5032 Components of internal control—Control environment

Sep-2022

CAS Guidance

Audit evidence for the auditor's understanding of the control environment may be obtained through a combination of inquiries and other risk assessment procedures (i.e., corroborating inquiries through observation or inspection of documents) (CAS 315.A101).

In considering the extent to which management demonstrates a commitment to integrity and ethical values, the auditor may obtain an understanding through inquiries of management and employees, and through considering information from external sources, about (CAS 315.A102):

• How management communicates to employees its views on business practices and ethical behavior; and

• Inspecting management's written code of conduct and observing whether management acts in a manner that supports that code.

The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s system of internal control and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people and provides the overall foundation for the operation of the components of the entity’s system of internal control (CAS 315.Appendix 3.4).

An entity’s control consciousness is influenced by those charged with governance, because one of their roles is to counterbalance pressures on management in relation to financial reporting that may arise from market demands or remuneration schemes. The effectiveness of the design of the control environment in relation to participation by those charged with governance is therefore influenced by such matters as (CAS 315.Appendix 3.5):

• Their independence from management and their ability to evaluate the actions of management.

• Whether they understand the entity’s business transactions.

• The extent to which they evaluate whether the financial statements are prepared in accordance with the applicable financial reporting framework, including whether the financial statements include adequate disclosures.

The control environment encompasses the following elements (CAS 315.Appendix 3.6):

1. How management’s responsibilities are carried out, such as creating and maintaining the entity’s culture and demonstrating management’s commitment to integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical behavior are the product of the entity’s ethical and behavioral standards or codes of conduct, how they are communicated (e.g., through policy statements), and how they are reinforced in practice (e.g., through management actions to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts). The communication of entity policies on integrity and ethical values may include the communication of behavioral standards to personnel through policy statements and codes of conduct and by example.

2. When those charged with governance are separate from management, how those charged with governance demonstrate independence from management and exercise oversight of the entity’s system of internal control. An entity’s control consciousness is influenced by those charged with governance. Considerations may include whether there are sufficient individuals who are independent from management and objective in their evaluations and decision-making; how those charged with governance identify and accept oversight responsibilities and whether those charged with governance retain oversight responsibility for management’s design, implementation and conduct of the entity’s system of internal control. The importance of the responsibilities of those charged with governance is recognized in codes of practice and other laws and regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures.

3. How the entity assigns authority and responsibility in pursuit of its objectives. This may include considerations about:

   • Key areas of authority and responsibility and appropriate lines of reporting;

   • Policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties; and

   • Policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

4. How the entity attracts, develops, and retains competent individuals in alignment with its objectives. This includes how the entity ensures the individuals have the knowledge and skills necessary to accomplish the tasks that define the individual’s job, such as:

   • Standards for recruiting the most qualified individuals – with an emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.

   • Training policies that communicate prospective roles and responsibilities, including practices such as training schools and seminars that illustrate expected levels of performance and behavior; and

   • Periodic performance appraisals driving promotions that demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility.

5. How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of the entity’s system of internal control. This may be accomplished through, for example:

   • Mechanisms to communicate and hold individuals accountable for performance of controls responsibilities and implement corrective actions as necessary;

   • Establishing performance measures, incentives and rewards for those responsible for the entity’s system of internal control, including how the measures are evaluated and maintain their relevance;

   • How pressures associated with the achievement of control objectives impact the individual’s responsibilities and performance measures; and

   • How the individuals are disciplined as necessary.

The appropriateness of the above matters will be different for every entity depending on its size, the complexity of its structure and the nature of its activities.

In understanding the control environment, the auditor may consider how management has responded to the findings and recommendations of the internal audit function regarding identified control deficiencies relevant to the preparation of the financial statements, including whether and how such responses have been implemented, and whether they have been subsequently evaluated by the internal audit function (CAS 315.Appendix 4.7).

CAS Guidance

The auditor’s evaluation of the control environment is based on the understanding obtained in accordance with paragraph 21(a) (CAS 315.A104).

Some entities may be dominated by a single individual who may exercise a great deal of discretion. The actions and attitudes of that individual may have a pervasive effect on the culture of the entity, which in turn may have a pervasive effect on the control environment. Such an effect may be positive or negative (CAS 315.A105).

The auditor may consider how the different elements of the control environment may be influenced by the philosophy and operating style of senior management taking into account the involvement of independent members of those charged with governance (CAS 315.A106).

