Understanding internal control

When designing steps and procedures the auditor should evaluate the entity's internal controls and assess the risk that the control system might not prevent or detect material deviations.

Compliance audit; Financial audit

Planning

Ref: 14.140

[section separator="true"]

[section-item 9]

[row]

[column 12]

[toc-this]

Definitions

Internal control

Internal control is an integral process (i.e. a series of actions that permeate an entity's activities) that is effected by an entity’s management and personnel and is designed to address risks and to provide reasonable assurance that, in pursuit of the entity’s mission, the following general objectives are being achieved:

fulfilling accountability obligations;
complying with applicable laws and regulations;
safeguarding resources against loss, misuse and damage;
executing orderly, ethical, economical, efficient and effective operations.

Internal control components

Internal control systems, including IT systems, can be divided into five interrelated components:

[toggles class="list2left"]

[toggle title="Control%20environment"]To provide for the fundamental organisational structure, discipline and values of the entity. This creates and appropriate framework to ensure good governance of the resources entrusted. [/toggle]

[toggle title="Risk%20assessment"]To identify and analyse internal and external risks to the achievement of the entity's objectives. In the Commission, all activities must have objectives that are intended to be specific, measurable, achievable, relevant and timely (SMART), as well as risk analysis and risk management of the main activities. [/toggle]

[toggle title="Control%20activities"]To define the policies and specific procedures implemented by the entity to ensure that the identified risks are appropriately managed. They include a range of activities as diverse as authorisations, verifications, reviews of operating performance, information processing, physical controls and segregation of duties. Control activities include controls over related party relationships and transactions. [/toggle]

[toggle title="Information%20%26%20communication"]To ensure an appropriate framework for achieving the financial reporting and compliance objectives; it includes the accounting system, procedures and records to initiate, record, process and report transactions and to maintain accountability for the related assets, liabilities and equity. [/toggle]

[toggle title="Monitoring"]To ensure ongoing assessment of performance. This includes internal audit and evaluation, as well as the annual review of internal control. [/toggle]

[/toggles]

Principles

The auditor should obtain an

[link title="understanding%20of%20the%20internal%20control%20components" link="%2Faware%2FDocuments%2FInternal-control-components-list.docx" icon="file-word-o" /]

. By carrying out preliminary tests of controls, the auditor is seeking positive proof of the existence of key controls (those controls that are designed to prevent, or detect and correct, a material deviation), and their continuous, consistent and effective operation. However, the evidence obtained is often only weakly persuasive or negative (e.g. lack of a required signature), rather than convincing and positive (i.e. that the control did in fact take place).

Instructions

Understanding the entity's internal control

The auditor's objectives in understanding and making a preliminary evaluation of internal control should be defined at the outset. These objectives may include:

[toggles class="list2left"]

[toggle title="to%20help%20design%20the%20nature%2C%20timing%20and%20extent%20of%20audit%20procedures"]The auditor may be able to limit the amount of substantive testing if key controls are found to be properly designed and operating continuously and effectively throughout the period under review. Under this system-based approach, the auditor aims to obtain some of the required confidence from the entity's internal control and can thus reduce the degree of confidence to be obtained from substantive testing. [/toggle]

[toggle title="to%20gain%20an%20understanding%20of%20the%20extent%20to%20which%20improvements%20in%20internal%20control%20systems%20are%20being%20made%20year-on-year"]In this way, feedback can be provided to auditee management and the

[a-glossary term="Discharge%20authority"]discharge authority[/a-glossary]

, e.g. conclusions on the effectiveness of internal control which helps to fulfil ECA's mission of contributing to improving the financial management of EU funds. [/toggle]

[toggle title="to%20reach%20conclusions%20about%20the%20effectiveness%20of%20an%20internal%20control%20system"]where this is the specific objective of the audit, e.g. for certain selected audit tasks or for additional reporting on the effectiveness of internal control in the context of the statement of assurance. [/toggle]

[/toggles]

Only those controls that are relevant to the audit objective should be considered. It is a matter for the auditor's professional judgement as to whether a control, individually or in combination with others, is relevant. Furthermore, the auditor should consider which controls are to be considered as key. The number of key controls to be selected for testing is the absolute minimum to ensure that all relevant risks are covered. Relevant factors may include such matters as:

Materiality
The significance of the related risk
The size of the entity
The nature of the entity’s business, including its organisation and ownership characteristics
The diversity and complexity of the entity’s operations
Applicable legal and regulatory requirements
The circumstances and the applicable component of internal control
The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organisations
Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement

During the planning phase (irrespective of the auditor's objective in identifying and evaluating internal controls) the auditor:

Evaluates the design of internal controls relevant to the audit, by considering whether the controls, individually or in combination with other controls, are capable of effectively preventing, or detecting and correcting, deviations.
Determines whether they have been implemented (i.e. they exist and the entity is using them).

