AICPA Answers Internal Control Technical Questions

10 min read

In April 2017, the AICPA released several nonauthoritative answers to technical questions, which are based on matters identified from questions received into the AICPA’s technical hotline and other sources. The following summarizes the guidance provided in Section 8200, Internal Control:

  • Auditors should obtain an understanding of business processes relevant to financial reporting and communication on every audit, but not necessarily all of the control activities underlying them.
  • An understanding of internal control relevant to the audit should encompass each component of internal control, not just the control activities component.
  • The auditor should evaluate the design of all controls relevant to the audit, and determine whether they have been implemented, every year – although the procedures may be less extensive on recurring engagements.
  • Control activities relevant to the audit are those that the auditor judges necessary to understand in order to make a preliminary assessment of the risk of material misstatement and design further audit procedures responsive to assessed risks. If present, control activities over the following would always be relevant to the audit:
    • Significant risks.
    • Fraud risks.
    • Risks for which substantive procedures alone do not provide sufficient appropriate evidence.
    • Risks for which the auditor intends to rely on the operating effectiveness of controls.
    • Journal entries, including nonroutine adjustments.
  • An audit does not require an understanding of all control activities related to each significant account, class of transaction, or disclosure – or every relevant assertion. However, control activities may exist that might be considered relevant to the audit based on auditor judgment, depending on the following factors:
    • Materiality and inherent risk.
    • Understanding of other internal control components.
    • Implementation of new systems and the effectiveness of general IT controls.
    • Lack of segregation of duties.
    • Legal and regulatory requirements.


Jennifer Louis has over 25 years of experience in designing and instructing high-quality training programs in a wide variety of technical and “soft-skills” topics needed for professional and organization success. In 2003, she founded Emergent Solutions Group, LLC, where she focuses her energy on designing and delivering practical and engaging accounting and auditing training. Jennifer started her career in Audit for Deloitte & Touche LLP. Jennifer graduated summa cum laude from Marymount University with a B.B.A. in Accounting.

Now Leaving

You are leaving the website. Once you click “continue,” you will be brought to a third-party website. Please be aware, the privacy policy may differ on the third-party website. Adtalem Global Education is not responsible for the security, contents and accuracy of any information provided on the third-party website. Note that the website may still be a third-party website even the format is similar to the website.