Understanding internal control

When designing steps and procedures the auditor should evaluate the entity's internal controls and assess the risk that the control system might not prevent or detect material deviations.
Applies to: Compliance audit; Financial audit
Phase: Planning
Ref: 14.140

Definitions

Internal control

Internal control is an integral process (i.e. a series of actions that permeate an entity's activities) that is effected by an entity’s management and personnel and is designed to address risks and to provide reasonable assurance that, in pursuit of the entity’s mission, the following general objectives are being achieved:
  • fulfilling accountability obligations;
  • complying with applicable laws and regulations;
  • safeguarding resources against loss, misuse and damage;
  • executing orderly, ethical, economical, efficient and effective operations.

Internal control components

Internal control systems, including IT systems, can be divided into five interrelated components:
  • Control environment
  • Risk assessment
  • Control activities
  • Information & communication
  • Monitoring

Principles

The auditor should obtain an understanding of the internal control components. By carrying out preliminary tests of controls, the auditor is seeking positive proof of the existence of key controls (those controls that are designed to prevent, or detect and correct, a material deviation) and of their continuous, consistent and effective operation. However, the evidence obtained is often only weakly persuasive or negative (e.g. the lack of a required signature), rather than convincing and positive (i.e. evidence that the control did in fact take place).

Instructions

Understanding the entity's internal control

The auditor's objectives in understanding and making a preliminary evaluation of internal control should be defined at the outset. These objectives may include:
  • to help design the nature, timing and extent of audit procedures;
  • to gain an understanding of the extent to which improvements in internal control systems are being made year-on-year;
  • to reach conclusions about the effectiveness of an internal control system.

Only those controls that are relevant to the audit objective should be considered. It is a matter for the auditor's professional judgement as to whether a control, individually or in combination with others, is relevant. Furthermore, the auditor should consider which controls are to be considered as key. The number of key controls to be selected for testing is the absolute minimum to ensure that all relevant risks are covered. Relevant factors may include such matters as:
  • Materiality
  • The significance of the related risk
  • The size of the entity
  • The nature of the entity’s business, including its organisation and ownership characteristics
  • The diversity and complexity of the entity’s operations
  • Applicable legal and regulatory requirements
  • The circumstances and the applicable component of internal control
  • The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organisations
  • Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement

During the planning phase (irrespective of the auditor's objective in identifying and evaluating internal controls) the auditor:
  • Evaluates the design of internal controls relevant to the audit, by considering whether the controls, individually or in combination with other controls, are capable of effectively preventing, or detecting and correcting, deviations.
  • Determines whether they have been implemented (i.e. they exist and the entity is using them).

In order to understand and confirm the operation of a control, the auditor carries out "walk-through tests" of a small number of transactions (no more than three). Obtaining an understanding of an entity's controls should not be considered to be a test of their operating effectiveness; such testing is carried out in the examination phase.

Top-down approach

To ensure an economic, efficient and effective audit, the audit approach should seek to place reliance on controls at the highest level at which the control is judged to be effective for audit purposes (the "top-down approach"). In the EU context, controls exist at a number of different levels (depending on the management mode):
  • Commission controls: The monitoring or supervisory controls implemented by the Commission are likely to involve a high degree of aggregation and a low level of detail, with a focus on exception reporting;
  • Member state controls: Controls here will be at a more detailed level, and may include budgetary monitoring, variance analysis, and monitoring of progress;
  • Controls by paying agency, managing authority, certifying body or audit authority: Control is based on detailed procedures relating to individual transactions or small groups of transactions, including controls over information processing.

Manual or automated controls

The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported. To understand internal control, the auditor should consider whether the entity has responded adequately to the risks arising from the use of IT (inaccurate processing, unauthorised access and changes, potential loss of data) or manual systems (controls may be bypassed or overridden, simple errors and mistakes may occur) by establishing effective controls.

Inherent limitations of internal controls

When evaluating and testing controls, the auditor should carefully consider the inherent limitations of internal controls, as well as the cost-effectiveness of testing controls. Internal controls can only provide reasonable assurance that control objectives are achieved. Furthermore, audit evidence cannot be obtained solely from internal controls as the following inherent limitations can affect their effectiveness:
  • IT system weaknesses
  • Documents signed without verification
  • Management override of controls
  • Changes in key personnel
  • Changes in transaction processing
  • Collusion

Procedures per type of audit

Compliance audit

When designing steps and procedures to test or assess compliance, auditors should evaluate the entity's internal controls and assess the risk that the control system might not prevent or detect non-compliance. The aim of identifying and evaluating internal control systems is to contribute to a reasonable assurance regarding compliance with applicable laws and regulations.

The auditor should focus on key controls that are relevant to the objective of compliance with applicable laws and regulations. This includes those that govern the entity's power to make payments or receive money, or set out the value of such payments or receipts. It is not concerned with administrative rules or regulations that are not directly linked to financial transactions.

The auditor's consideration will involve an assessment of the general control environment at entity level and control procedures relating to individual transaction streams. The auditor considers how the entity's management seeks to mitigate the risk of material deviations through controls.

Examples of controls and procedures which the auditee implements to ensure compliance with applicable laws and regulations: Risks to compliance and related controls.

The auditor's consideration of how regulations are translated into subsidiary regulations

The auditor considers how regulations are translated into subsidiary regulations and guidelines. This may involve reviewing the legislation to identify the provisions that authorise activities, and reviewing the process for their translation and interpretation in subsidiary regulations and guidelines. It may also extend to the process for the translation of those regulations into working manuals or other key documentation. When conducting this review, the auditor pays particular attention to the regulations which govern, for example:
  • the controls to be implemented by the entity responsible for administering a scheme;
  • the eligibility of beneficiaries to receive grants/financial support under a scheme;
  • the calculation of grants or any other payments; and
  • the setting of fees and charges and other revenues.

When considering relevant rules and procedures relating to schemes, the auditor also identifies those controls designed to prevent and detect material deviations. Where the volume of laws or regulations is significant, entities may have systems for the design and monitoring of procedures and controls to ensure that they are appropriate and meet legislative requirements. Internal audit units may also have their own programme of work for reviewing controls to ensure compliance with applicable laws and regulations. The auditor may seek to place reliance on the entity's systems governing the translation of applicable laws and regulations and the design of subsidiary rules and procedures by testing the controls over this process.
Last Modified: 04/11/2021 12:50