June 2017 21 Internal Auditor
risks be communicated to management? What if issues are
communicated, but management concludes the gaps are not
significant concerns? Management’s basis for this conclusion
may be that no actual problems have been identified to date.
To address the risk appropriately, auditors must ask, “If an
issue has not yet come to light or been identified, should that
fact minimize the finding?”
What if the auditor’s opinion of the gap’s severity differs
from management’s opinion? Organizational leaders may push
back if they receive a poor control environment assessment. An
obvious step for internal auditors may be to speak to the audit
committee, but this can be challenging. It may be difficult to
communicate a control environment gap to an audience that
has been preconditioned by management’s view.
To resolve these dilemmas, auditors can:
• Ensure they have authority to analyze and communicate
the situation beyond just the existence of policies.
• Ensure management understands the difference between
a control gap and a control failure. It is important to
know whether the gap has created a failure, but just
because it hasn’t failed to date should not minimize the
impact of the gap. The inability to recognize this cause-and-effect relationship will put the control environment
at significant risk.
• Encourage independent communication with board
members. If management and the auditor disagree
about the severity of the issue, the board must be open
to both sides of the argument.
Management Philosophy and Operating Style
Philosophy and operating style include how management
executes its day-to-day responsibilities and the manner in
which executives provide overall direction. Consider an
example of quarterly attestations and their impact on the
control environment. U.S.-traded companies have procedures in place for affirmation of internal control processes for
Sarbanes-Oxley Section 302. These procedures often involve
business-unit managers providing personal subcertifications
on controls for their areas of responsibility.
Assume the procedure for quarterly attestations was established several years ago. The subcertification states: “To the
best of my knowledge, internal control procedures and financial information within my area of responsibility are accurate
and complete.” The certification was originally accompanied
by specific training for the business-unit leaders.
Fast forward several years. Many personnel signing the
attestations are individuals who have been promoted into
new positions but have not been trained on the attestation
requirements. New management views the process as a “step”
they must complete each quarter because of compliance
requirements. If the auditor assumes the standard process
of attestation is effective, there may be a risk to the control
environment. Because the attestation is a simple signature,
the risk exists that management is simply following a legacy
process and does not understand the need for disclosure controls. One solution is to review the Sarbanes-Oxley requirements and potential fines and liabilities to management for
improper attestations. Outlining the risk may convince management to re-evaluate and solidify the process.
Segregation of Duties
A strong control environment can only be supported through
appropriate segregation of duties. Segregation of duties assists
in mitigating the potential for one person to maintain control over an entire
process, thus having the opportunity to
perpetrate some undesirable behavior.
When evaluating the sufficiency of segregation of duties, internal auditors examine responsibilities around transaction
authorization, recording, custody of assets, and reconciliation.
Depending on organizational resources, it may not be
possible for the organization to fully implement appropriate
segregation of duties. In this situation, auditors must assess
the risk embedded in the processes, attempt to quantify the
risk, communicate to management their observations, and
provide alternative methods by which management can monitor transaction activity or provide additional checks and balances for the process.
A Thorough Assessment
The control environment is the foundation upon which an
organization can effectively execute strategy. If management
focuses only on “check the box” activities, it will miss critical attributes that may result in major gaps that ultimately
impact the organization’s viability and control environment.
That is why it is important for internal auditors to fully
assess gaps or flaws and provide adequate assurance regarding
the sufficiency of controls.
Lynn Fountain, CGMA, CRMA, is a business consultant,
author, and trainer with Fountain Consulting and Training
Services in Overland Park, Kan.