INTERNAL CONTROL

Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.

The auditor shall obtain an understanding of internal control relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.

An understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect the risks of material misstatement, and in designing the nature, timing and extent of further audit procedures.

Purpose of Internal Control

Internal control is designed, implemented and maintained to address identified business risks that threaten the achievement of any of the entity’s objectives that concern:
• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations; and
• Its compliance with applicable laws and regulations.

The way in which internal control is designed, implemented and maintained varies with an entity’s size and complexity.

Limitations of Internal Control

A46. Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their limitations of internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human error. For example, there may be an error in the design of, or in the change to, a control. Equally, the operation of a control may not be effective, such as where information produced for the purposes of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action.

A47. Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.

A48. Further, in designing and implementing controls, management may make judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume.

Division of Internal Control into Components

A51. The division of internal control into the following five components, for purposes of the ISAs, provides a useful framework for auditors to consider how different aspects of an entity’s internal control may affect the audit:
(a) The control environment;
(b) The entity’s risk assessment process;
(c) The information system, including the related business processes, relevant to financial reporting, and communication;
(d) Control activities; and
(e) Monitoring of controls.

The division does not necessarily reflect how an entity designs, implements and maintains internal control, or how it may classify any particular component. Auditors may use different terminology or frameworks to describe the various aspects of internal control, and their effect on the audit than those used in this ISA, provided all the components described in this ISA are addressed.

(A)

A69. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people.

A70. Elements of the control environment that may be relevant when obtaining an understanding of the control environment include the following:

(a) Communication and enforcement of integrity and ethical values – These are essential elements that influence the effectiveness of the design, administration and monitoring of controls.

(b) Commitment to competence – Matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

(c) Participation by those charged with governance – Attributes of those charged with governance such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they receive, and the scrutiny of activities.
• The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors.

(d) Management’s philosophy and operating style – Characteristics such as management’s:
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and personnel.

(e) Organizational structure – The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed.

(f) Assignment of authority and responsibility – Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established.

(g) Human resource policies and practices – Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.

(B)

A79. The entity’s risk assessment process forms the basis for how management determines the risks to be managed. If that process is appropriate to the circumstances, including the nature, size and complexity of the entity, it assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.

(C)

A81. The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records designed and established to:
• Initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity;
• Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis;
• Process and account for system overrides or bypasses to controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of accounts receivables; and
• Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the financial statements.

Communication - Communication by the entity of the financial reporting roles and responsibilities and of significant matters relating to financial reporting involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes such matters as the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Communication may take such forms as policy manuals and financial reporting manuals. Open communication channels help ensure that exceptions are reported and acted on.

(D)

A88. Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:
• Authorization.
• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.

(E)

A98. Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis and taking necessary remedial actions. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities.

A99. Management’s monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement.