entity’s risk assessment process,3 The information system, including processes related to financial reporting and communication,
4 Control activities, and
5 Monitoring.
(AU-C 315.A57)
These components may operate at the entity level or the individual transaction level. Obtaining an appropriate understanding of internal control requires the auditor to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client.
The Five Components of Internal Control – 1. Control Environment
The auditor should obtain a sufficient knowledge of the control environment to understand management’s and the board of directors’ attitudes, awareness, and actions concerning the environment. (AU-C 315.15) Control environment factors include:
Communication and enforcement of integrity and ethical values
Commitment to competence
Characteristics of those charged with governance
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices
(AU-C 315.A79)
NOTE: The auditor should concentrate on the substance of controls (established and acted upon), not their form.
The Five Components of Internal Control – 2. The Entity’s Risk Assessment Process
The auditor should obtain an understanding of the entity’s procedures for business risk, specifically:
Identifying the risks
Estimating significance
Assessing the likelihood of occurrence
Deciding on an action plan to address the risk
(AU-C 315.16)
Risks can occur because of the following:
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New technology
New business models, products, or activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements
Changes in economic conditions
(AU-C 315.A90)
NOTE: The auditor’s assessment of inherent and control risks is a separate consideration and not part of the entity’s risk assessment.
The Five Components of Internal Control – 3. The Entity’s Information System
The auditor should obtain sufficient knowledge of the accounting information system to understand:
The classes of transactions that are significant to the financial statements
The procedures, both automated and manual, by which those transactions are initiated, recorded, processed, and reported from their occurrence to inclusion in the financial statements
The related accounting records, whether electronic or manual, supporting information, and specific accounts involved in initiating, recording, processing, and reporting transactions
How the information system captures other events and conditions that are significant to the financial statements
The financial reporting process
Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments
(AU-C 315.19)
The auditor should understand the automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include:
The procedures used to enter transaction totals into the general ledger
NOTE: The auditor should be aware that when information technology (IT) is used to automatically transfer information from transaction processing systems to general ledger or financial reporting systems, there may be little or no visible evidence of intervention in the information systems (e.g., an individual may inappropriately override automated processes by changing the amounts being automatically passed to the general ledger or financial reporting system).
The procedures used to initiate, record, and process standard (e.g., monthly sales and purchase transactions) and nonstandard (e.g., business combinations or disposals, or a nonrecurring accounting estimate) journal entries in the general ledger
NOTE: Auditors should be aware that:
When IT is used to maintain the general ledger and prepare financial statements, such nonstandard entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.
Financial statement misstatements are often perpetrated by using nonstandard entries to record fictitious transactions or other events and circumstances, particularly near the end of the reporting period.
Other procedures used to record recurring and nonrecurring adjustments (e.g., consolidating adjustments and reclassifications that are not made by formal journal entries)
The auditor should also obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters about financial reporting. (AU-C 315.20)
The Five Components of Internal Control – 4. Control Activities
The auditor should obtain an understanding of those control activities that are relevant to the audit. (AU-C 315.21) Control activities are relevant to the audit if they are related to significant risks, as discussed later in this section. Examples of specific control activities include:
Authorization
Performance
