Those of you who participated in Bill Heritage's Summer Series of webinars recently would have heard him talking about the value of using "open" rather than "closed" questions when asking clients to describe their controls processes.
Our existing Internal Controls Checklist was very much based on a closed model, whereby we would ask a questions like:
We are now providing a second narrative-type option for gathering information from clients about the Internal Controls. We have called this the Internal Controls Questionnaire to differentiate it from the old checklist.
The new questionnaire is framed in such a way that the client must add a comment to describe how the entity meets a particular control risk. For example:
Instead of yes/no or multi-choice answers the client is prompted to either add a comment or an attachment (where they may have some notes they wish to attach).
Overall there are less questions (which should please many users) but hopefully the information gathered will be much more useful in assessing how the entity has (or hasn't) thought about its risk and control systems.
We updated the step on the B1 Internal Controls page so that there is now a further option when prompted about obtaining feedback from the client over internal controls:
- Complete checklist
- Complete descriptive questionnaire
- Information already obtained
We have left the option for now that users may select the descriptive questionnaire in addition to the checklist already used, however you will probably want to choose only one be shared with the client.
As with all new content, we do welcome feedback in case we have missed something obvious or there are definite other improvements users suggest.
1. For existing jobs, if the Internal Controls Checklist is not opening from the index page you will need to reselect it from the Internal Controls (B1) page multi-choice list. All your data will still be there.
2. We are often asked with shared pages whether there is a way to hide parts that are not relevant. The answer is no - however we do recommend that auditors go through the page first before sharing and n/a any areas that are obviously not suitable for the client and would just be confusing for them to try to answer.