We are often asked by boards if we believe that the management company’s processes are effective. The answer is that we have no way of knowing, as we are conducting an audit of the financial statements, not an audit of the manager’s internal control system. The response is typically a look of bewilderment, as most board members don’t understand the difference.
An audit of the financial statements does require the auditor to understand the internal control structure put in place by management so we can plan and perform the audit. But what typically happens is that the auditor says, “That’s great, but we are going to assume management doesn’t follow it and plan our audit as though the system doesn’t work.”
Given the size and simplicity of the transactions in the typical association, it is faster and more effective to avoid testing the internal control system to ensure it works. Take accounts payable: walking a single transaction through the entire control system and documenting the steps would take about an hour. In order to rely upon the system to ensure it leads to the correct recording and reporting of the transaction, we would have to test several dozen. But, since this is a financial audit and we are concerned with ensuring that vendor invoices are reported in the correct period, we can simply review the individually significant invoices reported in the subsequent period to determine the period in which each was incurred and recorded. We can go through the 4 or 5 invoices in about 10 minutes.
Since we didn’t rely upon the control system to ensure the invoice was recorded correctly, we completed the procedure faster and determined the results just as effectively as though we had relied upon it. If we find invoices in the subsequent period (typically January) that should have been recorded in the prior period, we propose a journal entry. The internal control system might have worked but we can’t say that, even if we didn’t find an invoice posted to the wrong period.
We understand that boards are concerned with the effectiveness of the internal control system and agree that it is important. But the individual board does not want to engage an auditor to test the management company’s system. Boards should require their management company to have a SOC audit.
A SOC, or Service Organization Control, audit is performed by an auditor on the service provider, in this case the management company. The SOC audit ensures the appropriate controls are in place and function as required. While there are different levels of SOC audit, the end result is the same – reporting on the effectiveness of the provider’s internal control system.
Frankly, state law should require a management company to have a SOC audit in addition to requiring the association to have a financial audit. Associations which outsource the receipt and payment of funds need to know that the company they use has the right systems in place and those systems work. The annual financial audit is not designed to offer an assurance that this is the case.
We realize that a SOC audit could be expensive. To be honest, it might not even substantially reduce the cost of the association’s financial audit; although I think there would be some cost savings. If a manager could produce a SOC audit which stated that the controls were in place and effective, we could probably drop our audit charge by 10-20 percent. But beyond the potential savings you would have a strong marketing tool.
The feedback we have received is that an association board would rather have a report which says that the internal control system is in place and works. We would like to offer this to a board, but this type of report is not cost effective at the association level. It could be at the management company level, though. And it is quite possible that having a SOC audit report can help you land new clients – since, everything else being equal, having a documented and tested internal control system is much more important to boards than knowing their financial statements are prepared according to GAAP.
Something to think about.