Although the control environment may provide an appropriate foundation for the system of internal control and may help reduce the risk of fraud, an appropriate control environment is not necessarily an effective deterrent to fraud (CAS 315.A107).

The auditor’s evaluation of the control environment as it relates to the entity’s use of IT may include such matters as (CAS 315.A108):

• Whether governance over IT is commensurate with the nature and complexity of the entity and its business operations enabled by IT, including the complexity or maturity of the entity’s technology platform or architecture and the extent to which the entity relies on IT applications to support its financial reporting.

• The management organizational structure regarding IT and the resources allocated (for example, whether the entity has invested in an appropriate IT environment and necessary enhancements, or whether a sufficient number of appropriately skilled individuals have been employed including when the entity uses commercial software (with no or limited modifications)).

OAG Guidance

We evaluate the individual elements of the control environment with an objective of assessing whether the environment sets a tone for the organization that is conducive to the control consciousness of its people and provides the overall foundation for the operation of the other components of the entity’s system of internal control. This will normally involve inquiries of entity personnel together with examination of corresponding documentation that might include, for example, codes of conduct, procedural manuals, internal memos, personnel files, board and related committee minutes, internal audit reports, and management accounts and reports which may provide information that may either corroborate or contradict our preliminary understanding.

When evaluating the control environment we also consider any impacts from the entity’s use of IT. OAG Audit 5034 includes additional guidance on obtaining our understanding of the entity’s IT environment.

We collect evidence that is not biased towards corroborating our management inquiries or expectations nor do we exclude audit evidence that might be contradictory. This means that we would not only look for certain factors (policies, procedures, characteristics, attributes, etc.) that support a positive control environment, but we need to take into account all evidence available to support our evaluation as required by the standard. For example, we may consider whether the perspectives of external sources such as analyst reports or whistleblower activity provide either corroborative or contradictory information about the entity’s culture and tone.

Determining the sufficiency and appropriateness of that evidence is a matter of professional judgment. Because the control environment is foundational for the effective operation of the entity’s system of internal control, more experienced members of the engagement team would generally be involved in evaluating this component. This is because the knowledge and experience of those more experienced engagement team members can provide valuable insight that can enhance the effectiveness of our evaluation of the control environment and therefore the effectiveness and efficiency of our control testing strategy and plan at an early stage of the audit.

CAS 315 does not require us to perform an evaluation of the design and implementation of each of the individual controls within the control environment elements, and the nature and extent of our risk assessment procedures is a matter of professional judgment. As further explained below, this would depend on the engagement circumstances and in some cases in order to appropriately evaluate the control environment component as a whole and appropriately identify and assess the risks of material misstatements, procedures would need to be performed to evaluate the design and implementation of the individual controls.

Even though not required by CAS 315 when evaluating the control environment, we may decide to evaluate the design and implementation of the individual controls identified within this component. This evaluation of design and implementation may give us better insight into the entity’s system of internal control which helps us to identify and assess risks of material misstatement at a more granular level.

Designing controls, processes and structures that addresses the elements of the control environment is not enough. It is the extent to which those controls, processes and structures are applied by the entity, to provide an appropriate foundation for the other components of the entity’s system of internal control and to enable a culture of honesty and ethical behavior that is important in assessing the control environment. For example, the mere existence of a code of conduct does not evidence that it has been designed or applied in a manner that is conducive to creating an effective control environment. Depending on the size and complexity of the entity, we would also ascertain the content of the code of conduct, how the code of conduct was communicated to employees, the consistency in how it was communicated and by whom it was communicated. For a less complex entity with a limited number of employees the extent of evidence needed would generally be more limited, while for larger, more complex entities the extent of audit evidence needed would typically be higher.

In an audit of less complex entities, our evidence supporting the evaluation might be obtained through robust inquiry and observation of the application of policies and procedures by management. For example, we may identify that the entity has a human resource manual outlining its policies and procedures in order to support the fifth element of the control environment: How the entity holds individuals accountable for their responsibilities in the pursuit of the objectives of the system of internal control. Examination of the manual rarely is sufficient to conclude on the effectiveness of the controls and processes. Rather, we perform observation of individual behaviors and/or inspect documentation of accountability measures taken when individuals do not meet expectations to determine that the related policies have been implemented. When considering similar elements of the control environment for a more complex entity we might also inspect that employees received appropriate training to allow them to familiarize themselves with the policies and procedures. When relevant (e.g., for traders that act on behalf of the customers, exercising discretion over investment decisions within agreed parameters) we might also inspect customer feedback forms and annual performance summaries to consider whether individual employees are assessed using measures consistent with the entity’s stated ethical policies and expectations.

