Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5031 Entity’s system of internal control and its relevance to the audit
Sep-2022
In This Section
Types of controls and the role of internal controls to an entity
Limitations of internal control
Overview
Obtaining an understanding of the entity’s system of internal control is an important part of the risk assessment process. The risk assessment process is an iterative, dynamic process of gathering, updating, and analyzing information throughout the audit. Our understanding establishes a frame of reference that enables us to identify and assess risks of material misstatements and design our responses to the identified risks.
Why is this important? |
An understanding of the entity’s system of internal control allows us to better understand what risks management believes warrant their resources and attention which helps to inform our identification of potential risks of material misstatement. Undertaking a robust process to understand the entity’s system of internal control therefore enables engagement teams to identify and assess the risk of material misstatement specific to the entity. The understanding obtained, as well as the identification and assessment of risks specific to the entity and its environment, facilitates the development of audit responses that effectively and efficiently address the identified risks of material misstatement. |
Within OAG Audit 5030, we will address in more detail the Understand and Identify elements of the OAG Risk Assessment Process illustrated below:
We obtain an understanding regarding the entity-specific risks, through research and analysis of the components of the entity’s system of internal control relevant to the preparation of the financial statements, including its IT environment.
There are a variety of information sources available to us to obtain an understanding of the entity’s system of internal control. We develop a robust understanding by making use of available and relevant information. The table below provides some areas we consider when obtaining an understanding as well as some examples of sources for obtaining relevant information in these areas.
What we understand | Potential sources of information to obtain our understanding |
---|---|
Control environment relevant to the preparation of the financial statements |
|
The entity’s risk assessment process relevant to the preparation of the financial statements |
|
The entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements |
|
The entity’s information system and communication relevant to the preparation of the financial statements |
|
When obtaining an understanding of the entity’s system of internal control we identify entity-specific risks and controls that address those risks by performing the following:
-
Identifying risks arising from the use of IT and IT general controls that address such risks
-
Evaluating the design and implementation of controls within the control activities component including the IT general controls
-
Evaluating control deficiencies identified within the entity’s system of internal control
We are required by CAS 315 to obtain an understanding of the entity’s system of internal control (comprising the control environment, entity’s risk assessment process, process to monitor the system of internal control, information system and communication and control activities) to identify the types of potential misstatements and other factors that impact our assessed risks of material misstatement at the financial statement and assertion levels – whether due to fraud or error – and thereby providing a basis for designing the nature, timing, and extent of further audit procedures (i.e., tests of controls and substantive procedures) for obtaining audit evidence.
A simple way to think about identifying potential misstatements is to ask ourselves, “what could go wrong?” in our client’s accounting and reporting processes (i.e., inherent risk). Once we identify these potential misstatements, we can ask ourselves, what does the entity do to mitigate those risks (i.e., the entity’s controls), and what audit procedures do we need to perform (i.e., our audit response) to obtain sufficient evidence that there is not a reasonable possibility of a material misstatement of the entity’s financial statements arising from the identified potential misstatements.
Understanding how the entity processes transactions, what systems they use, and how they affect the applicable financial reporting framework, enables us to plan and execute audit procedures that are responsive to entity-specific risks of material misstatement.
Our required understanding includes obtaining evidence about whether controls within the control activities component have been effectively designed and implemented. This is an important element of obtaining our understanding of internal control as our audit responses to risks of material misstatement may differ if we conclude that the entity’s controls have not been effectively designed or implemented.
An important part of our understanding of the entity’s system of internal control is obtaining an understanding of the entity’s business processes. Obtaining this understanding allows us to understand how transactions are initiated, recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial statements. To understand an entity’s end-to-end flow of transactions and business processes, we need to understand the nature, volume, and magnitude of transactions, the financial statement accounts impacted, and the relevant accounting principles used by the entity and we develop that understanding at the transaction cycle or business process level. Activities that occur at service organizations and shared service centers also form part of an entity’s business process.
