5036 Components of internal control—The entity’s process to monitor the system of internal controls
Sep-2022

Understanding of the entity’s process to monitor the system of internal controls

CAS Requirement

The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.24):

(a) Understanding those aspects of the entity’s process that address:

(i)  Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and remediation of control deficiencies identified; and

CAS Guidance

Matters that may be relevant for the auditor to consider when understanding how the entity monitors its system of internal control include (CAS 315.A116):

  • The design of the monitoring activities, for example whether it is periodic or ongoing monitoring;

  • The performance and frequency of the monitoring activities;

  • The evaluation of the results of the monitoring activities, on a timely basis, to determine whether the controls have been effective; and

  • How identified deficiencies have been addressed through appropriate remedial actions, including timely communication of such deficiencies to those responsible for taking remedial action.

The auditor may also consider how the entity’s process to monitor the system of internal control addresses monitoring information processing controls that involve the use of IT. This may include, for example (CAS 315.A117):

  • Controls to monitor complex IT environments that:

    • Evaluate the continuing design effectiveness of information processing controls and modify them, as appropriate, for changes in conditions; or

    • Evaluate the operating effectiveness of information processing controls.

  • Controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties.

  • Controls that monitor how errors or control deficiencies related to the automation of financial reporting are identified and addressed.

The entity’s process to monitor the system of internal control is a continual process to evaluate the effectiveness of the entity’s system of internal control, and to take necessary remedial actions on a timely basis. The entity’s process to monitor the entity’s system of internal control may consist of ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and may include regular management and supervisory activities. The entity’s process will likely vary in scope and frequency depending on the assessment of the risks by the entity. (CAS 315.Appendix 3.10).

Controls related to the entity’s process to monitor the entity’s system of internal control, including those that monitor underlying automated controls, may be automated or manual, or a combination of both. For example, an entity may use automated monitoring controls over access to certain technology with automated reports of unusual activity to management, who manually investigate identified anomalies (CAS 315.Appendix 3.12).

When distinguishing between a monitoring activity and a control related to the information system, the underlying details of the activity are considered, especially when the activity involves some level of supervisory review. Supervisory reviews are not automatically classified as monitoring activities and it may be a matter of judgment whether a review is classified as a control related to the information system or a monitoring activity. For example, the intent of a monthly completeness control would be to detect and correct errors, where a monitoring activity would ask why errors are occurring and assign management the responsibility of fixing the process to prevent future errors. In simple terms, a control related to the information system responds to a specific risk, whereas a monitoring activity assesses whether controls within each of the five components of the entity’s system of internal control are operating as intended (CAS 315.Appendix 3.13).

OAG Guidance

Ongoing monitoring of activities

Ongoing monitoring of activities (controls) is built into the normal recurring activities of an entity, at either the entity level or business process level, and includes regular management and supervisory activities focused on the operating effectiveness of the control.

Example:

A staff accountant is responsible for reconciling the Rebates Receivable account on a monthly basis. The Assistant Controller reviews the reconciliations prepared by the staff accountant to ensure that the reconciliation is performed and appropriately prepared and that appropriate follow-up is performed to address reconciling items (i.e., the objective of the ongoing monitoring activity performed by the Assistant Controller is to determine that the reconciliation control is being executed effectively).

Ongoing monitoring activities may use information obtained from external third parties. Guidance on understanding the sources of information used in the entity’s process to monitor the system of internal control is included in the block Understanding of the sources of information used.

Business performance reviews (BPRs) are a form of ongoing monitoring and they are relevant to two of the components of internal controls: monitoring the system of internal controls and control activities. See OAG Audit 5035.1 for further guidance regarding the factors that could be relevant to our evaluation of the design effectiveness of a BPR control.

Separate evaluations (Periodic monitoring)

The purpose of separate evaluations is to periodically monitor the effectiveness of the entity’s system of internal control, and to take necessary remedial actions on a timely basis. Separate evaluations are often performed by the internal audit function (see OAG Audit 6031 for further guidance on how internal audit acts as a control) but can be performed by other functions where an internal audit function does not exist. This evaluation can be performed at the request of those charged with governance/Audit Committee, senior management, or business unit and divisional executives. These periodic evaluations provide information about the functioning of internal controls, and result in communication about strengths and deficiencies in internal control and recommendations for improving internal control, as applicable.

Example:

Additional supervisory reviews over customer warranty claims related to a new product might be instituted for a temporary period as a periodic monitoring control. Monitoring of the control might include the internal audit department visiting the claims department to review some of the claims being processed for the new product to determine whether the processes and controls for review and approval of customer warranty claims are designed and operating effectively. The decision to engage the internal audit department might be made by the claims process owner, or it might be made at a more senior level of management.

When obtaining the understanding of how the entity monitors its system of internal control, we also consider how any identified deficiencies are being communicated to those responsible for taking remedial actions and whether the actions taken are appropriate. An example of such communication could be management communicating the identified deficiencies to the Audit Committee (or equivalent function). We would typically be able to further understand the remedial actions communicated and any remedial actions planned by attending the meeting, performing additional inquiries of the Audit Committee members and/or inspecting the minutes of the meetings where the deficiencies and planned remedial actions were discussed.

Understanding of the entity’s internal audit

CAS Requirement

The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.24):

(a) Understanding those aspects of the entity’s process that address:

(ii) The entity’s internal audit function, if any, including its nature, responsibilities and activities;

CAS Guidance

The auditor’s inquiries of appropriate individuals within the internal audit function help the auditor obtain an understanding of the nature of the internal audit function’s responsibilities. If the auditor determines that the function’s responsibilities are related to the entity’s financial reporting, the auditor may obtain further understanding of the activities performed, or to be performed, by the internal audit function by reviewing the internal audit function’s audit plan for the period, if any, and discussing that plan with the appropriate individuals within the function. This understanding, together with the information obtained from the auditor’s inquiries, may also provide information that is directly relevant to the auditor’s identification and assessment of the risks of material misstatement. If, based on the auditor’s preliminary understanding of the internal audit function, the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed, CAS 610 applies (CAS 315.A118).

The objectives and scope of internal audit functions typically include activities designed to evaluate or monitor the effectiveness of the entity’s system of internal control. The entity’s process to monitor the entity’s system of internal control may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal department’s oversight of compliance with the entity’s ethical or business practice policies. Monitoring is done also to ensure that controls continue to operate effectively over time. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them (CAS 315.Appendix 3.11).

The objectives and scope of an internal audit function, the nature of its responsibilities and its status within the organization, including the function’s authority and accountability, vary widely and depend on the size, complexity and structure of the entity and the requirements of management and, where applicable, those charged with governance. These matters may be set out in an internal audit charter or terms of reference (CAS 315.Appendix 4.1).

The responsibilities of an internal audit function may include performing procedures and evaluating the results to provide assurance to management and those charged with governance regarding the design and effectiveness of risk management, the entity’s system of internal control and governance processes. If so, the internal audit function may play an important role in the entity’s process to monitor the entity’s system of internal control. However, the responsibilities of the internal audit function may be focused on evaluating the economy, efficiency and effectiveness of operations and, if so, the work of the function may not directly relate to the entity’s financial reporting (CAS 315.Appendix 4.2).

If the entity has an internal audit function, inquiries of the appropriate individuals within the function may provide information that is useful to the auditor in obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control, and in identifying and assessing risks of material misstatement at the financial statement and assertion levels. In performing its work, the internal audit function is likely to have obtained insight into the entity’s operations and business risks, and may have findings based on its work, such as identified control deficiencies or risks, that may provide valuable input into the auditor’s understanding of the entity and its environment, the applicable financial reporting framework, the entity’s system of internal control, the auditor’s risk assessments or other aspects of the audit. The auditor’s inquiries are therefore made whether or not the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed. Inquiries of particular relevance may be about matters the internal audit function has raised with those charged with governance and the outcomes of the function’s own risk assessment process (CAS 315.Appendix 4.3).

If the nature of the internal audit function’s responsibilities and assurance activities are related to the entity’s financial reporting, the auditor may also be able to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the auditor in obtaining audit evidence. Auditors may be more likely to be able to use the work of an entity’s internal audit function when it appears, for example, based on experience in previous audits or the auditor’s risk assessment procedures, that the entity has an internal audit function that is adequately and appropriately resourced relative to the complexity of the entity and the nature of its operations, and has a direct reporting relationship to those charged with governance (CAS 315.Appendix 4.8).

As is further discussed in CAS 610, the activities of an internal audit function are distinct from other monitoring controls that may be relevant to financial reporting, such as reviews of management accounting information that are designed to contribute to how the entity prevents or detects misstatements (CAS 315.Appendix 4.10).

Establishing communications with the appropriate individuals within an entity’s internal audit function early in the engagement, and maintaining such communications throughout the engagement, can facilitate effective sharing of information. It creates an environment in which the auditor can be informed of significant matters that may come to the attention of the internal audit function when such matters may affect the work of the auditor. CAS 200 discusses the importance of the auditor planning and performing the audit with professional skepticism, including being alert to information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence. Accordingly, communication with the internal audit function throughout the engagement may provide opportunities for internal auditors to bring such information to the auditor’s attention. The auditor is then able to take such information into account in the auditor’s identification and assessment of risks of material misstatement (CAS 315.Appendix 4.11).

OAG Guidance

Understanding the responsibilities, tasks, and position of the internal audit (or equivalent) function within the entity, combined with inquiries of members of the internal audit function, provides information that can help supplement our risk assessment procedures.

We may consider the following when developing our understanding of the internal audit function:

  • What is the internal audit function’s mandate (internal audit charter) as prescribed by the audit committee?

  • What is the internal audit function’s position in the entity’s organization? For example, does the function report directly to the audit committee or those charged with governance?

  • How is the internal audit function structured internally in relation to the entity’s organization and business activities?

  • Does the internal audit function perform any control activities that may be considered to be part of the entity’s daily operations rather than objectively monitoring those activities?

  • Does the internal audit function have sufficient personnel and other resources to carry out its responsibilities effectively?

We may also consider performing the following to enhance our understanding of the internal audit function:

  • Attending audit committee meetings.

  • Reviewing the meeting minutes to understand the issues raised by the internal audit (or equivalent) function.

  • Reviewing the internal audit (or equivalent) function’s audit plan for the period, if any, and discussing that plan with the appropriate individuals within the function.

  • Considering our knowledge and experience from working with the internal audit function in prior-year audits in assessing the relevance of internal audit activities.

The results of our inquiries of management and the internal audit (or equivalent) personnel contribute to our understanding of the internal audit (or equivalent) function. Refer to OAG Audit 5011 for guidance on performing inquiries of internal audit (or equivalent) personnel and examples of documents we might review to prepare for our inquiries (e.g., Internal Audit reports summarizing control deficiencies identified).

Related guidance:

Refer to OAG Audit 6030 for guidance when we plan to use the work of the internal audit (or equivalent) function.

Scalability

CAS Guidance

In less complex entities, and in particular owner‑manager entities, the auditor’s understanding of the entity’s process to monitor the system of internal control is often focused on how management or the owner‑manager is directly involved in operations, as there may not be any other monitoring activities (CAS 315.A114).

For entities where there is no formal process for monitoring the system of internal control, understanding the process to monitor the system of internal control may include understanding periodic reviews of management accounting information that are designed to contribute to how the entity prevents or detects misstatements (CAS 315.A115).

OAG Guidance

In a less complex entity, there may be a lower level of formality and/or documentation for the monitoring of controls. Often these entities won’t have an internal audit function or otherwise perform separate evaluations of controls. However, these entities are likely to perform some form of ongoing monitoring, and there may be business performance reviews, even though they are likely to be more informal. If this is the case we may still be able to obtain an understanding of the entity’s monitoring of controls and evaluate the component through observation and inquiry.

Related guidance:

See OAG Audit 5035.6 for guidance on considerations regarding scalability in control activities.
Refer to OAG Audit 5035.1 for guidance on considerations specific to business performance reviews.

Understanding of the sources of information used

CAS Requirement

The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.24):

(b) Understanding the sources of the information used in the entity’s process to monitor the system of internal control, and the basis upon which management considers the information to be sufficiently reliable for the purpose;

CAS Guidance

Management’s monitoring activities may use information in communications from external parties such as customer complaints or regulator comments that may indicate problems or highlight areas in need of improvement (CAS 315.A119).

The auditor’s understanding of the sources of information used by the entity in monitoring the entity’s system of internal control, including whether the information used is relevant and reliable, assists the auditor in evaluating whether the entity’s process to monitor the entity’s system of internal control is appropriate. If management assumes that information used for monitoring is relevant and reliable without having a basis for that assumption, errors that may exist in the information could potentially lead management to draw incorrect conclusions from its monitoring activities (CAS 315.A120).

Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of the entity’s system of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider in performing monitoring activities any communications relating to the entity’s system of internal control from external auditors (CAS 315.Appendix 3.14).

OAG Guidance

When understanding and evaluating the entity’s process to monitor the system of internal controls, we need to understand the sources of information used by management in the process. The information used can be internally generated or obtained from external sources. The following table includes examples of sources of information that can be used in the entity’s process to monitor the system of internal control:

Internal sources:

  • Segregation of duties conflicts report obtained from the entity’s IT applications

  • Automated reports of unusual activity in the entity’s IT applications (e.g., changes to the vendor/client master file)

  • Documentation of execution of manual controls (e.g., monthly subledger reconciliations)

  • Internal audit reports summarizing the results of the periodic evaluations

  • Compliance reports summarizing the status of annual training requirements by employees executing controls

  • Quality assurance reports on production defects or warranty claims

  • Budgets and forecasts developed by management

External sources:

  • Customer complaints raised through the customer service hotline or other feedback mechanism available on the website or mobile application

  • Communications from regulatory agencies overseeing specific industries (e.g., banking, insurance)

  • Communications and reports from rating agencies (e.g., credit rating reports)

  • Articles published on industry websites or online communities or in magazines and journals

  • External analyst reports and surveys

  • Reports prepared by experts and other third parties on the operation of the internal controls (e.g., IT security management experts evaluating the entity’s data security)
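As an added illustration (not part of the OAG guidance or of any entity's system), the following constructed Python sketch shows what the first two internal sources above might look like: a segregation-of-duties conflict report derived from role assignments in an IT application, and an automated unusual-activity report over changes to the vendor master file of the kind management would investigate manually (CAS 315.Appendix 3.12). All roles, permissions, users, SoD rules and log entries are made up for the example.

```python
"""Constructed example of two internally generated monitoring reports:
a segregation-of-duties (SoD) conflict report and an unusual-activity
report over vendor master file changes. All data below is made up."""
from datetime import datetime

# Constructed role -> permission mapping for a hypothetical accounts
# payable application.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_SUPERVISOR": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "VENDOR_MAINT": {"VENDOR_CREATE", "VENDOR_EDIT"},
    "READ_ONLY": {"REPORT_VIEW"},
}

# Constructed user -> role assignments. "carol" holds two roles whose
# combined permissions breach both SoD rules below.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_SUPERVISOR"},
    "carol": {"AP_CLERK", "AP_SUPERVISOR"},
    "dave": {"VENDOR_MAINT", "READ_ONLY"},
    "erin": {"READ_ONLY"},
}

# SoD rules: pairs of permissions one person should not hold together.
SOD_RULES = [
    ("VENDOR_CREATE", "PAYMENT_RELEASE",
     "can create a vendor and release payments to it"),
    ("INVOICE_ENTER", "INVOICE_APPROVE",
     "can enter and approve the same invoice"),
]


def effective_permissions(user, user_roles=USER_ROLES):
    """Union of the permissions granted by every role assigned to a user."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user_roles.get(user, ())))


def sod_conflict_report(user_roles=USER_ROLES):
    """One finding per (user, rule) pair where both permissions are held."""
    findings = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles)
        for first, second, risk in SOD_RULES:
            if first in perms and second in perms:
                findings.append({"user": user,
                                 "permissions": (first, second),
                                 "risk": risk})
    return findings


# Constructed change log for the vendor master file (bank numbers masked).
VENDOR_MASTER_LOG = [
    {"ts": "2024-03-04T10:15:00", "user": "dave", "vendor": "V100",
     "field": "address", "old": "1 Old St", "new": "2 New Ave"},
    {"ts": "2024-03-04T22:40:00", "user": "dave", "vendor": "V100",
     "field": "bank_account", "old": "***1234", "new": "***9876"},
    {"ts": "2024-03-05T09:05:00", "user": "erin", "vendor": "V203",
     "field": "name", "old": "Acme Ltd", "new": "Acme Limited"},
    {"ts": "2024-03-05T11:30:00", "user": "alice", "vendor": "V310",
     "field": "bank_account", "old": "***4321", "new": "***5555"},
]


def unusual_vendor_changes(log=VENDOR_MASTER_LOG, business_hours=(8, 18)):
    """Flag vendor master changes that warrant manual follow-up by management.

    A change is reported when the actor lacks any vendor-maintenance
    permission (which should not be possible if access controls operate,
    so it points to a control deficiency), when the bank account field
    changed, or when the change was made outside business hours.
    """
    findings = []
    for entry in log:
        reasons = []
        actor_perms = effective_permissions(entry["user"])
        if not actor_perms & {"VENDOR_CREATE", "VENDOR_EDIT"}:
            reasons.append("actor lacks vendor-maintenance permission")
        if entry["field"] == "bank_account":
            reasons.append("bank account changed")
        hour = datetime.fromisoformat(entry["ts"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("change outside business hours")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sod_conflict_report():
        print(f"SoD conflict: {f['user']} {f['risk']} "
              f"({' + '.join(f['permissions'])})")
    for f in unusual_vendor_changes():
        print(f"Review: {f['ts']} {f['user']} changed {f['field']} on "
              f"{f['vendor']}: " + "; ".join(f["reasons"]))
```

Reports like these are only as useful as the access data and change log feeding them, which is the reliability point CAS 315.24(b) asks us to understand.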

When obtaining the understanding of the source of the information we need to consider whether the information used is relevant and reliable. We obtain this understanding by considering the basis upon which management ensures the information is relevant to, and sufficiently reliable for the purposes of, the activity performed. The degree of our understanding depends on the complexity and nature of the source of information. When the effectiveness of the monitoring activity relies upon information that is sourced from multiple systems, we would need to understand the processes and controls, including applicable ITGCs, over the reliability of the information for each of the systems used as well as the aggregation process. For example, the understanding needed for a manually aggregated exception report using data from multiple different sales systems that is used by management to monitor whether required supervisory approvals were obtained and documented for exceptions to standard pricing terms would necessitate an understanding of the processes and controls management has implemented to address reliability of each exception report as well as the reliability of the aggregated information. By contrast, if the entity has one integrated sales system the effort to understand the processes and controls management has implemented to address reliability of the exception report information would involve only one report.

As explained in CAS 315.A120, the understanding obtained is intended to assist us when evaluating whether the entity’s process to monitor the entity’s system of internal control relevant to the preparation of the financial statements is appropriate to the entity’s circumstances, considering the complexity of the entity. Unless we plan to rely on one or more of these controls, we would not be required to test the reliability of the information used by the entity to monitor its internal controls.

Often management uses system generated information (e.g., monthly sales reports) in performing monitoring activities that is also used in the performance of controls that we plan to test and/or we plan to use the same system generated information in performing substantive testing. When we test the reliability of this information generated by an IT application in accordance with OAG Audit 2051 to support our substantive or controls testing, we might be able to leverage the work performed to support our conclusion about the effectiveness of the monitoring activity performed by management.

Evaluation of the entity’s process to monitor the system of internal controls

CAS Requirement

The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.24):

(c) Evaluating whether the entity’s process for monitoring the system of internal control is appropriate to the entity’s circumstances considering the nature and complexity of the entity.

CAS Guidance

The auditor’s evaluation about how the entity undertakes ongoing and separate evaluations for monitoring the effectiveness of controls assists the auditor in understanding whether the other components of the entity’s system of internal control are present and functioning, and therefore assists with understanding the other components of the entity’s system of internal control. This evaluation may also assist the auditor with identifying and assessing financial statement level and assertion level risks of material misstatement (CAS 315.A121).

The auditor’s evaluation of the appropriateness of the entity’s process to monitor the system of internal control is based on the auditor’s understanding of the entity’s process to monitor the system of internal control (CAS 315.A122).

OAG Guidance

Evaluating the entity’s process to monitor the system of internal controls helps us to better understand where management identifies and monitors risks related to the financial reporting. This is because looking "through the eyes of management" we can understand where they concentrate their effort when executing control and monitoring activities. CAS 315 does not require us to evaluate the design and implementation of each of the specific controls within the entity’s process to monitor the system of internal control. We are also not required to test operating effectiveness of the controls unless we plan to rely on them. When evaluating the entity’s process to monitor the system of internal control component we consider whether the monitoring process is appropriate to the entity’s circumstances given the nature and complexity of the entity. The evaluation may be based solely on the understanding procedures performed, such as inquiries of management and inspection or examination of monitoring control reports. When performing the evaluation we need to exercise professional skepticism and be prepared to challenge the entity’s process based on our knowledge of the business and our experience.

Due to the nature of the monitoring of controls processes, our evaluation procedures will primarily be inquiry, observation, or inspection. The nature and extent of work to be performed to evaluate the monitoring of controls process is a matter of professional judgment and will likely vary depending on the size and complexity of the entity, among other engagement‑specific considerations. For example, when auditing an entity that operates multiple business units in multiple geographic locations we would generally need to collect audit evidence beyond inquiries, such as examination of reports summarizing the monitoring activities performed in particular locations to evaluate whether the implemented process to monitor the system of internal control is appropriate to the entity’s circumstances. Entities with more complexity are also more likely to have internal audit (or equivalent) functions that form part of the monitoring process. By contrast, when auditing a less complex entity operating in a single management unit and location, evaluating the entity’s monitoring process might be much simpler and as such require less effort to reach our conclusion.

If, as part of our understanding procedures, we identify monitoring controls implemented by the entity that we plan to place reliance on in our audit, we would identify such controls as part of the control activities component and perform the required design and implementation evaluation. An example of such a direct entity‑level control (ELC) is business performance reviews (BPRs) that are designed to identify deficiencies in internal controls, for example by identifying unusually low gross margins that may be indicative of deficient controls over the authorization of customer discounts. The decision whether to test the operating effectiveness of such controls would be influenced by whether we consider the design of the control, including its precision, to be effective, as well as by management’s ability to demonstrate the presence and the degree of implementation of such controls. OAG Audit 5035.1 provides further guidance regarding understanding and evaluating business performance review controls.

If the monitoring of controls process is considered not to be appropriate to the entity’s circumstances, we consider whether and how it impacts the effectiveness of other components of the entity’s system of internal control (including control activities), our identification and assessment of risks of material misstatement, as well as any impact on our audit strategy and plan. This includes considering how the identified deficiencies affect the identification and assessment of risks of material misstatement at the financial statement level. OAG Audit 5037 provides additional guidance on the impact of our determination that a component within the entity’s system of internal control is not appropriate to the nature and circumstances of the entity. It also covers the impact of identified control deficiencies on the design of further audit procedures in accordance with CAS 330.