controls and gaps may be found. Additionally, the company’s
review team, external auditors, and senior management can
review the pilot to understand the company’s approach.
After documenting all processes within a cycle, the documenters should select one or two records as far upstream as possible — for example, the first process in the cycle — and trace
these records through to the last process in the cycle. This will
ensure that flowcharts and other documentation are correct.
This is an important step, because the external auditors will perform a similar walkthrough and base their opinion on it.
A review team, consisting of the company controller, project manager, a documenter, overall cycle process owner, and
a high-level IT manager, should decide which gaps could create material misstatements in the financial statements, and
which gaps are not significant. The group will also determine
which gaps need remediation and may propose various remediation ideas.
Establishing a quality control process for the documentation
produced as part of the project will save time for all parties
concerned (see “Quality Control Review Process,” this page).
Both COSO and the PCAOB require that testing be performed
to validate that controls are in place. For the first year of compliance,
testing should be performed close enough to the reporting deadline so the company can be reasonably sure that tested controls will remain in place through the fiscal year-end. Also, tests
should be performed early enough so that if operational deficiencies are encountered, there will be time to make corrections.
Tests should be designed so that a single test covers as many
controls as possible. It is best to select samples from
processes that are far upstream in the business cycle. For
instance, if process A feeds process C, which feeds process
D, then samples could be selected from process A and traced
through processes C and D. Process B, however, would need
separate samples selected. Required sample sizes for testing
are still under discussion among large accounting firms, so
it is important that the company consult with its external audit
firm before beginning testing.
Some accounting firms are willing to use tests performed
by the company to satisfy part of their own testing requirements. If this is workable with the firm, it will save the company audit fees. While this area is also under discussion
between the large accounting firms and their clients, some
general guidelines are emerging:
• The more independent the tester is from the process, the better. Ideally, an internal auditor would perform the testing. A second choice may be to have the company’s operations staff perform tests (for example, having the accounts payable manager test the accounts receivable processes and vice versa).
• The tester must be competent. This is another reason to use internal auditors for testing. If internal auditors are not used, then people who have experience in auditing or hold a certified public accountant certificate are a good second choice.
• In all cases, external auditors must perform most of the testing work in each process. In some areas, external auditors will want to perform all of the testing. In other areas, such as routine processes like accounts payable and accounts receivable processing, they may be willing to use a larger percentage of internal testing as a substitute for their
[Sidebar: Quality Control Review Process]
INTERNAL AUDITOR JUNE 2005