Changing the Mindset: Internal Control Begins at the Top

By Troy Y. Manning, Cherry, Bekaert & Holland, L.L.P. (CB&H)
Email: tmanning@cbh.com

An organization’s management or those charged with governance should never view audit adjustments as an expected outcome of a financial statement audit, or consider an audit itself as an internal control. Such a mindset negatively reflects the degree to which the organization takes seriously its commitment to accurate and reliable financial reporting and to establishing internal controls to achieve this objective.

Audit Adjustments
Audit adjustments should be of concern to any organization, as each adjustment represents a “red flag” that may indicate the existence of a control deficiency. In addition, a control deficiency or combination of control deficiencies may be assessed by the auditor as an indicator of a significant deficiency or a material weakness in internal control. When there are audit adjustments, be prepared for the question that may be asked by your auditors, “Why wasn’t the misstatement(s) identified by the organization’s internal controls?”

Overall, the organization must understand that management and those charged with governance are responsible for establishing internal controls over financial reporting. This includes identifying, processing, valuing and recording all valid transactions in a timely manner. It also includes the preparation of reliable financial statements that are fairly presented in conformity with generally accepted accounting principles, including related disclosures.

It can be particularly troublesome when the auditor identifies a material misstatement in previously issued financial statements that result in a prior period adjustment. According to SAS 112, Communicating Internal Control Related Matters Identified in an Audit, this circumstance is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness.

An organization may have difficulty understanding why a material misstatement that the auditor did not detect in a prior year is considered a significant deficiency or a material weakness. Even though the facts and circumstances may reveal that the auditor should have identified the misstatement in a prior year, the fact remains that a material misstatement should have been detected by the organization’s internal controls.

An Audit Is Not an Internal Control
An auditor must comply with professional standards by maintaining independence. In order for an auditor to maintain independence, they cannot perform a management function or make management decisions. It is management’s responsibility to establish and maintain internal controls relating to financial reporting. Therefore, an organization should not have the mindset that a financial statement audit represents an internal control because the auditor cannot be part of the organization’s internal control system.

Rather than relying on an audit to identify misstatements in the organization’s financial reporting, an organization should have a process to evaluate existing internal controls by identifying “what could go wrong.” An example would be to assess what could go wrong in the organization’s process of ensuring that there are no unrecorded transactions. The next step would be to establish internal controls that address the identified risk(s) of misstatement.

Conclusion
The primary responsibility for an organization’s internal control resides with management and those charged with governance. When an organization understands this responsibility, the mindset and overall tone of the organization will encourage a commitment to accurate and reliability financial reporting. This in turn should reduce or eliminate audit adjustments and the identification of control deficiencies that may be assessed by the auditor as significant deficiencies or material weaknesses.

Troy is a Partner with CB&H and a member of the Firm’s Not-For-Profit Industry Group.