ISA 315 identifies five elements which together make up the internal control system. These are:
(1) The control environment
The control environment includes the views, awareness and actions of management regarding an entity’s internal control. It also includes moral values, managerial skill and the honesty of employees. It is the basis for good internal control, providing guidance and structure. The control environment includes the following elements:
– Communication and enforcement of integrity and ethical values
– Commitment to competence
– Participation of management
– Management’s philosophy and operating style
– Organizational structure
– Assignment of authority and responsibility
– Human resource policies and practices
(2) The entity’s risk assessment
Within a strong system of internal control, management should identify, assess and manage business risks on a continual basis. Significant business risks are any events or omissions that may prevent the entity from achieving its objectives. Identifying risks means recognizing the existence of risks or potential risks. Assessing the risks means deciding whether the risks are significant, and possibly ranking risks in order of significance. Managing risks means developing and implementing controls and other measures to deal with those risks.
ISA 315 requires the auditor to gain an understanding of these risk assessment processes used by the client company’s management, to the extent that those risk assessment processes may affect the financial reporting process. Risks can arise or change due to circumstances such as:
– changes in the entity’s operating environment
– new personnel
– new or revamped information systems
– rapid growth
– new technology
– new business models, products or activities
– corporate restructurings
– expanded foreign operations
– new procurement pronouncements.
(3) The information system
The information system consists of infrastructure, software, people, procedures and data. For financial reporting objectives, it comprises the procedures and records that initiate, record, process and report transactions and maintain accountability for assets, liabilities and equity.
(4) Control activities (internal controls)
Control activities are the policies and procedures that help ensure that management directives are carried out. The categories most relevant to an audit are:
– Performance reviews
– Information processing
– Physical controls
– Segregation of duties
(5) Monitoring of controls
Once the internal control system is in place, assessing the design and operation of controls over time is part of regular management activity. In addition, separate monitoring may be performed by internal auditors.