Understanding the Components of the Company’s System of Internal Control

 

Internal control is the process designed, implemented and maintained by the board of directors, management and other personnel to provide reasonable assurance about the achievement of a company’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

The auditor’s understanding of the company’s system of internal control is obtained through risk assessment procedures performed to understand and evaluate each of the components of the system of internal control.

The system of internal control consists of the following components:

*     Control environment.

*     The company’s risk assessments possess.

*     The company’s process to monitor the system of internal control.

*     Information System and Communication.

*     Control Activities.

 Control environment covers the following matters:

(a)    How management’s responsibilities are carried out, such as creating and maintaining the company’s culture and demonstrating management’s commitment to integrity and ethical value.

(b)  When those charged with governance are separate from management, how those charged with governance exercise oversight of the company’s system of internal control.

(c)    How the company assigns authority and responsibility in pursuit of its objectives.

(d)   How the company attracts, develops, and retains competent staff.

(e)  How the company holds individuals accountable for their responsibilities in pursuit of the objectives of the company’s system of internal control.

Obtaining an understanding of the control environment

The control environment provides an overall foundation for the operation of the other components of the system of internal control. The control environment does not directly prevent, or detect and correct, misstatements. But it may  influence the effectiveness of controls in the other components of the system of internal control.

The auditor obtains an understanding of the control environment relevant to the preparation of the financial statements, through performing risk assessment procedures, by

Understanding the set of controls, processes and structure that address:

·        The company’s assignment of authority and responsibility.

·        How the company attracts, develops, and retains competent individuals; and

·        How the company holds individuals accountable for their responsibilities.

·        The independence of and oversight over the company’s system of internal control by the board of directors.

·        The company’s culture and management’s commitment to integrity and ethical values.

Evaluating whether:

·        Management has created and maintained a culture of honesty and ethical behavior.

·   The control environment provides an appropriate foundation for the other components of the company’s system of internal control.

·      Control deficiencies identified in the control environment undermine the other components of the company’s system of internal control.

The company’s risk assessments possess

The company’s risk assessment process is designed to operate in a manner that also supports the entire system of internal control.

For financial reporting purposes, the company’s risk assessment process includes how management identifies business risks relevant to the preparation of financial statements in accordance with the company’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and introduced actions to manage them. For example, the company’s risk assessment process may address how the company considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements.

The auditor obtains an understanding of the company’s risk assessment process relevant to the preparation of the financial statements, through performing risk assessment procedures, by:

Understanding the company’s process for

·        Identifying business risks relevant to financial reporting objectives.

·        Assessing the significance of those risks, including the likelihood of their occurrence; and

·       Addressing those risks.

Evaluating whether the company’s risk assessment process is appropriate to the company’s circumstances .

The company’s process to monitor the system of internal control

The company’s process to monitor the system of internal control is a continual process to evaluate the effectiveness of the company’s system of internal control, and to take necessary remedial actions on a timely basis. The company’s process to monitor the company’s system of internal control may consist of ongoing activities, separate evaluations (conducted periodically), or some combination of the two

The process for monitoring the system of internal control is designed to operate in a manner that also supports the entire system of internal control.

The auditor shall obtain an understanding of the company’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by:

Understanding those aspects of the company’s process that address:

·      Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and remediation of control deficiencies identified.

·        The company’s internal audit function.

·        Understanding the sources of the information used in the company’s process to monitor the system of internal control

Evaluating whether the company’s process for monitoring the system of internal control is appropriate to the company’s circumstances.

Information System and Communication, and Control Activities

The controls in the information system and communication, and control activities components are primarily direct controls (i.e., controls that are sufficiently precise to prevent, detect or correct misstatements at the assertion level).

Information System and Communication

The information system relevant to the preparation of the financial statements designed and established to:

·        Initiate, record and process company transactions (as well as to capture, process and disclose information about events and conditions other than transactions) and to maintain accountability for the related assets, liabilities and equity.

·        Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis.

·        Process and account for system overrides or bypasses to controls.

·     Incorporate information from transaction processing in the general ledger (e.g., transferring of accumulated transactions from a subsidiary ledger).

·      Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the financial statements.

Communication, which involves providing an understanding of individual roles and responsibilities pertaining to the company’s system of internal control, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Obtaining an understanding of the company’s business processes, which include how transactions are originated, assists the auditor in obtaining an understanding of the company’s information system in a manner that is appropriate to the company’s circumstances.

 The auditor is required to understand the company’s information system and communication because understanding the company’s policies that define the flows of transactions and other aspects of the company’s information processing activities relevant to the preparation of the financial statements

The auditor obtains an understanding of the company’s information system and communication relevant to the preparation of the financial statements, through performing risk assessment procedures, by

(a)   Understanding the company’s information processing activities, including its data and information, the resources to be used in such activities and the policies that define, for significant classes of transactions, account balances and disclosures.

(b)   Understanding how the company communicates significant matters that support the preparation of the financial statements (between people within the company, between management and the board of directors, with external parties).

(c)    Evaluating whether the company’s information system and communication appropriately support the preparation of the company’s financial statements in accordance with the applicable financial reporting framework.

 The auditor’s understanding of the information system may be obtained in various ways and may include:

● Inquiries of relevant personnel about the procedures used to initiate, record, process and report transactions or about the company’s financial reporting process.

 ● Inspection of policy or process manuals or other documentation of the company’s information system.

 ● Observation of the performance of the policies or procedures by company’s personnel; or

● Selecting transactions and tracing them through the applicable process in the information system (i.e., performing a walk-through).

Control Activities

 Controls in the control activities component may consist of the following:

·        Authorization and approvals.

·        Reconciliations.

·        Verifications.

·        Physical or logical controls.

·        Segregation of duties.

The auditor shall obtain an understanding of the control activities component, through performing risk assessment procedures, by:

  Identifying controls that address risks of material misstatement at the assertion level in the control activities component as follows:

·        Controls that address a risk that is determined to be a significant risk.

·        Controls over journal entries, including non-standard journal entries.

·   Controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence.

For each control identified:

·        Evaluating whether the control is designed effectively to address the risk of material misstatement at the assertion level.

·        Determining whether the control has been implemented by performing procedures in addition to inquiry of the company’s personnel.

Significant control deficiencies identified by the auditor are reported to the board of directors and company`s management.

ISA 315

Comments

Post a Comment

Popular posts from this blog

Why do auditors use assertions?

Image
  Assertions are representations by management that are embodied in the financial statements and used by the auditor to consider the different types of potential misstatements that may occur. Assertions may fall into the following categories: Assertions about classes of transactions and events, and related disclosures, for the period under audit : ·         Occurrence —transactions and events that have been recorded or disclosed have occurred, and such transactions and events are related to the company. ·         Completeness —all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.   ·         Accuracy —amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been app...
Read more

What is the new International Standard on Auditing for Audits of Financial Statements of Less Complex Entities?

Image
  The International auditing and assurance standards board designed “The International Standard on Auditing for Audits of Financial Statements of Less Complex Entities” which is effective for audits of financial statements of less complex entities for periods Beginning on or after December 15, 2025. The standard is based on the International Standards on Auditing (ISA) and would follow a simplified approach based on risk assessment. The standard will enable auditors to obtain reasonable assurance that financial statements are free from material misstatements, and in an independent audit`s report will be pointed out that the audit is conducted in accordance with the ISA for LCE. The ISA for LCE has the following limitations for using: 1.       Specific classes of entities for which the use of the ISA for LCE is prohibited (described below). 2.       Qualitative characteristics that describe an LCE. Qualitative characteristics rel...
Read more