Most business owners assume an audit is about checking whether their numbers add up. But there’s a lot more to an audit than ensuring the accuracy of your financial reporting, and it all comes down to internal controls.
Internal controls are the checks and balances your organization puts in place to mitigate risk and protect your financials. It’s an ongoing system of policies and procedures that should be directed by management and carried out by your team.
In our 30+ years as experts in audit and assurance, evaluating those controls is always one of the first orders of business. Here’s a closer look at the process and how to get ahead of it.
What’s at risk?
Under Generally Accepted Auditing Standards (GAAS), auditors are required to obtain an understanding of your internal controls. They’re looking for any unintentional or intentional errors that could cause your financial statements to be wrong.
For example, a company that processes vendor payments without a secondary approval could allow fraudulent disbursements to go undetected, raising red flags during an audit.
Auditors assess your current controls to determine how much additional testing they need to do to satisfy audit requirements and sign off on your financials. In a nutshell, strong controls mean less testing while weak controls mean more.
What do auditors evaluate?
Auditors typically zoom in on five areas. They follow a structured framework to gain a closer look at how your organization manages financial risk.
- Control environment. Does management take financial integrity seriously? Are ethical standards clear and enforced?
- Risk assessment. Does your organization identify and respond to risks as the business changes? For example, a company that grows from five to fifty employees, but never updates its approval workflows, can cause a breakdown of oversight.
- Control activities. Are there specific policies and procedures that put controls into action, including approvals, reconciliations, physical safeguards and IT access? This is where most of the hands-on audit testing happens.
- Information and communication. Are the right people getting accurate, timely financial information? Are issues escalated appropriately?
- Monitoring. Does management regularly check that controls are working? Controls that were effective three years ago might not be applicable to your business today.
Once your audit is completed, any control deficiencies are outlined in a letter with recommendations on how to address them. You’ll be expected to respond with a remediation plan.
If the same weaknesses continue to pop up audit after audit, that’s a signal to auditors, lenders and investors that you’re not working to address problems and improve the overall fiscal health of your organization.
Staying a step ahead
Don’t wait for an auditor to find problems. Make sure your policies are documented and followed. Walk through your key financial processes and pinpoint who’s responsible for each task. Look for anywhere one person controls an entire process from start to finish, which can put your organization at risk for fraud.
Need more support? The CPAs at Magone & Company are experts in internal control assessments. Whether you’re preparing for your first audit or need a more constructive approach to improving your processes, reach out or give us a call today at (973) 301-2300.
This document is for informational purposes only and should not be considered tax or financial advice. Be sure to consult with a knowledgeable financial or legal advisor for guidance specific to your unique circumstances