8.1.8 The evaluation of internal control systems by auditors using Internal Control Questionnaire, Flow charts and narrative notes

Auditors use various methods to evaluate internal control systems (ICS), including the use of Internal Control Questionnaires (ICQs), flowcharts, and narrative notes. Let’s look at each of these methods:

1. Internal Control Questionnaires (ICQs): An ICQ is a structured questionnaire that auditors use to assess the design and effectiveness of internal controls within an organization. It typically consists of a series of questions related to control activities, segregation of duties, authorization processes, access controls, and other key control areas. Auditors use the responses to these questions to evaluate the adequacy of the ICS and identify potential control weaknesses or deficiencies.
2. Flowcharts: Flowcharts are visual representations that illustrate the flow of processes, activities, and controls within an organization. Auditors use flowcharts to gain a better understanding of the sequence of events, decision points, and control activities within a specific process. Flowcharts help auditors identify control gaps, inefficiencies, or potential weaknesses in the ICS. They can also assist in identifying areas where controls are lacking or where improvements can be made.
3. Narrative Notes: Narrative notes provide a written description of the organization’s control environment, control activities, and key processes. Auditors use narrative notes to gain a comprehensive understanding of the ICS and its effectiveness. The narrative notes describe the control objectives, control activities, and responsibilities of individuals involved in the control process. They also highlight any control deficiencies or areas for improvement identified during the audit.

The evaluation of the ICS using these methods typically involves the following steps:

1. Planning: Auditors determine the scope of the audit and the specific control areas to be evaluated. They may choose to use ICQs, flowcharts, or narrative notes based on the nature and complexity of the organization’s operations.
2. Gathering Information: Auditors collect relevant information about the ICS, including policies, procedures, manuals, and other documentation. They may also conduct interviews with key personnel to understand the control environment and obtain insights into control activities.
3. Completing ICQs: Auditors administer ICQs to the appropriate individuals within the organization. The responses to the questionnaire help auditors assess the adequacy and effectiveness of control activities, identify control weaknesses, and determine if controls are designed and operating as intended.
4. Creating Flowcharts: Auditors develop flowcharts to map out the sequence of activities, decision points, and control activities within specific processes. Flowcharts help auditors visualize the flow of transactions and identify control points where risks could arise.
5. Documenting Narrative Notes: Auditors prepare narrative notes that describe the organization’s control environment, control activities, and key processes. These notes capture the control objectives, control activities, and responsibilities of individuals involved in the control process. They may also document any control deficiencies or areas for improvement.
6. Analysis and Evaluation: Auditors analyze the information gathered from ICQs, flowcharts, and narrative notes to assess the overall effectiveness of the ICS. They evaluate the design and operating effectiveness of control activities, identify control weaknesses or deficiencies, and make recommendations for improvement.