Monday, May 18, 2015

Clarified Auditing Standards—Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AU-C 315)—Part 3



The Entity’s Internal Control

This article will focus on the basic requirements of AU-C 315 regarding the auditor’s understanding of an entity’s internal control and the nature of the basic elements in an internal control system. The following paragraphs are excerpted from AU-C 315 (this Section may be obtained from the AICPA website (www.aicpa.org) and should be read in its entirety for a complete understanding of audit-related internal control issues):

.13 The auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor's professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: par. .A42–.A67)

Nature and Extent of the Understanding of Relevant Controls (Ref: par. .14):

.A68 Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. Assessing the implementation of a control that is not effectively designed is of little use, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency or material weakness in the entity's internal control.
.A69 Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include
• inquiring of entity personnel.
• observing the application of specific controls.
• inspecting documents and reports.
• tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

The Elements of Internal Control from AU-C 315

  • Control Environment—The core of any business is its people and the environment in which they operate.  The tone at the top, i.e., management’s attitudes, values and behaviors, provides the control environment for other employees.
  • Risk Assessment—The entity must be aware of and deal with the risks it faces; identifying the risk of error or fraud and implementing corrective actions is the primary responsibility of management.
  • Control Activities—Control policies and procedures must be designed and operated to address risks to the achievement of the entity’s objectives.
  • Information and Communication—These systems enable the entity’s people to obtain and use information necessary to conduct, manage and control operations.
  • Monitoring—The internal control process must be monitored and changed by management as circumstances and conditions necessitate.
In 2013, the Committee of Sponsoring Organizations (COSO) updated and issued a revision of Internal Control—Integrated Framework, originally published in 1992. The updated report did not change the basic components of internal control but, among other clarifying issues, the Framework sets out seventeen principles for applying these components. These principles from COSO’s report are presented below as they apply to the internal control components.

Control Environment
  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
  1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. The organization selects and develops general control activities over technology to support the achievement of objectives.
  3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
  1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
  1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Internal control is always relevant to the nature, size and complexity of a reporting entity.  Smaller entities will ordinarily have more informal controls that are carried out by one or a few persons.  While the basic components of internal control should be present in small- and medium-size entities, the 17 principles will ordinarily be subjectively included in an entity’s design and operation of internal controls. Larger entities may develop specific controls for these clarifying principles.

Generally, internal controls over financial reporting include those that are designed to make sure financial data is recorded, processed, summarized and reported consistent with management’s representations (assertions) in financial statements.  Management of an entity has the primary responsibility for internal control.  An auditor’s responsibilities include the evaluation of whether the five components are designed and operating effectively, given the nature, size and complexity of the entity.

The next article will begin a practical discussion of what auditors need to know about internal control and the part control activities play in the risk assessment process required by AU-C 315.

More Information

These eBook resources, without CPE credit, can be obtained from my website, www.cpafirmsupport.com:
  • Small Audits Made Easy and Profitable
  • Performing Auditing Tests of Balances Procedures
  • Staff Training Series for Entry-Level Accountants, New In-Charge Accountants and Engagement Leaders
  • Key Accounting Issues for Non-Profit Organizations
  • A Practical Potpourri of Time Savings on Audits
  • The Financial Reporting Framework for Small- and Medium-Sized Entities
