Internal Control Environment
In accordance with audit standards, we begin each engagement with a series of fraud risk interviews. The questions that most often draw a response of “no,” “I don’t know,” or a non-responsive answer are:
Does the audit committee (a must-have) take an active role in oversight of management’s processes for identifying and responding to fraud risks and oversight of the controls established to mitigate those risks, and if so, how does the committee exercise such oversight activities?
Does management have a defined process (indicating how, to what extent, and how often) for assessing the risk that the organization’s financial statements might be materially misstated due to fraud?
Does management have a defined process for assessing the controls in place to prevent and detect fraud?
Does the organization have processes (programs and controls) for identifying, responding to, and monitoring fraud risks?
Does management have a means of communicating to employees the importance of ethical behavior and appropriate practices?
Does management have a process for monitoring the organization's various components or programs to reduce the likelihood of fraud occurring and going undetected?
Overseeing the risk assessment process is not synonymous with reviewing financial statements or reports. Some entities use checklists to assess internal controls and identify gaps. They are among the simplest and least expensive tools at a small organization’s disposal. The key is for governance (i.e., the audit committee) to exercise its fiduciary duty in reviewing the assessments.