When conducting your inquiries, consider the following:
Focus first on what should happen and whether the employees’ understanding of the control procedure is consistent with your understanding. This strategy accomplishes two important objectives:
1. It provides you with a baseline understanding of the procedure that everyone can agree on. It helps to start with everyone on the same page. You can then discuss exceptions to the norm later.
2. If the employees’ understanding of what should happen varies significantly from what is documented, that may indicate a weakness in entity-level controls. For example, you may determine that a weakness in the entity’s hiring or training policies is the cause of the lack of understanding of what should happen. This weakness may have implications for the operating effectiveness of other application-level controls.
Differences between the documentation and the employees’ understanding of the procedures also may indicate that the implementation or use of the entity’s automated documentation tool was poorly planned or executed. For example, documentation of a new control may have been created without informing operating personnel of the change.
Ask open-ended questions. Open-ended questions get people talking and allow them to volunteer information. The results of your inquiries are more reliable when individuals volunteer information that is consistent with your own understanding rather than simply confirming that understanding with a direct statement.
Focus on how the procedure is applied and documented. As described earlier, operating effectiveness is determined by how the procedure was applied, the consistency with which it was applied, and by whom (e.g., whether the person performing the control has other, conflicting duties). The last two elements will be the subject of your inquiries to identify exceptions to the stated policy. Questions about what somebody does or how he or she documents control performance (e.g., by initialing a source document) typically are less threatening than questions related to consistency (“Under what circumstances do you not follow the required procedure?”) or possible incompatible functions.
Interviewers should share their findings and observations with each other. Research indicates that the effectiveness of inquiries as an evidence-gathering technique improves when engagement team members debrief the results.
Ask “What could go wrong?” Interviewees will easily understand a line of questioning that starts with: “Tell me what could go wrong in processing this information,” followed by: “What do you do to make sure those errors don’t occur?” Toward that end, consider using the financial statement assertions model to frame your questions. As described previously, one way to organize your understanding of activity-level controls is to link them to financial statement assertions. You can use these assertions to formulate questions. For example, the question “What procedures do you perform to make sure that you capture all the transactions?” is related to the completeness assertion.
Consider the difference between processes and controls. A process changes or manipulates the information in the stream. Processes introduce the possibility of error. Controls detect errors or prevent them from occurring during the processing of information. Your inquiries should confirm your understanding of both the steps involved in processing the information and the related controls.
The duties of an individual employee may include the processing of information (e.g., the manual input of data into the computer system or the preparation of source documents), control procedures (e.g., the performance of a reconciliation or the follow-up on items identified in an exception report), or both. In making your inquiries, you should remain cognizant of the distinction between processes and controls and the responsibilities of the individual being interviewed.
Identify exceptions. In every entity, there will be differences between the company’s stated procedures and what individuals actually do in the course of everyday work. The existence of differences is normal. In testing the effectiveness of application-level controls, you should anticipate that these differences will exist, and you should plan your procedures to identify them and assess how they affect the effectiveness of activity-level controls. Differences between what should happen and what really happens can arise from:
The existence of transactions that were not contemplated in the design of the system.
Different application of the procedure according to division, location, or differences between people.
Changes in personnel or in their assigned responsibilities during the period under review.
Practical, field-level work-arounds adopted to satisfy other objectives, such as bypassing a control to better respond to customer needs.
Once you and the interviewee reach a common understanding of the company’s stated procedures, you should be prepared to discuss the circumstances that result in a variation from these procedures. When making these inquiries:
Don’t make value judgments. In any organization, the information that flows through a processing stream will follow the path of least resistance. Controls that are seen as barriers to the processing of legitimate transactions that meet the company’s overall objectives may be bypassed. The employee may not be at fault. More important, if you adopt a judgmental attitude toward the interviewee, he or she will be less inclined to participate productively in the information-gathering process, and your interview will lose effectiveness.
Separate information gathering from evaluation. Remember that this phase of your inquiries is a two-step process: (1) identify the exceptions to the stated policy, and (2) assess the effect that these have on operating effectiveness. Keep these two objectives separate. Be careful that you don’t perform your evaluation prematurely, before you gather all the necessary information. When performing your inquiries, remember that your only objective is to gather information; you will perform your evaluation once you have completed your inquiries.
Use hypothetical or indirect questions to probe sensitive areas. Many interviewees will feel uncomfortable describing to you how they circumvent company policies or how they have incompatible duties that could leave the company vulnerable to fraud. To gather this type of information, use indirect questioning techniques that do not confront employees directly or otherwise put them on the defensive. For example, you might preface your questions with qualifying statements, such as:
“If a situation arose in which …”
“Suppose that …”
“If someone wanted to …”
Ask interviewees directly about their opinions of control effectiveness. The overall objective of your inquiry is to gather information to assess the effectiveness of controls. The opinions of those who perform the control procedures on a daily basis are important. Ask them to share those opinions. Do they think the controls are effective? Why or why not?
Qualifications of employees. Assessing the operating effectiveness of control activities requires you to consider who performs such activities. Your inquiries should determine whether the interviewee is qualified to perform the required procedures. To be qualified, the individual should have the necessary skills, training, and experience and should have no incompatible functions.
Focus groups. As a supplement to, or perhaps instead of, interviewing people individually, you may wish to facilitate a group discussion about the entity’s activity-level control activities and their effectiveness. The purpose of the group discussion would be the same as a discussion with individuals: to confirm your understanding of control design and to gather information about operating effectiveness. However, group discussions are advantageous in that they:
Enable you to see the whole process. You may be able to convene a group of individuals who represent every step in the processing stream, from the initiation of the transaction through to its posting in the general ledger. A group discussion that includes these members will help you to understand more quickly how the entire process fits together.