Internal Control Testing: Test of Design vs. Test of Operating Effectiveness

Imagine your organization as a well-oiled machine. It needs to run smoothly to achieve its goals, but also needs protection from unexpected problems. Internal controls are like the safety features built into that machine – things like pressure valves and automatic shut-offs – that prevent malfunctions and keep everything running safely.

But just like any safety feature, internal controls need to be checked regularly to make sure they’re working properly. This is where internal control testing comes in. It’s a vital process that helps organizations assess how well their internal controls are designed and functioning.

Internal control testing focuses on two main aspects:

Testing Control Design: Checking the Blueprint

Think of this as reviewing the instruction manual for your machine’s safety features. Here, auditors are looking to see if the controls, as described by the organization, are properly planned to address potential risks. It’s a one-time assessment that asks: “Does this control, in its current form, have the ability to effectively manage risks?”

Here’s how it works:

  • Reviewing the Control Description: Auditors examine how the controls are documented. For example, if a company’s purchasing policy does not require multiple quotes for expensive equipment or approval from department managers, that is a red flag indicating a potential design flaw in the control.
  • Real-World Examples:
    • Background Checks: An auditor might check a company’s policy to see if it states they conduct background checks on all new hires. They would then verify this by confirming if a background check was actually carried out on a recent hire.
    • Change Management Process: If a company claims to have a process for approving changes made to their computer systems, the design of this process would be reviewed. The auditor would ensure that for recent system changes, proper reviews, testing, and approvals were obtained by the designated personnel.

Testing Operating Effectiveness: Ensuring Consistent Performance

This test goes beyond the initial design. It’s like checking if the safety features on your machine are actually functioning as planned over a period of time, typically the past year. Auditors use sample testing to assess the control’s ongoing effectiveness.

Here’s how it’s done:

  • Sample Selection: Instead of examining every single purchase order or transaction, auditors choose a representative sample for evaluation.
  • Example: Imagine a company policy requires obtaining more than three quotes for purchases exceeding $5,000. The auditor wouldn’t examine every purchase above this amount. Instead, they would select a sample of such transactions and check whether the required quotes were obtained for each one.

Understanding When Tests Fail: Design vs. Effectiveness

  • Failed Test of Design: This means there’s a fundamental flaw in how the control is planned.
    • Example: Let’s say a company allows the same person to approve invoices and make payments for them. This violates a basic security principle called segregation of duties. Even if this person is honest, the design flaw makes the control vulnerable to fraud.
  • Failed Test of Operating Effectiveness: This reveals a breakdown in how the control is being carried out, even though the design is sound.
    • Example: Continuing with the invoice processing example, imagine the policy requires separate people for approvals and payments. But during testing, the auditor finds instances where the same person handled both tasks. This means the control isn’t being followed properly, despite a good design.

The Importance of Regular Testing

By performing both design and effectiveness testing, organizations can identify weaknesses in their internal controls and take corrective action. This helps to:

  • Safeguard Assets: Strong internal controls protect your organization from theft, fraud, and other financial losses.
  • Promote Accurate Financial Reporting: Effective controls ensure your financial statements are accurate and reliable.
  • Ensure Regulatory Compliance: Many regulations require organizations to have robust internal controls in place.
