Over the past half century, a great deal of literature has appeared in Canada and the United States about how to design, document and assess internal controls. The groundbreaking publication was Analytical Auditingby Ross Skinner and Rod Anderson, published by Pitman (Canada) in 1966. That book developed the concept of focusing on risks and weaknesses when analyzing controls; it presented internal control questionnaires that helped identify weaknesses by identifying missing or ineffective controls; and it required that an external auditor thoroughly understand the business being audited. (The latter principle has been rediscovered by auditing regulators recently.)
The focus on internal control processes has waxed and waned over the years, but the appearance of Internal Control – Integrated Framework (ICIF), by the American COSO group in 1992, laid the foundation for a systematic approach to internal control design in the United States. ICIF included extensive sample internal control objectives, risks and “points of focus for internal control activities.” While these were intended to be examples for following the overall framework, they became accepted as a starting point for documenting internal control compliance. When the Sarbanes-Oxley Act in the US and Multilateral Instrument 52-109 in Canada required that public companies document and evaluate internal controls, ICIF became the standard framework.
Currently, two authoritative publications provide a framework for internal controls in Canada. The 2013 revision of ICIF is accepted in Canada as the definitive paradigm for internal control and risk assessment. The Canadian Professional Engagement Manual (CPEM) published by CPA Canada (updated annually) is consistent with the COSO framework and provides tools that can be used not just by auditors but also by their clients.
First Reference has built upon both of these publications to provide practical tools for designing and evaluating controls. Each chapter of Finance and Accounting PolicyPro includes resources to help you evaluate internal controls. Additional powerful tools are available online through the PolicyPro software (click on the Supplementary Information Quick Link).
One important tool to evaluate controls is the control design matrix. Below is one example of a matrix available online with Finance and Accounting PolicyPro. Based on the CPEM, the chart lets you track your control procedures against risk factors. This is the same methodology auditors use in evaluating their clients’ controls. This control design matrix is for revenues, receivables and receipts. List controls on the left, and then insert a P in the appropriate box if the control is intended to prevent errors, and a D for those to detect and correct errors. The list of risk factors should be customized to your business.
The current release of Finance and Accounting PolicyPro includes a replacement for the Introductions to Chapters 1, 2, 3 and 4 of Volume I. In each Introduction, material has been freshened and updated, and references to the 2013 edition of CPEM have been added. Supplementary forms are available online to help you assess controls.
Jeffrey D. Sherman, BComm, MBA, CIM, FCPA, FCA
Author of Finance and Accounting PolicyPro
Finance and Accounting PolicyPro
Finance & Accounting PolicyPro can save you a significant amount of time to draft and update your policies. FAPP offers over 140 sample policies, procedures and authoritative commentary in the areas of finance, corporate governance, operations and marketing.