In order to understand and confirm the operation of a control, the auditor carries out "walk-through tests" of a small number of transactions (no more than three). Obtaining an understanding of an entity's controls should not be considered to be a test of their operating effectiveness; such testing is carried out in the examination phase.

Top-down approach

To ensure an economic, efficient and effective audit, the audit approach should seek to place reliance on controls at the highest level where the control is judged to be effective for audit purposes ("top-down approach"). In the EU context, controls exist at a number of different levels (depending on the management mode.)

Commission controls: The monitoring or supervisory controls implemented by the Commission are likely to involve a high degree of aggregation and a low level of detail, with a focus on exception reporting;
Member state controls: Controls here will be at a more detailed level, and may include budgetary monitoring, variance analysis, and monitoring of progress;
Controls by paying agency, managing authority, certifying body or audit authority: Control is based on detailed procedures relating to individual transactions or small groups of transactions, including controls over information processing.

Manual or automated controls

The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported. To understand internal control, the auditor should consider whether the entity has responded adequately to the risks arising from the use of IT (inaccurate processing, unauthorised access and changes, potential loss of data) or manual systems (controls may be bypassed or overridden, simple errors and mistakes may occur) by establishing effective controls.

Inherent limitations of internal controls

When evaluating and testing controls, the auditor should carefully consider the inherent limitations of internal controls, as well as the cost-effectiveness of testing controls. Internal controls can only provide reasonable assurance that control objectives are achieved. Furthermore, audit evidence cannot be obtained solely from internal controls as the following inherent limitations can affect their effectiveness:

IT systems weaknesses,
Documents signed without verification
Management override of controls
Changes in key personnel
Changes in transaction processing
Collusion

Procedures per type of audit

[tabs filled color="border-dark" css-code="div%3Anth-child(1)%20%7Bcolor%3A%20rgb(192%2C57%2C43)%7D%0Adiv%3Anth-child(2)%20%7Bcolor%3A%20%230072c6%7D" css_code_compiled=".dynamic-unique-shortpoint-class-name%20div%3Anth-child(1)%20%7B%0A%20%20%20%20color%3A%20rgb(192%2C57%2C43)%0A%7D%0A.dynamic-unique-shortpoint-class-name%20div%3Anth-child(2)%20%7B%0A%20%20%20%20color%3A%20%230072c6%0A%7D"]

[tab title="Compliance%20audit"]

When designing steps and procedures to test or assess compliance, auditors should evaluate the entity's internal controls and assess the risk that the control system might not prevent or detect non-compliance. The aim of identifying and evaluating internal control systems is to contribute to a reasonable assurance regarding compliance with applicable laws and regulations. The auditor should focus on key controls that are relevant to the objective of compliance with applicable laws and regulations. This includes those that govern the entity’s power to make payments or receive money, or set out the value of such payments or receipts. It is not concerned with administrative rules or regulations that are not directly linked to financial transactions. The auditor's consideration will involve an assessment of the general control environment at entity level and control procedures relating to individual transaction streams. The auditor considers how the entity's management seeks to mitigate the risk of material deviations through controls. Examples of controls and procedures which the auditee implements to ensure compliance with applicable laws and regulations:

[link title="Risks%20to%20compliance%20and%20related%20controls" link="%2Faware%2FDocuments%2FRisks-to-compliance-and-related-controls-list.docx" icon="file-word-o" /]

[emphasis color="primary"]The auditor's consideration of how regulations are translated into subsidiary regulations[/emphasis]
The auditor considers how regulations are translated into subsidiary regulations and guidelines. This may involve reviewing the legislation to identify the provisions that authorise activities, and reviewing the process for their translation and interpretation in subsidiary regulations and guidelines. It may also extend to the process for the translation of those regulations into working manuals or other key documentation. When conducting this review, the auditor pays particular attention to the regulations which govern, for example,

the controls to be implemented by the entity responsible for administering a scheme;
the eligibility of beneficiaries to receive grants/financial support under a scheme;
the calculation of grants or any other payments; and
the setting of fees and charges and other revenues.

When considering relevant rules and procedures relating to schemes, the auditor also identifies those controls designed to prevent and detect material deviations. Where the volume of laws or regulations is significant, entities may have systems for the design and monitoring of procedures and controls to ensure that they are appropriate and meet legislative requirements. Internal audit units may also have their own programme of work for reviewing controls to ensure compliance with applicable laws and regulations. The auditor may seek to place reliance on the entity's systems governing the translation of applicable laws and regulations and the design of subsidiary rules and procedures by testing the controls over this process.

