The Standard Behind the Opinion

What GAAS Is

When we issue an opinion on your financial statements, that opinion is only as credible as the process behind it. Generally Accepted Auditing Standards — GAAS — are the professional framework that governs how an audit is planned, performed, evidenced, and reported. They are the difference between a recognized, defensible audit and an informal once-over. An opinion delivered under GAAS carries meaning to your bankers, investors, regulators, and board precisely because everyone knows what those three letters require.

For audits of private companies and most not-for-profit and governmental entities, GAAS is issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), codified in the Statements on Auditing Standards and organized under the AU-C section numbers an auditor cites throughout an engagement. For audits of public companies, the standards of the Public Company Accounting Oversight Board (PCAOB) apply instead, under the oversight regime established after Sarbanes-Oxley. The principles are closely related, but the body that sets and enforces them differs depending on who the audited entity is.

GAAS Versus GAAP — Two Different Things

It is worth being precise about a distinction that confuses many clients. GAAP — Generally Accepted Accounting Principles — governs how financial statements are prepared: how revenue is recognized, how leases are accounted for, how assets are measured and disclosed. GAAP is management's responsibility. GAAS governs how those statements are audited: how we gather evidence, assess risk, and reach a conclusion about whether the statements are fairly stated in accordance with GAAP. In short, GAAP is the standard for the numbers; GAAS is the standard for our examination of the numbers. We hold ourselves to GAAS so that our opinion on your GAAP-basis statements is reliable.

What this means for you is concrete: when C&M LLP audits your financial statements, the work is performed to a recognized professional standard, not an ad hoc review shaped by convenience or budget. Planning, risk assessment, evidence, documentation, supervision, and reporting all follow a defined framework — and that discipline is what gives our signature its weight.

The Framework We Evaluate Against

COSO Internal Control — the Framework

A central part of any audit is understanding and evaluating your internal control — the processes management has in place to provide reasonable assurance that the entity achieves its objectives and that its financial reporting is reliable. Auditors do not invent a private definition of internal control; we work from a recognized model. The standard model, used worldwide and embedded in U.S. regulatory expectations, is the framework published by the Committee of Sponsoring Organizations of the Treadway Commission — COSO.

COSO defines internal control as a process effected by an entity's board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. The framework is often pictured as a cube, and it has three dimensions worth keeping in mind: the objectives internal control serves (operations, reporting, and compliance), the organizational levels at which control operates (from the entity as a whole down to divisions, operating units, and functions), and — most importantly for understanding how control actually works — the five integrated components below. We assess each component when we plan and perform your audit.

1. Control Environment

The control environment is the foundation for everything else — the set of standards, processes, and structures that establish the tone at the top of an organization. It encompasses the integrity and ethical values that leadership demonstrates and enforces, the independence and oversight exercised by the board or those charged with governance, the organizational structure and the way authority and responsibility are assigned, the entity's commitment to attracting and retaining competent people, and the way it holds individuals accountable. A weak control environment undermines even well-designed procedures elsewhere, because culture determines whether controls are respected or ignored. We assess it first, because it colors everything we conclude about the rest.

2. Risk Assessment

Risk assessment is the entity's own dynamic process of identifying and analyzing the risks to achieving its objectives, forming a basis for how those risks should be managed. This includes specifying objectives clearly enough that risks against them can be identified, analyzing both the likelihood and significance of those risks, and explicitly considering the potential for fraud. It also requires considering how change — new markets, new systems, new leadership, new accounting standards, rapid growth — creates new risks that existing controls may not address. We evaluate how rigorously management identifies and responds to risk, and we perform our own risk assessment to direct audit effort where misstatement is most likely.

3. Control Activities

Control activities are the policies and procedures that help ensure management's directives are carried out and that risks to objectives are mitigated. These are the concrete mechanisms most people picture when they think of internal control: authorizations and approvals of transactions, reconciliations of accounts and balances, verifications, segregation of incompatible duties so that no single person both initiates and conceals a transaction, and physical controls over assets and records. Control activities occur at every level of the entity and across the technology environment. We test the activities most relevant to the financial statement assertions we are auditing.

4. Information & Communication

Internal control depends on relevant, quality information being identified, captured, and communicated in a form and timeframe that lets people carry out their responsibilities. This component covers the entity's information systems — including the accounting records and the reports drawn from them — and the flow of communication both internally, so that personnel understand their control duties, and externally, with customers, vendors, regulators, and shareholders. If information is incomplete, inaccurate, or does not reach the right people in time, controls that rely on it fail regardless of how well they are designed. We assess the reliability of the information underpinning the controls we rely on.

5. Monitoring Activities

Finally, an effective system of internal control is monitored over time. Monitoring activities are the ongoing evaluations built into normal operations, the separate evaluations conducted periodically (such as internal audit reviews), or some combination of the two, used to determine whether each of the components is present and functioning. Just as important, identified deficiencies must be evaluated and communicated in a timely manner to those responsible for taking corrective action, including senior management and the board where warranted. Controls degrade if no one watches them; monitoring is what keeps the system honest between audits.

Why We Audit With Skepticism

The Fraud Triangle

Auditing standards require us to maintain professional skepticism throughout an engagement — to recognize that material misstatement due to fraud is possible regardless of our past experience with the honesty and integrity of management. The fraud triangle is the long-standing model that explains the three conditions generally present when fraud occurs. Understanding all three is what lets us design procedures that address fraud risk rather than simply assuming good faith.

