7.2. CONFIRM YOUR UNDERSTANDING OF THE DESIGN OF CONTROLS
Ideally, the documentation of the company's business processes and controls should be a perfect reflection of what actually happens at the company day in and day out.
Realistically, however, there can be differences between what is supposed to happen and what actually does happen. Therefore, before beginning your tests of activity-level controls, it usually is wise to confirm your understanding of the design of controls.
Suppose that you ask the controller how cash disbursements are authorized. She tells you that she reviews and authorizes payments over $1,000. You select a sample of cash disbursements over $1,000 and examine the underlying documentation. Five of the items you selected for examination did not contain any evidence that the controller authorized the payment.
Do the results of these tests indicate a control deficiency?
As it turns out, the company changed its control procedure early in the year, lowering the amount of disbursement requiring authorization from $5,000 to $1,000. The items that contained no evidence of authorization were for amounts that were less than $5,000, and the payments were made early in the year.
Now, after selecting a sample and performing your tests, you have to go back and redesign your tests to take into account the change in the company's control procedure that occurred during the year. The controller was not being deceitful when she answered your question. She just thought you ...
Get How to Comply With Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