As explained above obtaining an understanding of each of the entity’s components of internal control relevant to the preparation of the financial statements is fundamental to our identification and assessment of risks of material misstatement. As a result, we need to perform sufficient procedures to understand and evaluate the entity’s system of internal control regardless of whether or not we plan to rely on testing of operating effectiveness of internal controls as part of our audit strategy.
We perform our procedures through a combination of review of the entity’s documentation and discussions with entity personnel. Based on the understanding we have obtained, we evaluate whether the entity’s system of internal control is conducive to the preparation of the entity’s financial statements given the nature and circumstances of the entity. We apply professional skepticism and challenge management’s views and assessment of risks, where necessary.
CAS Guidance
The entity’s system of internal control may be reflected in policy and procedures manuals, systems and forms, and the information embedded therein, and is effected by people. The entity’s system of internal control is implemented by management, those charged with governance, and other personnel based on the structure of the entity. The entity’s system of internal control can be applied, based on the decisions of management, those charged with governance or other personnel and in the context of legal or regulatory requirements, to the operating model of the entity, the legal entity structure, or a combination of these (CAS 315.Appendix 3.1).
Included within the entity’s system of internal control are aspects that relate to the entity’s reporting objectives, including its financial reporting objectives, but it may also include aspects that relate to its operations or compliance objectives, when such aspects are relevant to financial reporting (CAS 315.Appendix 3.3).
Example: Controls over compliance with laws and regulations may be relevant to financial reporting when such controls are relevant to the entity’s preparation of disclosures of contingencies in the financial statements. |
Controls are embedded within the components of the entity’s system of internal control (CAS 315.A2).
Policies are implemented through the actions of personnel within the entity, or through the restraint of personnel from taking actions that would conflict with such policies (CAS 315.A3).
Procedures may be mandated, through formal documentation or other communication by management or those charged with governance, or may result from behaviors that are not mandated but are rather conditioned by the entity’s culture. Procedures may be enforced through the actions permitted by the IT applications used by the entity or other aspects of the entity’s IT environment (CAS 315.A4).
Controls may be direct or indirect. Direct controls are controls that are precise enough to address risks of material misstatement at the assertion level. Indirect controls are controls that support direct controls (CAS 315.A5).
Risks to the integrity of information arise from susceptibility to ineffective implementation of the entity’s information policies, which are policies that define the information flows, records and reporting processes in the entity’s information system. Information processing controls are procedures that support effective implementation of the entity’s information policies. Information processing controls may be automated (i.e., embedded in IT applications) or manual (e.g., input or output controls) and may rely on other controls, including other information processing controls or general IT controls (CAS 315.A6).
OAG Guidance
Internal Control—integrated framework
The CAS internal control framework is similar to the one used in the COSO framework, published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (Internal Control—Integrated Framework) in 2013.
The COSO framework addresses the entity’s business operations, their need to prepare reliable reports and financial statements, and compliance with laws and regulations to which the entity is subject. These overlapping high level internal control objectives can be applied to the entity’s different business activities and management units, as illustrated below:
While the COSO framework considers overall reporting, our primary focus is on the financial reporting area.
In order to understand how management has designed and implemented internal control over financial reporting, we obtain an understanding of the various types of controls (i.e., policies or procedures to achieve the control objectives of management or those charged with governance) and processes that are embedded within each of the five components of the entity’s system of internal control. These are further discussed in:
- Control environment OAG Audit 5032.
- Risk assessment OAG Audit 5033.
- Information and communication OAG Audit 5034.
- Control activities OAG Audit 5035.
- Monitoring activities OAG Audit 5036.
Each of the five internal control components is relevant to the entity’s financial reporting objectives (i.e., to provide financial information about the entity that is useful to decision making by its stakeholders) and the components of internal control are relevant to every level of the organization (i.e. at the entity, group, division, operating unit, subsidiary and/or business process level).
