Internal controls over financial reporting are used to prevent, detect, and correct misstatement. They also help to reduce the chance that fraud will occur. The auditor is required to obtain an understanding of an entity's controls as part of the risk assessment process. This workshop will provide participants with an opportunity to explore the design of controls over the significant systems typically found in a small- to mid-size client. Participants working in industry will find this course useful in challenging the level of internal controls currently implemented in their organizations. Participants will also learn to efficiently document their understanding of the controls and determine where it is either necessary or efficient to test them.


Participants will be able to:

  • Apply the five COSO elements of internal control
  • Differentiate between understanding and testing internal controls
  • Document the understanding of internal controls at the appropriate level
  • Test and document the results of tests of internal controls
  • Issue an AU 265 report


  • COSO Framework
  • Understanding the design of controls at the entity level and at the activity (financial statement assertion) level with an emphasis on manual control activities
  • Determining whether controls have been implemented
  • Effective and efficient tests of controls
  • Multi-purpose tests
  • Documentation techniques
  • Use of service auditor reports (AU 402)
  • AU 265 reporting requirements

Who Will Benefit

  • Audit practitioners working on audits of non-public companies
  • Accountants in industry who want to improve their entity's internal controls


Category Amount
Auditing 8.00


  • Tom Gancarski

    Tom Gancarski is a consultant at a cybersecurity-focused CPA firm, where he specializes in data privacy, risk management, and security compliance engagements relating to SOC 2, GDPR, HITRUST, Privacy Shield, and similar regulations/frameworks. Prior roles include regulatory compliance and risk management positions at Deutsche Bank, HSBC, and BNY Mellon. He also worked as an auditor at a regional consulting firm.

    Tom has spoken at cybersecurity events and seminars for CPA and CISO audiences on multiple topics including security frameworks, privacy, governance, and vendor risk management. He holds CPA licenses in Indiana and Alaska and is licensed to practice law in Massachusetts. Tom is also a Certified Information Privacy Professional/Europe (CIPP/E) and a Certified Information Systems Auditor (CISA).
