What is a Deviation From Internal Control?

Meaning of internal control

Internal control refers to all of the policies and procedures management uses to achieve the organization’s objectives. Internal controls ensure timely, accurate, and complete information with respect to books of account to report business operations to users of financial statements.

It also helps to ensure that the company complies with all the relevant company guidelines, relevant laws, regulations, and practices. It provides the framework for how the internal activities need to be done to strengthen the organization’s control.

Deviation from internal control

Deviation from internal control occurs when the company departs from the path it designed at the beginning of the accounting period. The client may also enter into transactions that fall outside the regular nature of its operations. Such one-off transactions should be audited carefully, especially if a large amount of money is involved.

These transactions do not have pre-defined guidelines on whom to authorize and who shall be responsible. The board minutes should be reviewed to find out whether any sanction for such a transaction has been made and whether procedures have been devised. This will require separate planning and audit performance.

Internal control helps to minimize risk and achieve the goals of the entity. It segregates tasks into various responsibilities and attaches authorization procedures to them. Hence, the design of internal control needs special attention. Deviations from internal control include the following:

  1. a business transaction occurred that was not expected to occur
  2. a business transaction that was expected to happen did not happen
  3. a control exists but does not operate effectively, meaning that internal control has not prevented, detected, or made the necessary correction
  4. absence of internal controls

Let’s take a detailed example of deviation from internal control:

Sinra Inc supplies raw materials within the borders of the country. It has not dealt with any transaction beyond borders and does not plan to do so.

As Sinra Inc grew in scale and the quality of its raw materials became popular, a foreign company, Kuman Inc, held talks with officials of Sinra Inc.

In this scenario, the management of Sinra Inc does not have an established plan or internal control guidelines on how to proceed with such transactions. So, they have to prepare new guidelines, report them in the board minutes, authorize the personnel to handle the deal, and proceed.

The auditor would also need to look at this carefully, as new transactions previously outside the scope of the client's business have occurred.

The auditor would need to prepare a new plan and determine the extent, nature, and timing of the transaction. Further details on auditing aspects are shown below.

Impact of deviations on the auditor

In the initial auditing stage, the auditor needs to understand the complexities of the client’s business operations.

They need to validate the process, understand it, devise how internal control shall work and how management has done it, and find out deficiencies that may happen. The auditor would test the controls to obtain sufficient and appropriate audit evidence to minimize substantive audit procedures as much as possible.

The auditor needs to assess the impact of such transactions on the business and the amount of money involved. As internal control may not be effective, the probability of a misstatement affecting the financial statements increases.


Auditors need to gather evidence to support their opinion on financial statements. The auditor would also need to test further the likelihood of similar transactions in the future so that internal controls are in place and working effectively when they occur.

In the example above, the auditor has to scrutinize any similar instances the company has faced in the past and what actions were taken. The auditor shall also determine the internal controls to be devised based on their professional experience and judgment.

The auditor shall start by checking the major components of the transaction, such as authorization, recording, safeguards, and verification. The auditor shall study the board minutes to know who is responsible for the business transactions and the supporting documents aiding them.

They also need to know what authority is recorded in the books of account and how it is ratified later on. In the case of a deal involving physical assets, the auditor shall check whether the management has employed the proper safeguards.

The auditor may also need to physically verify the asset if it is tangible in nature. If any issues exist, the auditor may raise the matter in a management letter to show the internal control weakness and provide proper recommendations.