Don't Test Internal Controls, Test the Circumvention

People have asked me recently at seminars how I perform internal control testing. I replied that I focus not so much on testing internal controls (i.e., how many time did Joe, the rightful approver, approve an invoice). Rather, I focus on testing for any circumvention (i.e., how many times did Sue post invoices just under the approval limit so that Joe would not need to approve and therefore ever see the invoice).

Consider this in your query approach....focus on the circumvention and therefore the potential issues that could arise in the internal control structure. The test results will be more fruitful.

Comments are welcome.

Proactive Journal Entry Testing - A Must For Auditors

When looking at some of the recent large-scale frauds, such as WorldCom, management override around the journal entry process was the key contributing factor (according to an Oct. 30, 2002 article in The Wall Street Journal). This is to be expected because the easiest route to changing the books and records is for executive management to post a top-side journal entry.
Audit Standard #99 makes specific references to using data analysis to support the audit process and AICPA Practice Alert 2003-02 provides specific guidance on journal entry tests that should be performed on every audit. As much as possible, these reports should be automated (vs. having someone manually scan general ledgers).

See my website, AuditSoftware.Net for a comprehensive list of automated journal entry tests.