Internal Control Consideration
Internal control structure varies with an entity’s size and complexity. Smaller entities may use less
structured means and simpler processes and procedures.
An understanding of internal control assists the auditor in identifying types of potential misstatements
and factors that affect the risk of material misstatement (ROMM), and in designing the nature, timing,
and extent of further audit procedures (test of controls and substantive procedures).
Control Environment
Control environment is the governance and management functions and the attitudes, awareness, and
actions of those charged with governance (TCWG) and management concerning the entity’s internal control and its importance in the
entity. It is the foundation of internal control as it sets the tone of an organization that influences the
control consciousness of its people.
The seven elements of the control environment are (CHAMPOI):
1. Communication and enforcement of Integrity and ethical values
2. Commitment to Competence
3. Human resource policies and practices
4. Assignment of authority and responsibility
5. Management's philosophy and operating style
6. Participation of those charged with governance
7. Organizational structure
The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
1. Management, with the oversight of TCWG, has created and maintained a culture of honesty and
ethical behavior; and
2. The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control, and whether those other components are not
undermined by control environment weaknesses.
Relevant audit evidence may be obtained through a combination of inquiries and other risk
assessment procedures such as corroborating inquiries through observation or inspection of
documents. For example, through inquiries of management and employees, the auditor may obtain
an understanding of how management communicates to employees its views on business practices
and ethical behavior, and may consider whether management has a written code of conduct and
whether it acts in a manner that supports the code.
Risk Assessment Process
The entity’s risk assessment process refers to the entity’s process for identifying business risks
relevant to financial reporting objectives and deciding about actions to address those risks, and the
results thereof. If that process is appropriate to the circumstances, including the nature, size and
complexity of the entity, it assists the auditor in identifying ROMM. Whether the entity’s risk
assessment process is appropriate is a matter of judgment.
The auditor shall obtain an understanding of whether the entity has a process for (IDEA):
1. Identifying business risks relevant to financial reporting objectives;
2. Estimating the significance of the risks;
3. Assessing the likelihood of their occurrence; and
4. Deciding about actions to address those risks.
Control Activities
Control activities are policies and procedures of the entity that help ensure that management
directives are carried out.
Examples of control activities include policies and procedures on (PIPS):
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
The auditor shall obtain an understanding of control activities relevant to the audit.
Monitoring
Monitoring is a process that assesses the effectiveness of internal control performance over time. It
includes assessing the design and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.
Documentation
The auditor shall document the key elements of each of the internal control components, including the
sources of information from which the understanding was obtained.
The auditor may document its understanding through any one or a combination of the following techniques:
1. Internal Control Questionnaires (ICQ) – An ICQ asks a series of questions about the controls in
each audit area as a means of identifying internal control deficiencies. Most questionnaires require a
“yes” or a “no” response, with “no” responses indicating potential internal control deficiencies.
2. Narratives/Memoranda – A narrative is a written description of a client’s internal controls.
3. Flowcharts – An internal control flowchart is a diagram of the client’s documents and their
sequential flow in the organization.
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on
the basis of the audit work performed, whether, individually or in combination, they constitute
significant deficiencies.
Significant deficiency in internal control refers to a deficiency or combination of deficiencies in internal
control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of
those charged with governance.
Significant deficiency is less severe than a material weakness.
The auditor shall evaluate whether, on the basis of the audit work performed, the auditor has
identified a material weakness in the design, implementation or maintenance of internal control.
The types of material weaknesses in internal control that the auditor may identify when obtaining an
understanding of the entity and its internal controls may include:
• ROMM that the auditor identifies and which the entity has not controlled, or for which the relevant
control is inadequate.
• A weakness in the entity’s risk assessment process that the auditor identifies as material, or the
absence of a risk assessment process in those cases where it would be appropriate for one to have
been established.
The auditor shall communicate in writing (e.g., management letter, the “by-product” of audit), on a
timely basis, significant deficiencies and material weaknesses in internal control identified during the
audit to management at an appropriate level of responsibility and to those charged with governance.
Control deficiency | Does not allow, in the normal course of functions, to prevent or detect and correct misstatements on a timely basis. | Only if it merits their attention.
Significant deficiency | Less severe than a material weakness. | Yes
Material weakness | A reasonable possibility that a material misstatement will not be prevented, or detected and corrected on a timely basis. | Yes