In this era where artificial intellect is gaining widespread traction in every field not just because it has changed the way in which work is done or productivity is enhanced, but because it has challenged the limits of our understanding and resulted in objectives that always remain fluid, is the audit profession immune?
Or do we believe that regulation will always come to rescue us from the altar of irrelevance or is it that in our considered thinking, us deploying superior quality applications and CAATs will be our buffer for what’s likely to come?
Hardly so! Unless we rethink the whole philosophy behind auditing. And that too, in the right context. That context is external auditing. Since external audit, the audit of historical financial information, is a regulation induced audit intervention to safeguard investors and promote trust in the economy. Additionally, by virtue of that regulation it is also resource intensive.
So, let’s use the audit of Internal Controls over Financial Reporting (ICFR) to understand the key differences between the value brought about by external and internal audit interventions and determine the best value for the dollar spent.
First a bit about ICFR. While it may seem a bit of jargon but clearly, it’s not when you get past the mnemonic. Simply put, ICFR refers to specific set of internal controls facilitating financial reporting. Mind you financial reporting is a strictly external audit domain and that’s why it’s interesting to understand how businesses could benefit from internal audit intervention in it.
The purpose and objectives of ICFR will give more clarity on their “What” and “What for”. Just like the purpose of any internal control is to achieve certain objectives while mitigating risks in the fulfillment of those objectives, the purpose of ICFR is to achieve credible and reliable financial reporting whereby the objectives are to ensure financial information is free from any misstatement and are aligned with the applicable reporting framework.
The system of ICFR comprises of policies like accounting policies, financial / budgetary authorizations, records generation and maintenance, etc. and procedures like accounting procedures, transactions processing, verification procedures, records protocols, etc. This system of internal controls is aimed at providing assurance to the business management about the credibility and reliability of financial reporting.
The external auditors while performing external audit engagement to determine if the financial statements give a true and fair view of the entity’s financial position, are also required to assess and evaluate the system of ICFR, to place reliance on it for the purposes of obtaining assurance.
Let’s now get to the ICFR assessment and evaluation approach used by external auditors, how it differs from that of internal auditors’ typical approach towards internal controls, how internal auditors can add value to the process, the external auditors simply can’t and why financial statement audit has now been relegated to a tick in the box engagement, when it could be a value adding proposition.
The External Auditors approach to the evaluation of ICFR is typically includes the following:
- Begins with the Tests of Controls on broad classifications of account heads, like sales, inventory, assets, payroll, etc.
- Based on the outcome of the Tests of Controls, move on to perform substantive procedures that require testing transactions to substantiate evidence for relevant assertions.
The external audit evaluation begins backwards, from the financial statements. They’re deep rooted in satisfying financial statement assertions, especially when tests of controls do not provide adequate assurance. However, the mainstay for external audit’s evaluation of ICFR are the Tests of Controls.
These Tests of Controls are designed to test a very limited sample of transactions, usually in single digits to observe the application of controls in a checklist manner, flagging areas where controls do not perform as intended. On the other hand, substantive testing does entail a larger chunk of transactional testing, however, that’s also based on checklist-based auditing, ticking fulfillment of relevant assertions like occurrence, accuracy, completeness, etc.
Thus, the external audit’s evaluation is transaction limited, narrowly focused and checklist oriented. No wonders then that the external audit is a diminishing marginal utility service in the present business world; an independent intervention in reporting of financial affairs of an entity that does not offer to add any value.
And hardly any surprises when year after year, a scandal erupts in the world of business financial reporting and erodes the credibility of audit firms owing to the typical approaches in which ICFR is assessed by external auditors. The dollars spent on externa audits are now largely aligned with the risk profile of the business rather than the audit effort required and planned to be deployed.
As for the Internal Auditors approach to ICFR, there isn’t any typical manner to adhere to and that’s why it always ends up yielding an enriching experience.
- Review of assertions is inherent to each, and every transaction tested, record examined, system scrutinized as elaborated here and is still just one small part.
- Internal Audit’s evaluation is a combination of backward (from financial information) and forward trail (from transaction initiation).
- It assumes a process driven approach, which could begin from how a contract, or a purchase commitment came into being, for instance and evaluates everything that occurs afterwards till the transaction culminates in a record. ICFR are not thus only tested specifically, but also as part of the overall internal controls system.
- Internal Audit makes use of the policies and procedures review to record the control checkpoints for evaluation.
- Internal Audit harnesses the power of risk registers in reviewing the design specifications of controls against risks identified and assessed.
- The Internal Audit approaches ICFR using COSO’s Internal Controls and ERM integrated frameworks.
- Entities benefit from the in-depth indigenous knowledge of processes and systems developed over time culminating in all financial statement components due to internal audit interventions as assurance and advisory providers.
- Transactional testing limits are not a constraint for internal auditing since assurance and advisory continue throughout the tenure of investment with internal auditing.
- Advisory is also issued that help balance costs of controls with costs of risks.
From cost center accounting issues to accounting policy deficiencies, from budgeting system improvement advisory to forecasting, from transactional verification protocols inefficiencies to authorizations scheme ineffectiveness, from potential to actual misstatements internal auditing encompasses all that external audit even fails to scratch the surface of!
I would sum up by recommending that it is time independent assurance on state of internal controls given in annual reports of entities should be from Internal Audit and results of ICFR assessment and evaluation should ideally come from both the external and the internal auditors.
For the dollar spent, internal auditing owing to its governance, risk management and internal controls evaluation and improvement rationale, offers the most optimized value when evaluating internal controls especially the ICFR. Thus, when thinking about ICFR evaluation, go internal, think internal audit!