It is management’s responsibility to establish and maintain an effective internal control system. As part of a financial statement audit, the auditors are required to gain an understanding of the internal control system and to determine if the internal control system is functioning as intended. Auditors review internal controls by performing walkthroughs to gain an understanding of the internal controls and to assess the overall risk of material misstatement to the financial statements.
Document the classes of transactions that have a significant effect on the financial statements. These are the classes of transactions that are key to the financial statements, because they have a large dollar volume. For example, cash receipts and cash disbursements will always be key to the financial statements, because they represent the cash coming in and going out of the company. In order to document all significant transaction classes there must be some parameters to go by (i.e., a materiality threshold) that establish a dollar amount considered significant to the financial statements. Once all significant transaction classes have been identified and documented, the client is asked to provide a description of the processes for each class.
Document an understanding of the client's system of internal controls using the description of procedures for each significant transaction class provided by the client. The Sarbanes Oxley Act has resulted in significant changes to the way internal controls are designed, documented, monitored and maintained. The resulting enhanced documentation (i.e., process maps) that management is required to maintain facilitates the auditor gaining an understanding of the client's system of internal controls. Auditors use checklists, flowcharts, narratives and internal control questionnaires to document their understanding of the client's internal control system.
Select a sample transaction from each of the significant transaction classes. Determine if the sample of transactions correctly flow through the internal control system in accordance with your understanding and the documentation of how the system should work. For example, the auditor selects a cash disbursement transaction and traces it from beginning to end through the client's system (i.e., from an approved purchase order request to the issued purchase order, to the documentation of delivery and inspection of goods, to the recording in accounts payable, to the processing and issuance of payment, to the check clearing the bank and showing up on the bank statement), noting and documenting any deviations from the documented internal control procedures.
Discuss the results of the walkthrough with management and inform management of any deficiencies that need immediate attention. Document any changes to risk assessments and whether the overall risk that a material misstatement in the financial statements could occur has changed in any way (increased or decreased). Document the findings in the audit work papers and highlight any findings that may be presented to management in a management letter or that may impact the audit opinion in any way.