Even though the COSO control framework may help management to design, implement and maintain effective internal control over financial reporting, it does not prescribe any specific controls that need to be designed and operated effectively for an entity to have an effective system of internal control. For the purposes of our audit, we focus on whether and how management has implemented control activities embedded within business processes relevant to preparation of financial statements (i.e., information processing controls) and general IT controls (ITGCs)) with a level of precision to prevent or detect and correct on a timely basis a misstatement that could be material to the financial statements. These controls identified in the information system and communication and control activities components are therefore more likely to affect the identification and assessment of risks of material misstatement at the assertion level. Further, processes and controls embedded within the other components of internal control would have an important effect on the design and operation of control activities, but they would only have an indirect effect on the likelihood that a misstatement is detected or prevented and corrected on a timely basis and, as a result, are more likely to affect the identification of risks of material misstatement at the financial statement level. Therefore, an entity’s system of internal control over financial reporting usually has a substantially larger number of control activities that operate at the transaction level than controls that operate in the other components of internal control.
The internal control components, excluding control activities, may have fewer tangible elements or controls such as “tone at the top.” Consequently, these components are more judgmental in nature but this is not intended to suggest that these components are any less important than control activities. The internal control components of the internal control framework may have a pervasive effect on the overall system of control activities, therefore we typically understand and evaluate them and, where applicable, begin to test their operating effectiveness earlier in the audit process.
Types of controls
OAG Audit recognizes different types of controls that we can expect to identify in the entity’s system of internal control:
- Preventative vs detective controls
- Indirect vs direct controls
- Entity-level controls
- Business performance reviews
- Information technology general controls
- Information processing controls
Preventive vs. detective controls
Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors or fraud that has already occurred and correcting them to avoid a misstatement of the financial statements.
The following are some examples of detective and preventive controls:
Preventive | Detective |
---|---|
System automatically populates costs in the purchase order based on the approved vendor price master file for the applicable inventory SKU number entered | Payments recorded in the general ledger are reconciled to the check register to ensure that all disbursements are recorded accurately and in the correct period. Differences are investigated and resolved on a timely basis. |
System automatically calculates payroll related accruals | The payroll manager reviews the payroll register prior to payment distribution. Unusual items are investigated and resolved on a timely basis. |
Open sales orders (not shipped/invoiced) are investigated and resolved on a daily basis | Cash receipts are recorded upon receipt and applied to customer accounts/invoices via remittance advice. A system generated exception report is reviewed to identify cash receipts without remittance advices. Differences are investigated and resolved on a timely basis. |
Purchase orders for more than a defined monetary threshold are reviewed and require evidence of approval by the entity’s controller before the order can be submitted to the entity’s vendor or processed in the entity’s ERP system | Approved purchase orders in excess of a defined value are reviewed by the supervisor on a timely basis who follows up with the approver to resolve any questions that arise. |
Some controls can be designed in a way that have both preventive and detective characteristics. Some IT applications, especially for newer or emerging technologies, can include ’real time’ controls designed to avoid creating a ’hard stop’ that interrupts business operations, while enabling controls that support the business (see example below). When understanding and evaluating the design of the entity’s control we consider both preventive and detective characteristics of the control to the extent they are responsive to the identified risk of material misstatement.
Example: An entity has a purchase order approval policy with defined approval thresholds. Within the policy members of the purchase team are allowed to initiate orders up to the defined monetary threshold without additional approval. A detective control requires that all purchase orders exceeding the defined monetary threshold up to a maximum of 150% of the original limit be approved by the supervisor. When such an order is initiated the system automatically sends a communication to the supervisor to review the purchase order and retrospectively approve, or to follow up if required. A preventive control does not allow purchase team members to initiate orders exceeding 150% of the original limit without preapproval from the supervisor. |
Indirect controls
Indirect controls work to support direct controls and therefore have only an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis. Indirect controls are not sufficiently precise to prevent, detect or correct misstatements at the assertion level by themselves. Indirect controls are typically implemented within the control environment, risk assessment process or process to monitor the system of internal control component of an entity’s system of internal control.
