Since they are not involved in operations, many members do not fully understand the internal controls that are in place. As a result, they rely on the report of the financial statement auditors to make them feel comfortable that internal controls are in good shape. The scope of the financial statement audit includes in-depth testing on the numbers in the annual financial statements and only minor testing of internal controls. Additionally, financial statement audits are not designed to detect fraud.
Many organizations solve this dilemma by implementing an audit of internal controls. Public companies subject to the Sarbanes Oxley Act are required to obtain both financial statement and internal control audits. However, even though nonprofits are not obliged to follow this law, some opt for an internal control audit so that their committee members feel more comfortable about their oversight responsibility.
Internal Control Services
Reporting on internal control can range from a formal opinion on an entity’s entire control system to management letters detailing suggestions for improvements in specific control activities. The following are examples of services or communications relating to internal control provided by Tate & Tryon.
- Opinion on the design of controls
- Opinion about the effectiveness of internal control
- Report on the internal controls of a service organization
- Report on internal control in connection with an audit of an entity receiving government funds under the Yellow Book
- Communication of recommendations regarding the design of internal controls
In a reliable internal control system, the following five components of internal control and all relevant principles must be present and functioning.
Control Environment is the tone at the top. The control environment refers to the policies and procedures in place to communicate the codes of conduct and ethical behavior.
Risk Assessment is the process in place to identify and assess the risks to the operation in achieving its objectives.
Control Activities are the actions established by policies and procedures to help management mitigate risks identified during the risk assessment process.
Information and Communication determine how the organization communicates control responsibilities and reports on finances.
Monitoring Activities are ongoing evaluations to ascertain whether each of the five components of internal control, including controls to affect the principles within each, is present and functioning.