Accounting Procedures for Internal Control

Reducing Excessive Controls

By Tom Crouch, CPA, CIA, CISA, and Attorney

Excessive accounting controls or excessive internal controls may cost far more than many accountants, auditors, and auditee organizations realize. Internal control is the means by which management protects assets and secures data that is essential to a successful business operation. Controls that were cost effective and appropriate when put in place may become unnecessary over time. Excessive or duplicated controls should be eliminated to save time and money.

Auditors fear blame and potential legal liability if they recommend the removal or modification of controls and a problem/fraud is later discovered. The auditors may fear the wrath of auditee managers, who may be like little fiefdom kings, more than potential legal liability. Thus, many seasoned auditors are reluctant to even discuss with the auditee the possibility of removing or modifying controls.

When auditors evaluate whether internal controls are adequate, they want to ensure the mix of controls is sufficient to ensure appropriate control over a process. Weak controls can result in non-compliance with laws, inaccurate or lost data, and even fraud.

The external audit reports usually do not give any assurance on the adequacy of controls. In fact, looking for excessive controls is normally beyond the external auditor's scope and would add to the hours spent on the audit. However, the internal auditor's reports normally state that the controls are adequate or inadequate, noting any control deficiencies. Auditors almost never inform the auditee about duplicate or outdated internal controls even though the auditors may have noticed such situations. Also, the audit reports do not identify the excessive controls or explain how to remedy this. Thus, the unnecessary controls continue operating and the auditee continues to miss the cost savings opportunity.

Some organizations use Business Process Reengineering to redesign processes to reduce cycle times. In some instances, organizations use Controls Self-Assessment to periodically evaluate the controls in place, and to document the rationale for each control and the mix of controls. These two approaches can be used by accountants, internal auditors, external auditors, and others with a stake in the efficiency and effectiveness of the controls. These approaches may well be more cost effective now due to accounting reforms flowing from the Sarbanes-Oxley legislation. Reevaluating controls might need to become a continuous process in large organizations and a periodic process in other organizations.

External changes can alter the effectiveness of internal controls. Fifteen years ago, the check signing process could have included a dollar limit on checks and/or a second signature being required. Due to changes in how banks process checks, the effectiveness of these controls probably has been reduced or even eliminated. This is an example of how external changes can change the effectiveness of internal controls in achieving their objective.

As the mix of controls changes due to process (and/or technology) changes, the effectiveness of controls can be reduced. An internal control may have been put into place before the current mix of manual controls and IT (Information Technology) controls existed. When the system changed, the accountants and programmers may not have noticed a control was duplicated, or a new control overlapped an existing older control, or a new control superseded another. The auditors may not have performed a comprehensive review of the mix of IT controls and manual controls. One example would be a computer-generated error report, which is not being used by the recipient, because the errors are being detected and corrected in some other way. Another example would be too many approval levels or an ineffective approval process. Thus, a control may still be functioning, but it may not be needed.

Changes in laws or contracts can change the effectiveness of controls. An internal control may have been installed to ensure compliance with a law or a contract. The law or contract may have been amended so the control is no longer effective or not needed. If the rationale for the control is no longer valid, money is likely to be wasted when it continues to function.

Auditors generally identify and test key system or process controls. These key controls are key for audit purposes, but these controls are not necessarily key for the auditee. The key controls identified by auditors are likely to be among the most cost effective and appropriate controls. The other non-key controls might not be needed. What would be the consequence of removing some or all of these controls? If removing a control has no obvious adverse impact, then the auditor should inform the auditee that there is no apparent value added by the control. This is a middle-of-the-road approach, which would place an auditee on notice that the control might not be needed. In some instances, an auditor may want to go further and suggest that the auditee consider removing the control.

If accountants and auditors can more frequently find a way to identify and eliminate inappropriate or excessive controls, they should be able to help increase the operational efficiency of organizations. Furthermore, management would view the accountants and auditors as adding value instead of being a necessary business expense. Reducing costly controls that are no longer necessary or appropriate should become a key objective of all accountants and auditors.

Copyright (C) 2003 by Tom Crouch. This text may be forwarded via fax or e-mail so long as the copyright is shown. This text may be re-printed anywhere in a constructive manner so long as the copyright is shown. All other rights are reserved.

***
Editor's Note: The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®.

Copyright 2005 AuditNet. All rights reserved.

All materials contained on this site are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, broadcast, performed or used to prepare derivative works, without the prior written permission of AuditNet. You may not alter or remove any trademark, copyright, logo or other notice from copies of the content.

You may, however, download material from the AuditNet website for your personal, noncommercial use only.

For further information, see section 1 of the Terms and Conditions and section 2 of the Subscriber Access Agreement.

Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/