Examples of indirect controls may include:
- Communication and enforcement of integrity and ethical values
- Human resource policies and procedures
- Delegation of authority matrices used to establish appropriate authorization hierarchies
- Controls over the completeness and accuracy of a report used in monitoring the entity's system of internal controls.
Direct controls
Direct controls, when designed and operating effectively and at a sufficient level of precision, can adequately prevent, or detect and correct on a timely basis, material misstatements at the assertion level.
We ordinarily identify direct controls within the information system and communication and the control activities components of an entity’s system of internal control.
Entity-level controls
Entity level controls (ELCs) operate at the entity level and can be direct and indirect in nature. Some entity level controls (e.g., controls identified within the control environment component of the entity’s system of internal control) have an important, but indirect, role in addressing the risks of material misstatement at the assertion level. Such controls are called Indirect ELCs. Indirect ELCs could have an impact across more than one business process and are considered when evaluating the effectiveness of transaction level or direct entity level controls at the transaction level within a business process.
Some entity level controls might however be designed to operate at a level of precision that would address risks of material misstatement at the assertion level (e.g., business performance reviews). Such controls are called Direct ELCs.
OAG Audit 5035.1 provides further guidance on the audit evidence provided by ELCs.
Business performance reviews (BPRs)
Business performance reviews (BPRs) are one form of direct ELCs. BPRs include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance. The following are some of the characteristics we consider when obtaining an understanding of BPRs:
-
The primary purpose of BPRs is to assist management with monitoring business operations and decision-making. BPRs tend to be detective rather than preventive (i.e., they may alert management to an operational issue requiring management action)
-
When directed to a matter with financial significance a BPR may be used by management to identify misstatements that may have occurred, either due to fraud or error
-
The reliability of the information used in the BPR, as well as the frequency, precision and timeliness of review and extent of follow-up by management are considered in assessing the effectiveness of BPRs as controls relevant to the preparation of the financial statements
-
BPRs are likely to be more effective when performed using disaggregated information rather than aggregated information
-
BPRs are likely to be more effective when applied to accounts, classes of transactions or other information with predictable behaviors/correlations
See OAG Audit 5035.1 for further guidance regarding the factors that could be relevant to our evaluation of the design effectiveness of a BPR control.
Information Technology General Controls (ITGCs)
Information technology general controls (ITGCs) establish and preserve the ongoing integrity of the IT environment. ITGCs over the entity’s IT processes support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information. ITGCs address four ITGC domains:
- Program Development
- Program Changes
- Access to Programs and Data
- Computer Operations
OAG Audit 5035.2 provides further guidance on the identification and understanding of ITGCs.
Information Processing Controls
Information processing controls relate to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information).
Information processing controls can be either detective or preventive in nature and can be manual (e.g., input or output controls), automated (e.g., embedded in IT applications), or IT-dependent manual controls (e.g., manual controls that rely on system-generated information and therefore their effectiveness relies on other automated information processing or general IT controls). The greater the extent of an entity’s reliance on automated controls, or IT-dependent manual controls, in its financial reporting processes, the more important it may become for the entity to implement general IT controls that address the continued functioning of the automated and IT-dependent information processing controls.
When determining the testing approach for a control, we identify if the effectiveness of the control is dependent on an indirect control. If so, we consider whether it is necessary to also test the indirect control that may impact the design and operating effectiveness of the control we have planned to rely upon.
The operation of certain controls may rely on the use of system generated reports. In such cases, we may substantively test the reliability of the information included in the system generated reports or we may test the controls addressing the reliability of the system generated report. Guidance to assist in planning an appropriate approach for testing the reliability of system generated information is included in OAG Audit 2051.