Related Guidance

OAG Audit 5011 includes further guidance on performing inquiries of management and the internal audit function.

CAS Guidance

The auditor’s evaluation of how the entity demonstrates behavior consistent with the entity’s commitment to integrity and ethical values; whether the control environment provides an appropriate foundation for the other components of the entity’s system of internal control; and whether any identified control deficiencies undermine the other components of the system of internal control, assists the auditor in identifying potential issues in the other components of the system of internal control. This is because the control environment is foundational to the other components of the entity’s system of internal control. This evaluation may also assist the auditor in understanding risks faced by the entity and therefore in identifying and assessing the risks of material misstatement at the financial statement and assertion levels (CAS 315.A103). 

OAG Guidance

Because controls identified within the control environment component are primarily indirect controls, the understanding and evaluation of this component helps us to assess risks of material misstatement primarily at the financial statement level.

The existence of an effective control environment can be a positive factor when we assess the risks of material misstatement. However, although it may help reduce the risk of fraud, a satisfactory control environment cannot, alone, prevent fraud. This is because the anti-fraud programs and controls put in place can be circumvented by collusion of two or more people or by inappropriate management override of internal control. Conversely, deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud. For example, as part of the third element of control environment (The entity’s assignment of authority and responsibility), management’s failure to commit sufficient resources to address IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or unauthorized transactions to be processed.

Example of impact of the assessment of control environment

From our understanding of the control environment we learn that the entity has human resource practices or policies that, in our judgment, are conducive to attracting, developing and retaining competent individuals. This includes having recruitment standards with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. In addition, we assessed whether the entity’s policies for communicating roles and responsibilities are conducive to holding individuals accountable for their responsibilities.

In this scenario, this conclusion, combined with our assessment of the other elements of the control environment, may contribute to determining that testing operating effectiveness of controls in specific FSLIs might be effective and efficient (i.e., we plan to achieve partial or high controls reliance to obtain audit evidence from testing of certain controls). Our assessment of the control environment and other indirect ELCs may also influence our controls testing strategy. For example, based on our assessment that the control environment is conducive to an environment for effective operation of the entity’s system of internal control, for a manual control, we may judge it sufficient to perform testing to achieve moderate assurance instead of high, or use inspection rather than reperformance as the controls testing technique.

By contrast, when we identify that the control environment within the entity is weak (e.g., identified control deficiencies undermine the other components of the entity’s system of internal control) we might conclude that testing of operating effectiveness of identified controls would not be an effective and efficient audit approach to respond to the identified risk of material misstatement. For example, this could affect our judgment when we identify that management’s attitude does not support a culture of honest and ethical behavior. We would consider the outcome of the evaluation when identifying and assessing the risks of material misstatements at the financial statement level. This would involve considering whether this weakness is indicative of a heightened risk of fraud that we would need to assess as a significant risk.

Once we identify and assess the risks impacted by the control deficiencies in the control environment, we design appropriate audit procedures, consistent with CAS 330.A1, to address the identified risks. This could result in making general changes to the nature, timing and extent of audit procedures such as performing more substantive procedures or changing the nature of the substantive procedures. For example, we might decide to:

• perform more risk based and unpredictable targeted testing,
• increase the level of additional testing performed over an untested balance.

In some circumstances we may decide to assign more experienced staff to perform the auditing procedures.

OAG Audit 5037 provides additional guidance on the impact of our determination that a component within the entity’s system of internal control is not appropriate to the nature and circumstances of the entity. It also covers the impact of identified control deficiencies on the design of further audit procedures in accordance with CAS 330.

CAS Guidance

The nature of the control environment in a less complex entity is likely to differ from a more complex entity. For example, those charged with governance in less complex entities may not include an independent or outside member, and the role of governance may be undertaken directly by the owner-manager where there are no other owners. Accordingly, some considerations about the entity’s control environment may be less relevant or may not be applicable (CAS 315.A99).

In addition, audit evidence about elements of the control environment in less complex entities may not be available in documentary form, in particular where communication between management and other personnel is informal, but the evidence may still be appropriately relevant and reliable in the circumstances (CAS 315.A100).