Auditing internal control services- PKC

Auditing Internal Controls- Assessing Effectiveness and Identifying Weaknesses

Posted On :

Auditing internal controls provides valuable insights into an organization’s risk management framework. It’s a must for good governance.

Explore with us the basics of auditing internal controls, the procedures, common mistakes and best practices to resolve them. 

What are Internal Controls?

Internal control is the process designed, implemented, and maintained by those charged with governance, management, and other personnel. 

It is meant to provide reasonable assurance regarding the achievement of an organization’s objectives

  • The reliability of financial reporting
  • The effectiveness and  efficiency of operations
  • The safeguarding of assets
  • Compliance with applicable laws and regulations

The term “controls” refers to all aspects of one or more components of internal control” as defined in SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and Its Environment.”

 By using Internal controls, PKC Management Consulting can help your organization operate more efficiently by ensuring that your financial statements and reporting are accurate and timely.

Purpose of Auditing Internal Controls in India

Ensuring Accuracy & Reliability 

Auditors evaluate internal controls to verify that financial statements are free from material misstatements (errors or fraud).

Compliance with Accounting Standards (Ind AS/AS) and Companies Act, 2013 requirements is checked.

Compliance with Regulatory Requirements

Indian laws (e.g., SEBI Regulations, Income Tax Act, GST Laws, RBI Guidelines) mandate strong internal controls.

Listed companies must comply with SEBI’s LODR (Listing Obligations and Disclosure Requirements) Regulations, which require internal financial controls (IFC) audits under Regulation 17(8).

Fraud Prevention & Risk Management

Auditors assess controls to detect and prevent fraud (e.g., misappropriation of assets, financial fraud).

Weak controls increase risks, making audits essential for corporate governance.

Enhancing Operational Efficiency

Auditing identifies inefficiencies in processes (e.g., procurement, inventory management) and suggests improvements.

Helps businesses optimize resources and reduce wastage.

Stakeholder Confidence & Corporate Governance

Strong internal controls improve investor, lender, and regulator trust.

Compliance with Section 143(3)(i) of the Companies Act, 2013 requires auditors to report on internal financial controls.

Statutory & Regulatory Audit Requirements

Statutory Auditors must evaluate Internal Financial Controls (IFC) as per Section 143(3)(i).

Internal Auditors (for large companies) ensure ongoing control effectiveness under Companies Act, 2013.

Aligning with Global Best Practices

Many Indian companies follow COSO Framework or ISO 31000 for risk management, making audits essential for global compliance.

Assessing Effectiveness of Internal Controls

 

Reviewing Internal Controls

A review of internal control can be accomplished through the process of examining, testing, and evaluating the system of controls established by management. 

This includes a complete understanding of the organization, such as

  • Nature of the organization
  • Accounting policies and practices of the organization
  • Objectives and strategies of the organization
  • Financial performance of the organization
  • Relevant industry and regulatory factors.

Auditor’s Role – SA 330

In accordance with SA 330, “Auditor’s Responses to Assessed Risks,” The auditor performs tests of controls. 

An audit procedure designed to evaluate the effectiveness of controls for preventing or detecting and correcting material misstatements at the assertion level is called the Test of Controls.

Representations made by management that are included in the financial statements to address various types of potential misstatements are known as Assertions.

Impact of Control Risk

Because an audit itself will not automatically detect all irregularities, PKC Consulting uses tools such as a test of control to test systemic operational controls. This reduces the client’s risk.

  • If the controls are effective, the control risk is low.
  • If the controls are weak or ineffective, the control risk is high.
  • In such cases, the auditor must perform additional tests during the audit.

Test of Controls

The Test of Controls can be classified into four main categories:

  1. Interviewing: It involves asking clients to explain their control processes.
  2. Observation: The test may involve observing a business process or transaction as it occurs, noting all relevant control elements.
  3. Repeat: In this method, a new transaction is started and tracks the internal controls of management that repeat during this process.
  4. Inspection: During the inspection of controls, transaction documents are examined for signs of verification. Signatures, checkmarks, and stamps are signs that internal controls have been implemented.

