Management is responsible for establishing and maintaining internal controls to prevent and detect material misstatements of the financial statements. However, the responsibility for the oversight of internal controls ultimately rests with the members of the Board of Directors as part of their fiduciary duty. Boards frequently delegate the heavy lifting of financial oversight to a committee.
Committee members often feel lost when addressing their responsibility for overseeing internal controls. Their conundrum over financial oversight stems from the fact that the Board of Directors sets strategy and policy while management implements strategy and policy via operating the organization. Because committee members are not involved in operations, they feel that they do not fully understand the internal controls that are in place. As a result, many committee members feel uneasy about overseeing internal controls, and they end up relying on the report from the financial statement auditors to make them feel comfortable that internal controls are in good shape.
Stop and contemplate this thought process for a moment.
Embedded within the belief that a good report from the financial statement auditors equates to a conclusion that internal controls are fine lies a critical disconnect. Recall for a moment what the financial statement audit entails. The scope of the financial statement audit includes a great deal of testing on the numbers in the annual financial statements and only a little bit of testing on internal controls. Additionally, financial statement audits are not designed to detect fraud. Thinking about the process this way illuminates the flawed logic that allows committee members to feel comfortable about internal controls solely on the basis of a good financial statement audit report.
Several organizations have solved this dilemma by implementing an audit of internal controls. Public companies subject to the Sarbanes Oxley Act are required to obtain both types of audits – financial statement and internal controls. However, even though nonprofits are not required to follow this law, some go the extra step and obtain an internal control audit so that their committee members feel more comfortable about their oversight responsibility with respect to internal controls.
Many of our clients have asked us to perform internal control audits and we also offer outsourced internal audit services. If you would like to learn more about these services, please contact me for additional information.
Susan Colladay is a partner in the Firm’s Audit and Assurance Services department.