5031 Entity’s system of internal control and its relevance to the audit

Sep-2022

CAS Guidance

The entity’s system of internal control may be reflected in policy and procedures manuals, systems and forms, and the information embedded therein, and is effected by people. The entity’s system of internal control is implemented by management, those charged with governance, and other personnel based on the structure of the entity. The entity’s system of internal control can be applied, based on the decisions of management, those charged with governance or other personnel and in the context of legal or regulatory requirements, to the operating model of the entity, the legal entity structure, or a combination of these (CAS 315.Appendix 3.1).

Included within the entity’s system of internal control are aspects that relate to the entity’s reporting objectives, including its financial reporting objectives, but it may also include aspects that relate to its operations or compliance objectives, when such aspects are relevant to financial reporting (CAS 315.Appendix 3.3).

Example: Controls over compliance with laws and regulations may be relevant to financial reporting when such controls are relevant to the entity’s preparation of disclosures of contingencies in the financial statements.

Controls are embedded within the components of the entity’s system of internal control (CAS 315.A2).

Policies are implemented through the actions of personnel within the entity, or through the restraint of personnel from taking actions that would conflict with such policies (CAS 315.A3).

Procedures may be mandated, through formal documentation or other communication by management or those charged with governance, or may result from behaviors that are not mandated but are rather conditioned by the entity’s culture. Procedures may be enforced through the actions permitted by the IT applications used by the entity or other aspects of the entity’s IT environment (CAS 315.A4).

Controls may be direct or indirect. Direct controls are controls that are precise enough to address risks of material misstatement at the assertion level. Indirect controls are controls that support direct controls (CAS 315.A5).

Risks to the integrity of information arise from susceptibility to ineffective implementation of the entity’s information policies, which are policies that define the information flows, records and reporting processes in the entity’s information system. Information processing controls are procedures that support effective implementation of the entity’s information policies. Information processing controls may be automated (i.e., embedded in IT applications) or manual (e.g., input or output controls) and may rely on other controls, including other information processing controls or general IT controls (CAS 315.A6).

OAG Guidance

Internal Control—integrated framework

The CAS internal control framework is similar to the one used in the COSO framework, published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (Internal Control—Integrated Framework) in 2013.

The COSO framework addresses the entity’s business operations, their need to prepare reliable reports and financial statements, and compliance with laws and regulations to which the entity is subject. These overlapping high level internal control objectives can be applied to the entity’s different business activities and management units, as illustrated below:

While the COSO framework considers overall reporting, our primary focus is on the financial reporting area.

In order to understand how management has designed and implemented internal control over financial reporting, we obtain an understanding of the various types of controls (i.e., policies or procedures to achieve the control objectives of management or those charged with governance) and processes that are embedded within each of the five components of the entity’s system of internal control. These are further discussed in:

• Control environment OAG Audit 5032.
• Risk assessment OAG Audit 5033.
• Information and communication OAG Audit 5034.
• Control activities OAG Audit 5035.
• Monitoring activities OAG Audit 5036.

Each of the five internal control components is relevant to the entity’s financial reporting objectives (i.e., to provide financial information about the entity that is useful to decision making by its stakeholders) and the components of internal control are relevant to every level of the organization (i.e. at the entity, group, division, operating unit, subsidiary and/or business process level).

Even though the COSO control framework may help management to design, implement and maintain effective internal control over financial reporting, it does not prescribe any specific controls that need to be designed and operated effectively for an entity to have an effective system of internal control. For the purposes of our audit, we focus on whether and how management has implemented control activities embedded within business processes relevant to preparation of financial statements (i.e., information processing controls) and general IT controls (ITGCs)) with a level of precision to prevent or detect and correct on a timely basis a misstatement that could be material to the financial statements. These controls identified in the information system and communication and control activities components are therefore more likely to affect the identification and assessment of risks of material misstatement at the assertion level. Further, processes and controls embedded within the other components of internal control would have an important effect on the design and operation of control activities, but they would only have an indirect effect on the likelihood that a misstatement is detected or prevented and corrected on a timely basis and, as a result, are more likely to affect the identification of risks of material misstatement at the financial statement level. Therefore, an entity’s system of internal control over financial reporting usually has a substantially larger number of control activities that operate at the transaction level than controls that operate in the other components of internal control.

