CHAPTER 9

DOCUMENTING INTERNAL CONTROLS

What, Who, Where, and Why?

At the outset of an audit, the auditor must have a clear idea of the audit scope to identify a process that will achieve the audit objectives. Chapter 7 provided a summary of the Federal audit model jointly developed by the U.S. Government Accountability Office (GAO), the President’s Council on Integrity and Efficiency (PCIE), and the Office of Management and Budget (OMB). Exhibit 7.1, Federal Audit Model—Agency Financial Statements depicts in a graphic format the audit phases, procedures, and tasks that are described in some 1,000+ pages of Federal guidance appearing in the Financial Audit Manual (FAM), the Federal Information Security Controls Audit Manual (FISCAM), and the Standards for Internal Controls in the Federal Government. According to the Federal audit model introduced in Chapter 7 and as discussed in greater detail in Chapter 8, the auditor’s effort to understand controls is initiated during the planning phase of the audit and continues to be reexamined, refined, and revised during the entire internal control phase.

The second auditing standard of fieldwork states in part: “The auditor must obtain a sufficient understanding of the entity . . . including internal controls to assess the risk of material misstatement of the financial statements.” This chapter addresses internal control documentation, internal control definitions and requirements, and selected evaluation aspects of internal controls.