You have engaged independent auditors to perform an audit of your financial statements, which is required by one or more of your funding sources. The auditors have provided you with the audited financial statements and have issued an unmodified opinion, meaning that your financial statements are not materially misstated, which is what you expected.
However, they also provide you with a management letter on internal control (internal control letter) that appears to list in detail everything they found wrong with your internal control during the audit. You do a great job making sure all of the accounting transactions are properly recorded and immediately become defensive; you did not ask for this letter, so why was it prepared? What will your funding sources think if they receive this letter? Will they stop funding your organization? What does this letter mean? What is the difference between a material weakness and a significant deficiency? What do you need to do to make sure that you do not receive another letter in the future?
This article will address these questions and hopefully, show you the benefits of the internal control letter to your organization.
Why did the auditor prepare this letter? Auditing standards require auditors to communicate in writing to management about material weaknesses and or significant deficiencies in internal controls discovered in an audit. The auditor is required to gain an understanding of internal control as part of the planning process; however, that does not mean that internal control is required to be tested in all audits. In most cases, auditors use walkthrough procedures to gain this understanding. They will review the organization’s procedures, noting the internal controls that are implemented, and then follow specific transactions through the process to make sure that it appears that the internal controls are working properly.
What will your funding sources think if they receive this letter? Will they stop funding your organization? This letter is prepared for and intended for management and those charged with governance, i.e., the board of directors, the audit committee, etc. This is a tool to assist management in improving the organization’s internal control and should not be provided to anyone other than these specified parties. This letter is not intended to and should not play a role in the future funding of your organization by those requesting the audit.
What does this letter mean? What is the difference between a material weakness and a significant deficiency? As mentioned previously, the auditor is required to communicate to management about material weaknesses and/or significant deficiencies identified during the audit. In addition, the auditor may also include “other matters” in the letter. Here are some definitions to assist with this question:
Deficiencies in internal control – these exist when the design or operation of a control does not allow management or employees, in the normal course of performing their work, to prevent, or detect and correct misstatements on a timely basis. For example, an employee electronically submits an electronic payment to a vendor for $15,000, but mistakenly records an entry for $1,500 and bank accounts were not required to be reconciled, this error would not be detected or corrected, and is therefore considered a deficiency in internal control, depending on the potential impact to the financial statement it could be a significant deficiency or a material weakness.
Significant Deficiencies in internal control – this is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. For example, the organization’s accounts payable clerk prints all checks and provides them to the Executive Director to be signed without proper supporting documentation, i.e., approved invoices. One of the checks was mistakenly written for $3,500 instead of $2,500, the vendor was overpaid by $1,000, and since the difference was not significant, it was not questioned by the Executive Director.
Material Weakness in internal control – this is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statement will not be prevented or detected and corrected on a timely basis. For example, a new capital lease agreement is executed by the Executive Director for 20 new copiers and requested payments to be made electronically by automatic withdrawal, but mistakenly forgot to provide this information to the accountant. The organization does not perform bank reconciliation; these transactions will not be captured in the accounting records. In addition, the capital lease asset and obligation under the capital lease would not be recorded, which would result in a material misstatement to the organization’s financial statement.
“Other matters” in internal control – this could be a deficiency or simply another matter that the auditor wants to bring to the attention of management and those charged with governance. For example, the organization does not have formal job descriptions for the accountant that has been employed by the organization for more than ten years. If the accountant becomes ill and is unable to work for several weeks, it is likely that some of the accountant’s job responsibilities will not be done that could result in late tax filings, noncompliance with grants, etc. The auditor may want to inform management and those charged with governance of the matter.
The internal control letter breaks the deficiencies in internal control into the different types, material weaknesses, significant deficiencies, and other matters, as noted above. The internal control letter means that during the audit, it was noted that an internal control did not exist or the internal control was not working properly and did or could result in errors. The letter is a tool provided to management and those charged with governance to assist them in improving the internal control of the organization.
In addition to identifying the internal control deficiency, the auditor provides a recommendation to the organization to improve its internal control in order to eliminate those deficiencies. The auditor recommendations can vary in resources needed to implement the recommendation. It is the responsibility of management and those charged with governance to analyze the recommendation and determine if it is feasible to implement them, if another internal control could accomplish the same result at a lower cost, or if nothing should be changed and they are willing to accept the risk.
What do you need to do to make sure that you do not receive another letter in the future? The obvious answer would be to correct all of the deficiencies in internal controls that are provided by the auditor and make sure all existing internal controls are followed. The auditors are required to report on material weaknesses and significant deficiencies; if they do not exist, a letter is not required. However, with many small to medium-sized organizations, the costs to implement proper internal controls could be very costly. Therefore, I recommend that you start with eliminating the material weaknesses, those that have the greatest risk of a material misstatement. When analyzing the recommendations, try to find other lower-cost ways to improve the internal control.
However, should you be trying to avoid another internal control letter next year? The auditors have already done the work as required by professional standards; don’t you want to know what they have found and documented in their audit files? The letter should be used as a tool for ways to improve the internal controls within the organization. The organizations that are constantly analyzing and improving their internal controls are typically those that have fewer errors and misstatements noted during the audit.
You may think that the organization’s internal control is finally perfect, but then changes occur, you have accounting staff turnover, the organization changes their accounting software, the organization goes paperless, etc. When significant changes like this occur, typically, the organization is trying to quickly adapt to the change but forgets to adapt its internal controls. For example, an organization has decided to implement a paperless work environment. The organization’s accountant previously took the bank statement that was received by the bank, performed a reconciliation, printed it, and provided it to a supervisor to review and approve, which was done by initialing the reconciliation.
In the paperless environment, the bank statement is obtained online, an electronic reconciliation process is done, and then the supervisor is emailed that it has been completed and is ready for review. The supervisor opens the file, reviews it, and then closes it. Now, there is no documentation that the reconciliation has been reviewed. You may think that the review has been performed; therefore, internal control still exists.
However, how do you know that it has been done? Now, let us assume that the supervisor got behind on work after taking a few days off and forgot about reviewing the bank reconciliation. Now the control procedure has not been performed. If it is not documented, are we sure that it was done? It is important to include some form of sign-off procedure, even if it is in an electronic format. Therefore, an internal control letter is extremely important in years in which changes have occurred in the accounting or finance department or the organization itself to make sure that internal control procedures are adapted for those changes.
As you can see, if used properly, a management letter on internal control is a great tool to ensure that your internal control procedures are properly working and assist you in making improvements to prevent, detect, and correct misstatements that may occur.