Have you experienced receiving a recommendation from external auditors on the organisation’s internal control weaknesses? Do you think the external auditors can add value to your business as part of their engagement?
Though auditors are appointed to audit the financial statements of an organisation and to provide an opinion on whether those financial statements reflect the true and fair value of the financial position and financial performance, they can still add value by making recommendations on weaknesses in the organisation’s internal control environment. In fact, the auditors are required to communicate material weaknesses discovered in an organisation’s internal systems and controls. This requirement originates from International Standards on Auditing 265 (ISA 265) Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.
However, it is also important not to confuse the role of an external auditor with that of an internal auditor. The scope and extent to which an internal auditor would look at the weaknesses in internal control and processes is generally broader than the scope of an external auditor. The external auditor may consider only those deficiencies which are relevant for the purpose of the audit of the financial statements.
The following are the five most common internal control weaknesses found by external auditors and what an organisation can do to mitigate them:
Every business has policies and procedures which allow it to operate smoothly. However, it is commonly observed, especially in smaller businesses, that these policies and procedures are not formally documented, and neither are the control points embedded in them.
One may think that the business is not complex and that it is well controlled by the owner. However, it is always valuable to formally document the policies, procedures and surrounding controls. Businesses should identify all the critical cycles (e.g., sales, purchases, financial reporting, cash, etc.) and document the policies and procedures around them. This will provide transparency and clarity to employees and help the business teams align with management’s expectations and direction.
It is often observed that smaller businesses may not have a sufficient level of segregation of duties, which may pose a severe risk to the business. A large organisation will have many employees, and the processes would be divided amongst them to strike a balance in the segregation of duties. Smaller businesses, however, face challenges due to resource constraints and may end up in a situation where a single employee or a few employees take care of almost all critical functions. This can result in a greater risk of fraud or error.
Smaller businesses should achieve a balance that will allow them to reduce the risk to an acceptable level. The first step would be to review all the existing processes and separate the most critical ones from the others. Once the most critical processes are identified, establish appropriate controls and segregation of duties to manage the risk. If this requires more investment in human assets, it would still be worth it compared with falling victim to fraud or error.
- Controls over the period-end financial reporting process
Various stakeholders use financial statements, and often these may be the only source of information for a stakeholder to understand the business and either continue to have faith in the business or act otherwise. Due to its significance, it is necessary to have sufficient control around the period-end financial reporting process, including non-recurring journal entries. The lack of necessary controls around this process and non-recurring journal entries can cause a severe risk of fraud or error, resulting in inaccurate reporting to the stakeholders.
The business should specifically consider the following matters:
- Is there a control in place to hard-close the books of accounts at regular intervals, say monthly or at least quarterly?
- Is there a control in place for the review and approval of non-recurring journal entries?
- Is there a control in place to allow only authorised personnel to post non-recurring journal entries?
- How are the accounting estimates and complex accounting matters dealt with during the period-end financial reporting process?
- Is there a process and control in place to identify related parties and report the transactions with such related parties during the period?
Robust controls over the period-end financial reporting process assist in accurate reporting and strengthen the confidence of various stakeholders.
With the increased use of technology, each business may be using multiple applications. Such applications may range from operational and human resources applications to accounting applications. It is often observed that the business may lack the necessary in-house or external support for its IT infrastructure. This may result in employees having more access than they require. Further, the lack of requisite support for IT infrastructure may also leave businesses exposed to possible cyber security threats or to the loss of valuable data if an incident related to information systems occurs.
In these ever-changing times, it is imperative for businesses of all sizes to manage their IT risks effectively. The business should consider making the necessary investments in an in-house IT team or external consultants to identify all possible risks and put in place the necessary controls to mitigate those risks. This involves granting limited/requisite access to various users in an organisation, conducting penetration testing and having the necessary disaster recovery plan in place.
- Controls around petty cash
It may sometimes not sound so important, as it relates to ‘petty’ cash. However, this is one of the common internal control weaknesses identified by the external auditor. Businesses may have a limit set for petty cash and may feel that this is enough because the limit is set low. However, this can still pose a significant risk when one considers the cumulative impact. Imagine a business that has set a petty cash limit as low as CU 10,000, and historically this gets utilised every 15 days. This means the use of petty cash in a year is around CU 240,000 (CU 10,000 * 2 times in a month * 12 months). Will this not be significant enough for the business to pay specific attention to?
Businesses should ensure that sufficient controls are put in place around the handling and replenishment of petty cash. This includes establishing maker and checker roles and conducting surprise physical counts of petty cash, amongst other possible controls as the business deems fit.
The above are only a few of the common internal control weaknesses and not an exhaustive list. The external auditors would generally rate the identified deficiencies in one of three categories: Low, Medium or High. This is based on their professional judgement and the significance of the identified deficiency. It is for the business to perform the cost-benefit analysis and have a plan in place to implement the recommendations to improve the internal control environment.
Business owners know their businesses very well, but external auditors can give an external perspective based on their wider experience of auditing other similar-sized businesses across various industries. So the next time you have your accounts audited, do not forget to engage with your auditors for that ‘added value’.