Internal control reviews provide management with assurance about the effectiveness of their control environments. The reviews can be undertaken by internal or external auditors, but are also completed by Quality Assurance personnel or even department management. Internal control reviews will include steps for: identifying the scope of the review project; testing internal controls through sampling, interviews, walk-throughs and observations; documenting tests performed and their results in standardized working papers; and reporting results.
Prepare a one- to two-page executive summary of the internal control review that includes the information in the following steps. Senior and executive managers will use the summary to understand the control issues identified and management’s plans to correct those issues.
Provide a brief description of the area reviewed, including relevant figures such as business or department size, earnings or expense numbers and personnel. The description will be useful to readers who are not familiar with details of the area reviewed.
Use the memo to management prepared, when planning the review, to summarize the purpose of the internal control review, including any functions, areas or responsibilities excluded from the project’s scope.
Provide a summary of internal control weaknesses identified, including an indication of each problem’s severity, and indicate briefly how management intends to resolve the weaknesses. An internal control weakness might be a failure to reconcile cash accounts or a failure to adequately secure a vault or safe.
Include a high-level opinion and/or conclusion about the internal control environment as required by The Institute of Internal Auditors, an international professional association recognized as the world's leader in audit education, certification, technical guidance and research. (See References) Opinions and conclusions are derived from evaluating the outcome of the internal control review and determining the control environment’s effectiveness.
Sign and date the report. Either the senior reviewer and/or their manager should sign the internal control report.
Include a list of people to be copied on the report and any limitations on distribution or use of the report. Department management, relevant senior and executive management should be included on the distribution list. Distribution limitations may arise if fraud or sensitive legal matters are identified during the review.
Detailed Findings, Recommendations and Corrective Action Plans
Provide a summary of each control weakness identified, using facts and statistical summaries of testing data to demonstrate the relevance of the weakness. Rate each weakness according to severity and list weaknesses from the most severe to the least.
Include a recommendation for correcting the control weakness if required by company practice or requested by management. Provide sufficient detail that a reader can clearly understand what steps to take to resolve the problem.
Include management’s corrective actions in the internal control report if required by company practice or requested by management. Including corrective actions documents management’s commitment to change and also permits precise follow-up on the implementation of corrective actions.
Include a specific date for corrective plan implementation and the name of the person responsible for the action to demonstrate accountability.