THE TOPICS OF developing questionnaires and conducting interviews are not standard academic or certified public accounting (CPA) firm training topics for accountants and auditors. Prior to Sarbanes-Oxley (SOX), many financial audits were conducted primarily by substantive procedures that tested balances and transaction streams with direct tests. The requirements of SOX for public companies and a reinvigorated set of American Institute of Certified Public Accountants (AICPA) risk standards required companies and auditors to look at broader controls issues on all audits, including the control environment. As a result, information not previously directly gathered needs to be evidenced in the controls documentation of both entities and auditors. In addition, the continued improvement in controls of public and nonpublic companies and governments have made the reliance on effective internal controls a plausible and efficient strategy for many more audits than ever before. Management benefits from effective systems of internal controls by experiencing fewer fire drills and surprises and by opening the door to more efficient audits.

Sometimes “difficult” and sensitive inquiries and assessments must be made during this process. For example, it is not easy to openly acknowledge the chief executive officer (CEO) is an overbearing and abrasive executive when it was that person's initiative that founded the company; similarly, ...