Beginning Your Evaluation
Step 2 — Do Your Controls Work in Practice?
Determining the effectiveness of the controls you've identified requires that you gather evidence about how the controls actually operate. What kind of evidence you need, and how much of it, depends on your assessment of two kinds of internal control risk:
- The risk of a material misstatement in the financial reports
- The risk that the control will fail to operate as designed
The greater the internal control risk, the more evidence you'll need to support a conclusion that the control is effective.
In a smaller company, you may not need to assign any special personnel to the task of gathering evidence on how internal controls are operating. Likewise, the procedures you follow to obtain evidence of operating effectiveness may be integrated with the daily responsibilities of the employees. As internal control risk increases, however, you may need to consider:
- Using personnel who are more objective
- More extensively validating the controls
- Testing over longer periods
The SEC's newly issued guidance provides examples of financial reporting elements that ordinarily would be considered higher risk, such as critical accounting policies. It also provides examples of controls that have higher risk, such as those that are subject to override by management, involve significant judgment, or are complex.
The SEC guidance also describes circumstances in which managers can rely on their own knowledge and supervision of controls — a common situation in smaller companies — as a way to limit the additional procedures, if any, that might be needed to gather evidence of operating effectiveness.
Once the evidence is gathered, you then determine whether the control is operating effectively. In making your assessment, you should consider:
- Whether the control operates as designed
- How it is applied
- Whether it operates consistently
- Whether the personnel responsible for the control have the authority, and the competence, to do the job
If management determines that the control is not operating effectively, then a control deficiency exists. As described below, each control deficiency must be evaluated to determine if it is a material weakness.