The internal control components, excluding control activities, may have fewer tangible elements or controls such as “tone at the top.” Consequently, these components are more judgmental in nature but this is not intended to suggest that these components are any less important than control activities. The internal control components of the internal control framework may have a pervasive effect on the overall system of control activities, therefore we typically understand and evaluate them and, where applicable, begin to test their operating effectiveness earlier in the audit process.

Types of controls

OAG Audit recognizes different types of controls that we can expect to identify in the entity’s system of internal control:

• Preventative vs detective controls
• Indirect vs direct controls
• Entity-level controls
• Business performance reviews
• Information technology general controls
• Information processing controls

Preventive vs. detective controls

Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors or fraud that has already occurred and correcting them to avoid a misstatement of the financial statements.

The following are some examples of detective and preventive controls:

Preventive	Detective
System automatically populates costs in the purchase order based on the approved vendor price master file for the applicable inventory SKU number entered	Payments recorded in the general ledger are reconciled to the check register to ensure that all disbursements are recorded accurately and in the correct period. Differences are investigated and resolved on a timely basis.
System automatically calculates payroll related accruals	The payroll manager reviews the payroll register prior to payment distribution. Unusual items are investigated and resolved on a timely basis.
Open sales orders (not shipped/invoiced) are investigated and resolved on a daily basis	Cash receipts are recorded upon receipt and applied to customer accounts/invoices via remittance advice. A system generated exception report is reviewed to identify cash receipts without remittance advices. Differences are investigated and resolved on a timely basis.
Purchase orders for more than a defined monetary threshold are reviewed and require evidence of approval by the entity’s controller before the order can be submitted to the entity’s vendor or processed in the entity’s ERP system	Approved purchase orders in excess of a defined value are reviewed by the supervisor on a timely basis who follows up with the approver to resolve any questions that arise.

Some controls can be designed in a way that have both preventive and detective characteristics. Some IT applications, especially for newer or emerging technologies, can include ’real time’ controls designed to avoid creating a ’hard stop’ that interrupts business operations, while enabling controls that support the business (see example below). When understanding and evaluating the design of the entity’s control we consider both preventive and detective characteristics of the control to the extent they are responsive to the identified risk of material misstatement.

Example: An entity has a purchase order approval policy with defined approval thresholds. Within the policy members of the purchase team are allowed to initiate orders up to the defined monetary threshold without additional approval. A detective control requires that all purchase orders exceeding the defined monetary threshold up to a maximum of 150% of the original limit be approved by the supervisor. When such an order is initiated the system automatically sends a communication to the supervisor to review the purchase order and retrospectively approve, or to follow up if required. A preventive control does not allow purchase team members to initiate orders exceeding 150% of the original limit without preapproval from the supervisor.

Indirect controls

Indirect controls work to support direct controls and therefore have only an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis. Indirect controls are not sufficiently precise to prevent, detect or correct misstatements at the assertion level by themselves. Indirect controls are typically implemented within the control environment, risk assessment process or process to monitor the system of internal control component of an entity’s system of internal control.

Examples of indirect controls may include:

• Communication and enforcement of integrity and ethical values
• Human resource policies and procedures
• Delegation of authority matrices used to establish appropriate authorization hierarchies
• Controls over the completeness and accuracy of a report used in monitoring the entity's system of internal controls.

Direct controls

Direct controls, when designed and operating effectively and at a sufficient level of precision, can adequately prevent, or detect and correct on a timely basis, material misstatements at the assertion level.

We ordinarily identify direct controls within the information system and communication and the control activities components of an entity’s system of internal control.

