Internal Control – We revisit the concepts
When thinking about internal control and its relationship to risk assessment and the ISA 315 standard, we regard it as first-year university auditing material rather than an area of real concern for compliance and regulation. Most small-to-medium sized firms insist on following a substantive approach in auditing and do not give internal control the attention it requires as a risk assessment tool.
Important definitions and concepts
The definitions of the concepts and their relationship with each other present the greatest challenge to auditors when formulating an audit approach during planning. The following comparison between perceived and actual definitions of concepts demonstrates this:
Concept | Perceived definition | Actual definition |
---|---|---|
Internal control | Documented processes to address assertions | All controls, in management and in activities |
Overall controls | Monitoring, reporting and risk assessment | Control environment, management risk assessment, and monitoring controls |
Information systems | Computer controls | Physical and computer systems controlling activities |
Control activities | No specific application of the term | The methods applied in exercising control on each step of the information system |
Procedures | No specific application of the term | Steps in the information system warranting separate consideration |


There is a misconception surrounding the importance of reporting. Most of the time, it is not addressed as an activity which should be controlled. It is also not seen as a procedure when documenting systems. The activity of reporting represents periodic financial reporting, which requires, for example, control over journals and the application of accounting policies. The reporting procedure represents reports generated by the information system, to which other control activities such as review and authorisation may be applied. It includes high-risk areas of judgment such as estimates and journals.

Benefits of internal control testing
Firms tend to insist on the substantive approach when designing their audit approach, and perform the minimum required procedures on internal control systems. Proper knowledge of internal control systems may add substantial value to risk assessment and even result in doing less work in areas where trusted systems are in place. These days, systems typically include automated procedures, using off-the-shelf computer programs. This provides the opportunity to place reliance on systems for certain assertions being addressed and, due to the systems being automated, the sample sizes do not need to be large.
Another benefit of relying on systems that have been in place over a number of financial periods is that detailed control compliance tests may be skipped for some periods. Firms found this very useful during the COVID-19 pandemic, when they could not perform system tests at the client's premises.
In summary
Internal control systems are the backbone of any business, and the objectives of management and the auditor are the same. Creating a permanent record of detailed system descriptions, updated every year and confirmed with the client, can go a long way in ensuring the efficiency of the audit. When control deficiencies are reported, it also adds value for the client.
References
1. IAASB: ISA 315 (Revised), Identifying and assessing the risks of material misstatement through understanding the entity and its environment
2. IAASB: ISA 330, The auditor’s responses to assessed risks