The following are some examples of information processing controls, system generated information and other IT dependencies:
Information processing controls | System generated information and other IT dependencies used in the execution of the controls |
---|---|
An exception report of unbilled shipments is reviewed and items that remain unbilled for a predetermined amount of time are investigated and resolved on a timely basis. |
|
Manual review for reasonableness of assumptions, mathematical accuracy, and completeness and accuracy of data inputs and approval of period-end vacation accruals journal entry is performed before the journal entry is posted |
|
Manual review of the goods received not invoiced account is performed. Unusual and/or all aged goods received not invoiced items are investigated and resolved on a timely basis. |
|
CAS Guidance
The entity’s system of internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their achievement is affected by the inherent limitations of internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in the entity’s system of internal control can occur because of human error. For example, there may be an error in the design of, or in the change to, a control. Equally, the operation of a control may not be effective, such as where information produced for the purposes of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action (CAS 315.Appendix 3.22).
Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of controls. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in an IT application that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled (CAS 315.Appendix 3.23).
Further, in designing and implementing controls, management may make judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume (CAS 315.Appendix 3.24).
OAG Guidance
Because of the unique position of management, we need to consider the possibility that they override the entity’s internal controls. OAG Audit 5508 provides additional guidance regarding management override of controls.
As discussed in OAG Audit 5503 certain characteristics of the entity’s system of internal control, individually or collectively, provide an indication of fraud and therefore warrant further consideration when performing a fraud risk assessment. It is important that when we obtain our understanding of the system of internal control, we remain alert to any indicators of fraud and exercise professional skepticism and challenge management’s views and assessment of risks, where necessary.
When obtaining an understanding of the entity’s system of internal control we also need to be alert to the evolving global circumstances in the environment the entity operates. Rapid changes such as a need to switch to remote working practices due to pandemic or increased cybersecurity threats may highlight previously unidentified internal control deficiencies or may require changes in the design of internal controls in order for them to remain effective. OAG Audit 5035.2 provides additional guidance related to the impact of cybersecurity risks on our risk assessment.
Example: During the current period the entity’s personnel are required to work remotely due to an ongoing health crisis. As a result, the design and operation of some internal controls need to change or will no longer be as effective. We have evaluated the design and tested the operating effectiveness of controls, on which we plan to rely, through the first nine months of the audit period and planned to perform more limited update testing for the last three months of the audit period. This may no longer be an effective approach if the design of the controls has changed by virtue of the control operator now working remotely during the last three months. If the design of the control has not changed, the control operator working remotely may indicate that the design and/or operation of the control during the last three months of the audit period is not effective. In this latter circumstance, our planned audit response will likely require revision to obtain more substantive audit evidence since we cannot rely on the control for audit evidence at least in the last three months of the audit period. We also need to remain aware of how an entity’s personnel working remotely may have necessitated changes to the entity’s IT General Controls and/or other system changes that may create new IT risks relevant to the audit. For example, remote access rights may need to be granted to employees who previously had no such rights. If not implemented properly, these expanded remote access rights may increase the risk of unauthorized system access. In this case, we may need to update our risk assessment and audit strategy and plan, possibly including a revision to our planned reliance on IT General Controls. Another potential impact of personnel working remotely is an increased risk of fraud, including management override, resulting from the changes in internal control in ways that may involve less direct supervision of the entity’s staff, greater access authority and/or a lack of segregation of duties. The risk of fraud can result in a misstatement through actions taken after the end of the audit period (e.g., post year end journal entries). |
CAS Guidance
The auditor’s understanding of the entity’s system of internal control is obtained through risk assessment procedures performed to understand and evaluate each of the components of the system of internal control as set out in paragraphs 21 to 27 (CAS 315.A90).
The components of the entity’s system of internal control for the purpose of this CAS may not necessarily reflect how an entity designs, implements and maintains its system of internal control, or how it may classify any particular component. Entities may use different terminology or frameworks to describe the various aspects of the system of internal control. For the purpose of an audit, auditors may also use different terminology or frameworks provided all the components described in this CAS are addressed (CAS 315.A91).
