Assessing Internal Control Effectiveness
A widely followed approach to assessing and improving internal control effectiveness has been developed that comprises these steps (see case study 1):
Determine the documentation to be used, such as process maps (flowcharts), control registers, and process narratives.
Identify the objectives to be achieved.
Determine the processes that are key to the achievement of objectives.
Learn about each key process, documenting it in narrative, spreadsheet, and/or flowchart form.
Within a key process, identify and document the key controls.
Judge the potential of each key control to be effective, if followed as intended. Modify the control approach if necessary.
Design and document tests to be conducted to assess compliance with each control.
Conduct these tests.
Interpret the results of these tests. Where necessary, ensure better compliance or modify the control approach if satisfactory compliance is judged impractical.
Interpret the control significance of unwanted outcomes that have occurred.
Consider the adequacy of the control environment, information and communication, risk assessment, control activities, and monitoring.
Conclude on the effectiveness of internal control at the process level.
Testing Internal Controls
The extent of testing is a compromise between the need for thoroughness and the testing resources available, and will vary according to the criticality of the controls that are being relied upon, the potential for the controls to be circumvented, and the results of initial testing. For controls designed to operate at intervals (such as at week, month, or year ends), initial sample sizes may be as in Table 1. For controls that apply to individual transactions Table 2 may be appropriate, which can also be used for interval controls that are used in multiple locations or on multiple occasions.
|Frequency of control||Sample size|
|Many times a day||25|
|Population size||Sample size|
|Above 300||25 max|
Ongoing Maintenance of an Internal Controls System
Changing business requirements will result in modified business processes and the risk that controls within those processes may be abandoned or made less effective. Each modified business process that is key to the achievement of a business objective should be reassessed, applying steps 3 to 6 (above), prior to releasing the new or modified business process for operational use.
For established processes, performance criteria should be established to monitor the quality of performance and the extent to which controls fail.
- Page 4 of 6
- Previous section Design Characteristics of an Effective Internal Controls System
- Next section Case Study 1