As per NSA 315, the auditor should obtain an understanding of internal control relevant to the audit. The auditor uses the understanding of internal control to identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design the nature, timing, and extent of further audit procedures.
Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.
Internal control, as discussed in this ISA, consists of the following components:
a. The control environment.
b. The entity’s risk assessment process.
c. The information system, including the related business processes, relevant to financial reporting, and communication.
d. Control activities.
e. Monitoring of controls.
Let us now briefly discuss these components:
a) Control Environment
The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
The control environment encompasses the following elements:
Communication and enforcement of integrity and ethical values.
Commitment to competence.
Participation by those charged with governance.
Management’s philosophy and operating style.
Assignment of authority and responsibility.
Human resource policies and practices.
b) Entity’s Risk Assessment Process
An entity’s risk assessment process is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity’s risk assessment process includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:
Changes in operating environment.
New or revamped information systems.
New business models, products, or activities.
Expanded foreign operations.
New accounting pronouncements.
c) Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).
Accordingly, an information system encompasses methods and records that:
Identify and record all valid transactions.
Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
Present properly the transactions and related disclosures in the financial statements.
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communications channels help ensure that exceptions are reported and acted on. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.
d) Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.
Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
Segregation of duties.
Certain control activities may depend on the existence of appropriate higher level policies established by management or those charged with governance. For example, authorization controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestment may require specific high-level approval, including in some cases that of shareholders.
e) Monitoring of Controls
An important management responsibility is to establish and maintain internal control on an ongoing basis. Management’s monitoring of controls includes considering whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring of controls may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal department’s oversight of compliance with the entity’s ethical or business practice policies.
Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.
In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity’s controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.