In evaluating the effectiveness of the design of controls and whether they have been implemented the auditor’s understanding of each of the components of the entity’s system of internal control provides a preliminary understanding of how the entity identifies business risks and how it responds to them. It may also influence the auditor’s identification and assessment of the risks of material misstatement in different ways. This assists the auditor in designing and performing further audit procedures, including any plans to test the operating effectiveness of controls. For example (CAS 315.A95):
The auditor’s understanding of the entity’s control environment, the entity’s risk assessment process, and the entity’s process to monitor controls components are more likely to affect the identification and assessment of risks of material misstatement at the financial statement level.
The auditor’s understanding of the entity’s information system and communication, and the entity’s control activities component, are more likely to affect the identification and assessment of risks of material misstatement at the assertion level.
The controls in the control environment, the entity’s risk assessment process and the entity’s process to monitor the system of internal control are primarily indirect controls (i.e., controls that are not sufficiently precise to prevent, detect or correct misstatements at the assertion level but which support other controls and may therefore have an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis). However, some controls within these components may also be direct controls (CAS 315.A96).
The control environment provides an overall foundation for the operation of the other components of the system of internal control. The control environment does not directly prevent, or detect and correct, misstatements. It may, however, influence the effectiveness of controls in the other components of the system of internal control. Similarly, the entity’s risk assessment process and its process for monitoring the system of internal control are designed to operate in a manner that also supports the entire system of internal control (CAS 315.A97).
Because these components are foundational to the entity’s system of internal control, any deficiencies in their operation could have pervasive effects on the preparation of the financial statements. Therefore, the auditor’s understanding and evaluations of these components affect the auditor’s identification and assessment of risks of material misstatement at the financial statement level, and may also affect the identification and assessment of risks of material misstatement at the assertion level. Risks of material misstatement at the financial statement level affect the auditor’s design of overall responses, including, as explained in CAS 330, an influence on the nature, timing and extent of the auditor’s further procedures (CAS 315.A98).
OAG Guidance
As explained in CAS 315.A95 obtaining an understanding of the entity’s system of internal control provides us with a preliminary understanding of how the entity identifies business risks and how it responds to them. Having this understanding of the areas where management believes their business risks require a response can help us to: (a) identify and assess the risks of material misstatement due to error or fraud and (b) determine the nature, timing and extent of further audit procedures (inclusive of tests of controls and substantive procedures). Having an understanding of how management views business risks can assist us in identifying and concentrating our audit work on areas where material misstatements are reasonably possible.
As highlighted above, our focus for obtaining an understanding of the entity’s system of internal control in a financial statement audit is to identify and assess risks of material misstatement and to design appropriate audit procedures to respond to the identified risks. In order to do this we identify controls within the control activities component that address identified risks of material misstatement at the assertion level relating to financial reporting, compliance with laws and regulations and business operations.
OAG Audit 5035.1 provides guidance on areas where various CASs in addition to CAS 315.26(a) (e.g., CAS 402 or CAS 600) require us to identify controls which we then determine whether or not represent controls in the control activities component.
When obtaining our understanding of the entity’s system of internal control we start with the control environment which sets the tone of an organization, influencing the control consciousness of its people and provides the overall foundation for the operation of the components of the entity’s system of internal control. Once we have an understanding of the entity’s control environment, we identify controls within the entity’s risk assessment process, the entity’s process to monitor the system of internal control and information systems and communication (including business processes) relevant to the preparation of the financial statements. This process allows us to identify controls within these components that are relevant to the preparation of the financial statements and address risks of material misstatements. If we identify controls that address risks of material misstatement at the assertion level and we consider it to be a control within the control activities component we evaluate their design effectiveness and implementation. If we find that these controls have been designed effectively and implemented as designed, we consider whether it would be effective and efficient to test the operating effectiveness of any of these controls.
