Fraud prevention, detection and correction are best achieved by having a functional and operational control in place. It is the duty and responsibility of management to ensure that company’s assets are protected via the establishment and implementation of vibrant internal controls is the system. This is enshrined in the Sarbanes Oxley’s Act 2000 (SOA).
As true as the above may be, auditors are still the professionals/ experts on internal control matters. This assertion holds for the following reasons.
- Auditors need to fully understand a business’s working environment and internal control.
- Management may want to fool auditors into making audit risk (risk of giving the wrong opinion on the truth and fairness of financial statements of a company). Auditors evaluate internal controls of an entity so as to fix the level of acceptable detection risk that is the function of inherent risks and control risks.
- Auditors can be consulted to help organizations prevent and detect frauds and errors.
For auditors to achieve all the above, certain knowledge and skills needs to be acquired by auditors. Auditors must know how to evaluate internal controls of businesses. Auditors must have working knowledge of system development life cycle (SDLC).
Since the objectives of internal controls of businesses are to ensure the security of company’s assets, the evaluation of internal control should best be done from the result point of view. Auditors should seek to know if the control objectives of internal controls are met.
The cost of achieving a control objective in a system of internal control should not outweigh the benefits that should be derived from setting up the internal control in any business venture. Auditors can use either of these two tools to ensure that the internal control system is not defeating the aim for which it was set up. The tools are;
- The control matrix, and
- The systems flowchart
I will not go into the detailed steps of the above two tools as it will make this article too long for you to digest.