In our post from December 22, we defined, discussed, and provided examples of "control objectives" in the context of internal control systems. Auditors will identify company internal control systems that are relevant to whatever attestation service they are providing, be it financial auditing for the purpose of rendering an opinion on financial statements or government contracting for the purpose of ensuring the propriety of costs charged to contracts. For each relevant internal control system, auditors will identify control objectives necessary to make the systems work. In reality, these control objectives are pretty well established in professional standards, and while they are tweaked now and then, there are rarely any substantive changes to the control objectives. Once the auditor identifies the system to be reviewed, he/she goes to a book or a manual to look up the control objectives that should be present and functioning in an adequate system.
There are two control objectives that are common to any internal control system: independent reviews of the system and training of those individuals who are involved in the process. Today we will discuss independent audits. Tomorrow we will discuss training.
In any kind of internal control system, it is presumed that the company will have written policies and procedures. For example, Government contractors will need policies and procedures for timekeeping and all companies will require policies and procedures for extending credit to customers. For an internal control system to work effectively, management must periodically perform independent reviews of the policies and procedures to ensure that they comply with applicable regulations, have been properly implemented, and are operating effectively. It doesn't do any good to have policies and procedures that are not being followed and it does not do any good to have policies and procedures that are followed but are ineffective.
The reviewer's independence is important. Larger companies will have internal audit staffs. Other companies will spread the duties among various departments, ensuring that those performing the reviews are not directly involved in the processes under review.
When deficiencies are disclosed, it is important that the company take prompt corrective action. After the corrective action has been implemented and has been operating for a reasonable amount of time (e.g. six months), it is important to initiate a follow-up review, not only to ascertain whether the corrective action was indeed taken but also to evaluate whether it was effective in resolving the deficiency.
Finally, it is important for companies to prepare working papers, to maintain records of completed internal reviews, to prepare and update the status of corrective actions, and to prepare plans for future reviews.