  • Pressure or incentive. A motive to commit fraud — financial difficulty, aggressive earnings targets, debt covenants at risk, performance-based compensation, or personal pressures. We consider where incentives might push someone toward misstatement, and we treat areas under such pressure as higher risk.
  • Opportunity. A way to commit and conceal the fraud — weak controls, poor segregation of duties, ineffective oversight, or the ability to override controls. Opportunity is the condition internal control is best positioned to reduce, which is why we focus so heavily on evaluating control design and operation.
  • Rationalization. An attitude or set of values that allows a person to justify the act to themselves — "I'll pay it back," "the company owes me," "everyone does it." Rationalization is the hardest condition to control directly, which is why the control environment and tone at the top matter so much: a strong ethical culture narrows the room to rationalize.

What this means for you is straightforward but important: we audit assuming fraud is possible, not assuming everyone is honest. That is not a comment on your people; it is a professional requirement and a protection. Skepticism, unpredictable procedures, and a hard look at the controls that govern opportunity are how we discharge that responsibility on your behalf.

How Controls Do Their Work

Types of Control

Not all controls do the same job. A healthy control system layers different types so that what one fails to stop, another catches, and what is caught is then fixed. When we evaluate your environment, we look at the balance across these three categories.

Preventive Controls

Preventive controls are designed to stop errors or fraud before they occur. They are the first line of defense and generally the most cost-effective, because preventing a problem is cheaper than correcting one. Examples include requiring approval and authorization before a payment is released, segregating incompatible duties so the person who approves vendors cannot also cut the checks, restricting system access by role, and validating data at the point of entry. A well-controlled organization invests heavily here.

Detective Controls

Detective controls are designed to find problems after they have occurred — because no preventive system is perfect. They include bank and account reconciliations, management review of variances against budget, physical counts compared to recorded balances, exception and audit-trail reports, and internal and external audits themselves. Detective controls do not stop the initial error, but they identify it so it can be addressed before it does lasting harm, and their existence also deters wrongdoing by raising the likelihood of being caught.

Corrective Controls

Corrective controls fix the problems that detective controls surface and, just as importantly, prevent recurrence. They include posting adjusting entries to correct misstatements, recovering or backing out erroneous transactions, disciplinary and remediation procedures, and revising a deficient process or policy so the same failure does not happen again. A control system that detects but never corrects simply documents the same problems indefinitely; correction is what closes the loop.

An Honest Appraisal

The Limits of Internal Control

This is perhaps the most important section for any client to understand, because it is where unrealistic expectations are corrected. Even the best-designed and best-operated system of internal control can provide only reasonable assurance — never absolute assurance — about the achievement of an entity's objectives. Anyone who promises that controls or an audit guarantee no error or fraud is misrepresenting what is possible. The reasons are inherent to internal control itself.

  • Suitability of the objectives. Internal control is assessed against the objectives management has established — and the suitability of those objectives is a precondition to internal control. Control cannot compensate for objectives that are poorly chosen or wrong in the first place; it can only provide assurance regarding objectives that have actually been set.
  • Dependence on human judgment. Controls are designed and operated by people, and people make faulty judgments and simple mistakes. A reviewer can misread a report; a preparer can transpose a figure; a manager can reach a reasonable but ultimately incorrect conclusion under time pressure. Human fallibility is unavoidable.
  • Management override. The very people responsible for the controls can deliberately override them — instructing staff to record a transaction improperly, suppressing information, or stepping outside established procedures. Because management sits above the control structure, override is a risk that no routine control can fully eliminate, and it is a particular focus of our skepticism.
  • Collusion. Segregation of duties works only if the separated individuals act independently. Two or more people acting together — or with an outside party — can circumvent controls that would stop any one of them alone, and can conceal the activity from view. Collusion defeats controls precisely because the system assumes the participants are checking one another.
  • External factors and cost-benefit constraints. Events beyond the entity's control can affect its ability to achieve objectives despite sound internal control. And because no entity has unlimited resources, the cost of a control is always weighed against the benefit it provides — meaning some risks are deliberately accepted rather than controlled away, as a matter of reasoned judgment.

What you get from us is the honest version of all this. We will tell you what your controls can reasonably be relied upon to do, where the residual risk sits, and what an audit can and cannot guarantee. Reasonable assurance, delivered with rigor and documented thoroughly, is a genuinely valuable thing — and it is far more trustworthy than a promise of certainty that no one can keep.

A Note on Scope

The Standards Beyond This Page

This page is an overview of the concepts most directly relevant to your experience of an audit — the standard that governs our work, the framework we use to evaluate control, the model that shapes our skepticism, and the honest limits of what any control system can promise. It is not the whole of the rulebook.

A great many further auditing and quality-management standards govern how we accept engagements, assemble and supervise teams, gather and document evidence, evaluate estimates, communicate with those charged with governance, and maintain the firm-wide systems of quality control that sit behind every report we issue. We apply all of them rigorously whether or not they are detailed here; they are less directly pertinent to your day-to-day experience, but no less binding on us. If you ever want to understand how a particular aspect of an engagement will be handled, ask — we are glad to walk you through it.

Need an audit done right?

We bring the standard, the skepticism, and the documentation. Reach out anytime.