We use professional judgment to determine whether the extent of the understanding that has been obtained is sufficient to identify and assess the risks of material misstatement and to design and perform further audit procedures, including whether to test the operating effectiveness of selected controls and the extent of substantive testing. Additional guidance related to the extent of understanding and evaluation of each of the components of internal control is included in the following sections:
OAG Audit 5032—Control environment
OAG Audit 5033—The entity’s risk assessment process
OAG Audit 5034—The information system and communication
OAG Audit 5035—Control activities
OAG Audit 5036—The entity’s process to monitor the system of internal control
When performing group audits, appropriate consideration is necessary at the component entity level for each of the internal control components. Depending on the circumstances of the group entity we might be able to evaluate some of the components of the entity’s system of internal control (e.g., control environment, entity’s risk assessment process) at the group entity level. This would typically be most effective when the processes are performed by centralized group functions such as monitoring of controls or risk assessment activities performed by the group internal audit function. When such evaluation is obtained by the component auditors it would still be expected that they evaluate the shared evidence in the context of their entity circumstances (e.g., component entity is subject to a statutory audit for which there is a separate management risk assessment process). When serving as a component auditor on a group engagement, consider requesting information from the group engagement team as to the design of controls that are expected to operate throughout the entities in the group.
Related guidance
OAG Audit 5037 provides further guidance on the impact of identified control deficiencies within the entity’s system of internal control.
OAG Audit 5040 provides guidance on the identification and assessment of risk of material misstatement.
CAS Guidance
The way in which the entity’s system of internal control is designed, implemented and maintained varies with an entity’s size and complexity. For example, less complex entities may use less structured or simpler controls (i.e., policies and procedures) to achieve their objectives (CAS 315.A92).
OAG Guidance
Although internal controls in less complex entities may be less formal and less structured, such entities can still have a system of internal control that is effective for its circumstances.
Many entities have robust controls, but the level of evidence retained to support the implementation (and operating effectiveness) of their controls may be less formal. This does not make these systems of internal control less effective. In less complex entities where formal, documented evidence about the direct operation of a control may not exist or be substantially limited, alternative forms of evidence such as those included below may be considered:
-
Minutes of meetings (e.g. minutes taken by finance department personnel attending a periodic budget to actual review meeting).
-
Exception reports (e.g. retained copies of exception reports with supporting documentation for resolution of exceptions stapled to the report combined with robust inquiry of the personnel responsible for resolving the exceptions).
-
Written explanations, checkmarks or other indications of follow-up (e.g. checkmarks or written notes on a report combined with robust inquiry of the personnel denoting the checkmarks or written notes).
-
Controls manuals (e.g. documented policies and procedures).
-
Internal memoranda or other internal correspondence (e.g. emails).
-
Checklists (e.g. standard listing of monthly reconciliations to perform).
-
Emails with questions/responses providing evidence of a review.
-
Observation of the performance of the control.
-
Evidence of resolution of exceptions, approvals, etc. retained within the entity’s systems.
-
Other information developed by, or available to us, to reach conclusions through valid reasoning.
Related Guidance
See further guidance on the scalability of understanding and evaluation of entity’s system of internal control:
OAG Audit 5032—Control environment – Scalability
OAG Audit 5033—The entity’s risk assessment process – Scalability
OAG Audit 5034—The information system and communication – Scalability
OAG Audit 5035.6—Control activities – Scalability
OAG Audit 5036—The entity’s process to monitor the system of internal control – Scalability
CAS Guidance
Auditors of public sector entities often have additional responsibilities with respect to internal control, for example, to report on compliance with an established code of practice or reporting on spending against budget. Auditors of public sector entities may also have responsibilities to report on compliance with law, regulation or other authority. As a result, their considerations about the system of internal control may be broader and more detailed (CAS 315.A93).