Entity-level controls

Entity level controls (ELCs) operate at the entity level and can be direct and indirect in nature. Some entity level controls (e.g., controls identified within the control environment component of the entity’s system of internal control) have an important, but indirect, role in addressing the risks of material misstatement at the assertion level. Such controls are called Indirect ELCs. Indirect ELCs could have an impact across more than one business process and are considered when evaluating the effectiveness of transaction level or direct entity level controls at the transaction level within a business process.

Some entity level controls might however be designed to operate at a level of precision that would address risks of material misstatement at the assertion level (e.g., business performance reviews). Such controls are called Direct ELCs.

OAG Audit 5035.1 provides further guidance on the audit evidence provided by ELCs.

Business performance reviews (BPRs)

Business performance reviews (BPRs) are one form of direct ELCs. BPRs include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance. The following are some of the characteristics we consider when obtaining an understanding of BPRs:

• The primary purpose of BPRs is to assist management with monitoring business operations and decision-making. BPRs tend to be detective rather than preventive (i.e., they may alert management to an operational issue requiring management action)

• When directed to a matter with financial significance a BPR may be used by management to identify misstatements that may have occurred, either due to fraud or error

• The reliability of the information used in the BPR, as well as the frequency, precision and timeliness of review and extent of follow-up by management are considered in assessing the effectiveness of BPRs as controls relevant to the preparation of the financial statements

• BPRs are likely to be more effective when performed using disaggregated information rather than aggregated information

• BPRs are likely to be more effective when applied to accounts, classes of transactions or other information with predictable behaviors/correlations

See OAG Audit 5035.1 for further guidance regarding the factors that could be relevant to our evaluation of the design effectiveness of a BPR control.

Information Technology General Controls (ITGCs)

Information technology general controls (ITGCs) establish and preserve the ongoing integrity of the IT environment. ITGCs over the entity’s IT processes support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information. ITGCs address four ITGC domains:

• Program Development
• Program Changes
• Access to Programs and Data
• Computer Operations

OAG Audit 5035.2 provides further guidance on the identification and understanding of ITGCs.

Information Processing Controls

Information processing controls relate to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information).

Information processing controls can be either detective or preventive in nature and can be manual (e.g., input or output controls), automated (e.g., embedded in IT applications), or IT-dependent manual controls (e.g., manual controls that rely on system-generated information and therefore their effectiveness relies on other automated information processing or general IT controls). The greater the extent of an entity’s reliance on automated controls, or IT-dependent manual controls, in its financial reporting processes, the more important it may become for the entity to implement general IT controls that address the continued functioning of the automated and IT-dependent information processing controls.

When determining the testing approach for a control, we identify if the effectiveness of the control is dependent on an indirect control. If so, we consider whether it is necessary to also test the indirect control that may impact the design and operating effectiveness of the control we have planned to rely upon.

The operation of certain controls may rely on the use of system generated reports. In such cases, we may substantively test the reliability of the information included in the system generated reports or we may test the controls addressing the reliability of the system generated report. Guidance to assist in planning an appropriate approach for testing the reliability of system generated information is included in OAG Audit 2051.

The following are some examples of information processing controls, system generated information and other IT dependencies:

Information processing controls	System generated information and other IT dependencies used in the execution of the controls
An exception report of unbilled shipments is reviewed and items that remain unbilled for a predetermined amount of time are investigated and resolved on a timely basis.	The exception report used in the control is generated from the entity’s ERP system. The direct control is a manual IT dependent control that relies upon the entity’s controls over the accuracy and completeness of the information included in the exception report.
Manual review for reasonableness of assumptions, mathematical accuracy, and completeness and accuracy of data inputs and approval of period-end vacation accruals journal entry is performed before the journal entry is posted	The Systems ERP system automatically calculates payroll related accruals The direct control is a manual IT dependent control that relies upon the entity’s controls over the completeness and accuracy of the system information comprising approved vacation hours and pay rates.
Manual review of the goods received not invoiced account is performed. Unusual and/or all aged goods received not invoiced items are investigated and resolved on a timely basis.	Goods received not invoiced are listed in an exception report generated from the entity’s ERP system. The direct control is a manual IT dependent control that relies upon the entity’s controls over the accuracy and completeness of the information included in the exception report.