A single control test is usually insufficient to draw conclusions, so the practice of PKC Consulting is to use all four types of Test of Controls to gain more assurance. 

To obtain more accurate results, an investigation should be combined with an inspection or retest.

Audit Procedures to Identify Internal Control Weaknesses

Internal Control weaknesses are identified by performing certain audit procedures including:

Monitoring the controls: 

Detecting incidents is important. The faster you can respond to an incident, the lower the impact will be. 

Gather feedback from various stakeholders, talk to other departments, and continually update your audits so you can identify internal control weaknesses before they lead to a breach.

Narrative Record or Memorandum Approach: 

This is a complete and exhaustive description of the system. It is suitable when there is no formal internal control system, such as in small companies. 

Gaps in the control system are difficult to identify with the help of a memorandum.

Internal Control Questionnaire: 

This is the most widely used method for collecting information on the internal control system. Different people at different levels of the organization are asked questions. 

The questionnaire has a pre-designed format to ensure that all relevant information is collected. 

The questions are formulated in such a way that complete information can be obtained by answering “yes” or “no.”

Checklist: 

This is a set of instructions to be followed by a member of the examination staff. It must be signed and initiated by the audit assistant as evidence that the instructions have been followed. 

A specific statement is required for each area of weakness. The Director/Manager/Senior studies the complete checklist to identify the internal control weaknesses and assess their implementation and effectiveness.

Flowchart: 

This is a pictorial representation of the internal control system with its various elements, such as operations, processes, and controls, that provide the auditor with a concise and comprehensive overview of how the organization operates. 

A flowchart facilitates the process of evaluating internal control, as it provides a comprehensive picture of all the controls involved.

Common Internal Control Weaknesses & How to Fix Them

Many Indian companies face serious issues due to weak internal controls, the most common ones being: 

Common Weaknesses

Lack of Segregation of Duties (SoD)

Single employees handle multiple high-risk functions (e.g., approving payments + recording transactions).

This increases fraud opportunities (e.g., fake vendor scams).

Inadequate Documentation 

Another weakness is poor documentation. Missing invoices, unsigned approvals, or unrecorded transactions.

When policies and procedures aren’t clearly recorded, it’s easy for employees to skip steps or make errors.

Weak IT & Cybersecurity Controls

Poor access controls, outdated software, or no data encryption is another red flag.

Companies often fail to secure data, control access, or track changes, which makes financial manipulation easier.

Poor Inventory & Fixed Asset Management

Another commonly found problem is no physical verification, unrecorded disposals, or theft.

This puts the company at a risk of misstated financials and tax scrutiny.

Weak Fraud Detection Mechanisms

Often overlooked is a whistleblower policy and surprise audits.

Having sound fraud detection mechanisms in place can protect against financial losses and legal liabilities.

Management Override of Controls 

This happens more often than it should.

When top executives ignore or bypass controls, it sets a dangerous tone from the top.

How to Fix These Weaknesses?

  • Automate Controls: Use ERP systems (e.g., SAP, Oracle) for approvals and reconciliations.
  • Implement SoD: Separate authorization, custody, and recording duties.
  • Strengthen IT Controls: Multi-factor authentication (MFA), regular cybersecurity audits.
  • Documentation Policies: Enforce proper vouchers, approvals, and audit trails.
  • Regular Training: Educate staff on fraud risks and compliance (e.g., GST, TDS).

Need more help? Talk to PKC’s Experts Now!

Author

author

Kaviyan S.P

An Article Associate with a passion for human connection, I invest in people and explore the profound meaning of life through the diverse souls I encounter. My experiences shape my writing, reflecting a deep understanding of the human spirit.

Linkedin

How PKC can help you

Your dream business is just a click away. Book a FREE 30 mins consulting.

Call us : +91 9176100095

Sign up for FREE consultation.

Related posts :

ERP change management best practices- PKC IndiaERP Change Management: Best Practices, Tips & Mistakes to Avoid Auditing accounts payable fraud- PKC IndiaAuditing Accounts Payable | Detecting Fraud & Ensuring Vendor Compliance

Fill out your details

    Want to Talk? Get a Call Back Today!
    +91 9176100095
    phone
    phone-2