[/tab]

[tab title="Financial%20audit"]

Controls that are relevant to an audit of the reliability of the accounts pertain to the entity's objective of preparing accounts for external purposes that are presented fairly, in all material respects, in accordance with the applicable financial reporting framework and the management of risk that may give rise to a material misstatement in those accounts. Some controls cover the accounting processes throughout the year (e.g. accounting review activities, and development of accounting risk analysis in the Commission). Other controls relate specifically to the year-end closing process. It is a matter of the auditor's professional judgement as to whether a control, individually or in combination with others, is relevant in the context of annual accounts. When considering the accounting control environment, special attention should be given to those controls that have a direct impact on the accounts assertions. The main control systems to be considered are the controls, checks, and measures undertaken by the Accounting Officer and, where relevant, the DGs themselves, as follows: [emphasis color="primary"]General[/emphasis]

the measures taken by the auditee to present annual accounts in compliance with the applicable accounting rules and standards and reporting deadlines;
the auditee's identification of its own accounting processes (this is a pre-requisite to the accounting risk analysis);
the auditee's process for establishing and validating its own risk analysis;
the key accounting procedures and manuals which govern the recording and quality of individual financial information throughout the year;
implementation of controls on final balances;
implementation of a customised accounting manual;
valuation and control methods specifically developed for a significant group of accounts (e.g. estimates of cut-off of accrued charges or provisions);

[emphasis color="primary"]Organisation[/emphasis]

the chain of responsibilities involved in the validation of figures presented in the annual accounts (e.g. Authorising Officer, accounting correspondent, and ultimately the Accounting Officer);
the organisation of the accounting function (staff, training, assignment of responsibilities);

[emphasis color="primary"]Closing process[/emphasis]

the specific controls during the year-end closing process to ensure and review the quality of the accounting records (e.g. to ensure completeness and valuation);
the relevance, appropriateness and consistency of cut-off methodology applied to accrued charges;
reconciliation between cut-off budgetary information and data included in systems;
internal controls over the annual accounts closing process;
the process for arriving at significant accounting estimates and disclosures;
whether closing instructions are received in time and properly applied;
correct and timely implementation of procedures, and compliance with deadlines;

[emphasis color="primary"]Information technology[/emphasis]

the accounting IT systems and their interaction (e.g. ABAC, SAP);
coherence between data in local (e.g. local systems of the DGs, institutions or agencies) and central systems (e.g. ABAC/SAP) and validation of the local systems;

[emphasis color="primary"]Reviews[/emphasis]

accounting reviews performed by the entity (e.g. DGs, agencies);
the quality of data entry, and the extent of review of the data entered in the accounting system;
the accounting review deriving from the DG's accounting risk analysis;
the extent of review by the accounting officer of the quality of the financial information received from the authorising officer to produce the annual accounts;
final validation by the Director-General of his/her DG's accounts.

Work on reliability in this regard entails updating the descriptions and evaluating the procedures relating to the significant accounting processes and systems and the application of the accounting rules, including those regarding cut-off, that lead to the annual accounts. In the case of audit work at the Commission, this includes work on the functioning of the central accounting system (ABAC) as well as the various local accounting systems. Where relevant, procedures for gathering and verifying data, which have to be shown in the accounts, but are not yet recorded, must be examined to ensure they are complete.

[/tab]

[/tabs]

[/toc-this]

[/column]

[/row]

[/section-item]

[section-item 3]

[row]

[column 12]

[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]

[standards]

[link new-window title="ISA%20315" link="https%3a%2f%2fwww.ifac.org%2fsystem%2ffiles%2fpublications%2ffiles%2fIAASB-2020-Handbook-Volume-1.pdf%23INTERNATIONAL%2520STANDARD%2520ON%2520AUDITING%2520315%2520(REVISED%25202019)" /]

[link new-window title="ISSAI%204000" link="https%3a%2f%2fwww.issai.org%2fwp-content%2fuploads%2f2019%2f08%2fISSAI-4000-Compliance-Audit-Standard.pdf" /]

[link new-window title="INTOSAI%20GOV%209100" link="https%3a%2f%2fwww.issai.org%2fwp-content%2fuploads%2f2019%2f08%2fintosai_gov_9100_e.pdf" /]

[/standards]

[/panel]

[/column]

[/row]

[row]

[column 12][/column]

[/row]

[row]

[column 12]

[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]

[/column]

[/row]

[/section-item]

[/section]

Last Modified: 04/11/2021 12:50 Tags:

Understanding internal control // <![CDATA[ _spBodyOnLoadFunctionNames.push("setupPageDescriptionCallout"); // ]]>

Understanding internal control

Definitions

Internal control

Internal control components

Principles

Instructions

Understanding the entity's internal control

Top-down approach

Manual or automated controls

Inherent limitations of internal controls

Procedures per type of audit

Understanding internal control