F.5 Evaluating Internal Controls

  1. The evaluation of the system of internal controls should provide reasonable, but not absolute, assurance that the fundamental elements of the system are sufficient to mitigate the related risks and contribute to the attainment of management’s objectives. The study and evaluation should be adequately documented and properly supported by results of tests, observations, and inquiries.

  2. Internal controls are identified and evaluated throughout the audit examination. The objective of the examination can be described as

    1. evaluating the adequacy of the design of controls in relation to the identified risks in order to develop tests to confirm the adequacy of design and continued effective operation;

    2. identifying weaknesses in controls or missing controls in order to design tests to evaluate the potential or actual effects of the weakness as input to designing improvement action to correct the weakness, if appropriate in relation to the cost and risk; and

    3. identifying areas where additional information is necessary in order to carry out either of the above.

  3. Internal auditors should rely on guidance in the Office of the Auditor General of Canada (Office) Annual Audit Manual regarding controls to assist assigned staff in performing this aspect of the audit work. Generally, the guidelines are incorporated into an audit program in the form of desirable internal control characteristics, internal control questionnaires, checklists, and specific audit tests and procedures. Although the written audit guidelines (programs) are invaluable aids, internal auditors must ensure that they are familiar with the scope and objectives of the internal control review.

  4. The review of the system of internal control is performed by discussing the adopted control procedures, methods, and plan of organization with management. The internal auditor may use internal control questionnaires or checklists as well as written narrative memoranda, flowcharts, transaction walk-throughs, and other applicable techniques in determining the adopted control procedures and the method and plan of organization. These techniques are preferred because they provide adequate documentation. In addition to discussions with management, internal auditors make inquiries and perform observations relating to the system of internal controls. These inquiries and observations, and the resulting findings and conclusions, are also documented in the working papers. This documentation includes identifying control strengths and weaknesses, and cross‑referencing them to the related risks and to the audit tests and procedures concerned with substantive testing.

  5. To assist in evaluating the system of internal control, the auditor should consider

    1. types of errors and irregularities that could occur;

    2. potential to degrade the likelihood of attainment of management objectives;

    3. control procedures to prevent or detect such errors and irregularities;

    4. whether the control procedures have been adopted and are being followed satisfactorily;

    5. weaknesses that would enable errors and irregularities to pass through existing control procedures; and

    6. the effect these weaknesses have on the nature, timing, and extent of auditing procedures to be applied.

  6. Audit methods used to study and evaluate existing internal controls may include the following:

    1. Internal control survey questionnaire—This guides the auditor to query responsible managers regarding specific or general internal controls. The questionnaires are usually designed so that a negative response indicates a potential internal control weakness. A negative response will cause the auditor to determine whether compensating controls are in existence that would offset the negative response.

    2. Narratives—These describe the system of internal control.

    3. Flowcharts—A flowchart visually depicts processes designed or intended for control purposes. Flowcharts provide the auditor with a good understanding of the process being evaluated. PRIA’s flowchart documentation standards are set forth in Procedure D-8.

    4. Control matrices—These can be developed or customized to provide cross-reference among risks, controls, tests, results, and recommendations for improvement.

  7. Documentation supports the internal auditor's understanding of the internal controls. Audit working papers provide the documented support for the conclusions reached by the internal auditor regarding the study and evaluation of internal controls. Only those internal control activities that are deemed critical or important related to management’s objectives and related risks should be tested and evaluated. Working papers should be prepared to highlight the internal control attributes within the processes to be evaluated.

  8. Internal auditors should also be vigilant for opportunities to improve the efficiency of processes through the elimination of controls where duplication exists or risk levels do not justify control.

  9. Statistical sampling allows the auditor to stipulate, with a given level of confidence, the condition of a large population by reviewing only a percentage of the total items. Several sampling techniques are available to the auditor:

    1. Attribute sampling is used when the auditor has identified the expected frequency or occurrence of an event.

    2. Variables sampling is used when the auditor samples for values in a population, which vary from item to item.

    3. Judgment sampling is used when it is not essential to have a precise determination of the probable condition of the universe, or where it is not possible, practical, or necessary to use statistical sampling.

  10. Computer-assisted audit techniques (CAATs) can be very effective in identifying events within a population. Data analysis techniques typically involve the use of CAATs software to test an entire population for specific events (e.g. comparing employee addresses from the human resources database to vendor addresses from the accounts payable database). In many cases, data analysis is preferable to sampling because of the accuracy and reliability of results. It also allows performance of broad-based testing that otherwise may not have occurred because of limited audit resources.

  11. Tests of compliance are performed to obtain sufficient evidence that the system is operating in accordance with the understanding the internal auditor obtained from the review. These are performed for those control procedures or methods upon which the auditor has chosen to rely. Conversely, when the auditor determines that certain controls cannot be relied upon, tests of compliance are not ordinarily performed. Rather, tests are carried out to evaluate the real or potential effect of the weakness in order to design improvement recommendations where appropriate in relation to costs and risks.

  12. The nature, timing, and extent of tests of compliance are closely related to the control procedures and methods studied by the internal auditor. Additionally, the auditor must consider the availability of evidence and the audit effort required to test compliance. In considering the required audit effort, the internal auditor assesses whether precluding certain tests of compliance will reduce the reliance on the controls and procedures, and whether such reduced reliance significantly affects subsequent audit tests and procedures.

  13. The timing of compliance testing is applied to transaction cycles throughout the period under audit.

  14. The Chief Audit Executive or director needs to approve the nature, extent, and timing of audit tests of compliance after reviewing internal control questionnaires, checklists, written narratives, and applicable flowcharts. In addition, the audit tests and procedures are to be adequately cross‑referenced to the review and preliminary evaluation of internal control strengths and weaknesses.

  15. Tests of compliance may be applied either before or after the end of the period under examination. When tests are performed prior to the end of the period, the auditor determines whether control procedures are still in operation up to the end of the audit period. This may be accomplished by inquiry, observation, or further testing. Unless the internal auditor believes it is necessary, additional tests of compliance are not required.

  16. In summary, the procedures for the study and evaluation of internal control may include the following:

    1. Preliminary survey—To obtain internal familiarization with management’s overall organization, operation, objectives, risks, and control systems.

    2. Application analysis.

    3. Determine facts—Ascertain by analysis and inquiry what controls have been established. Draft tentative organizational charts, flowcharts, and narrative procedural memoranda.

    4. Walk-through—Trace selected transactions through the system to confirm whether it is functioning as described.

    5. Document—Complete the organizational charts, flowcharts, and procedural memoranda.

    6. Evaluate—Make a tentative evaluation of the effectiveness of internal control.

    7. Test and reevaluate—Confirm, modify, or reject the tentative evaluation of internal control through the use of test samples or data analysis techniques. Document the results of the tests and the conclusions as to the effectiveness of internal control.

Last modified: 2018-03-22