Internal Control Environment

Client Substantiation File.

Why do your auditors want to understand the internal control environment?

Your auditors assess whether your entity has an effective internal control environment in place that will either prevent or detect and correct a material misstatement in your entity’s financial statements, and, where applicable, statement of service performance.

The internal control environment consists of:

  • the control environment;
  • the entity’s risk assessment process;
  • the information system, including the related business processes, relevant to financial reporting and communication;
  • control activities; and
  • monitoring of controls.

In understanding and assessing the internal control environment, your auditors consider these five elements individually and collectively.

Control environment

The control environment reflects the overall attitudes, awareness, and actions of management, the governing body, owners, and others concerning the importance of control and the emphasis given to control in the entity’s policies, procedures, methods, and organisational structure. The control environment encompasses management’s attitude towards the development of accounting and performance estimates and its external reporting philosophy, and is the context in which the accounting system and control procedures operate. The control environment sets the tone of an organisation, influencing the control consciousness of its people.

Risk assessment process

The entity’s risk assessment process forms the basis for how management and the governing body determine the risks to be managed. If that process is appropriate to the circumstances, including the nature, size, and complexity of the entity, it assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgement.

The information system, including the related business processes, relevant to financial reporting and communication

Obtaining an understanding of the entity’s information systems and business processes, which include how transactions originate, assists the auditor to obtain an understanding of the entity’s systems relevant to financial reporting in a manner that is appropriate to the entity’s circumstances.

Control activities

Control activities are those policies and procedures established and maintained by management that provide the necessary discipline to enable controls over specific accounting and performance applications and processes to function effectively. They encompass management control methods, the organisational structure and methods of assigning authority and responsibility, and personnel policies and practices.

Monitoring of controls

Monitoring of controls relates to management’s direct control over the exercise of authority delegated to others and its ability to exercise effective overall supervision of the organisation’s activities. These methods are reflected in accounting and reporting systems, budgetary and plan achievement controls, and controls over the information systems environment. Effective management control methods provide a basis for expecting that accounting and performance recording systems and management controls will function as prescribed, and that they will be modified in a controlled and appropriate manner to meet changing conditions.

An effective internal control environment enables auditors to reduce the amount and nature of audit work they need to do to gain sufficient assurance over an account balance and/or performance measure. If, however, your auditor concludes your internal control environment is “ineffective” this will result in your auditor needing to carry out additional audit work to gain the required assurance.

If auditors identify effective internal controls, they will test those internal controls to assess whether the internal controls have been operating effectively during the financial year under review.

It is the responsibility of the governing body and senior management to ensure that effective internal controls are in place and have operated throughout the year under review.

What do your auditors specifically focus on when understanding internal controls?

When understanding and assessing internal controls, your auditor focuses on the different activities performed for processing of data (both financial and non-financial, where relevant).

Most data processes involve a series of tasks such as validating or editing input data, sorting and merging data, making calculations, updating transaction and master files, generating transactions or events, and summarising and displaying or reporting data. The processing procedures of relevance to the auditor in understanding the flow of transactions or events, are those activities required to initiate, process, and record any significant type of transactions or events. These include the procedures for correcting and reprocessing previously rejected transactions or events and for correcting erroneous transactions or events through adjusting entries. For example, in understanding an expenditure/accounts payable process, we wish to understand what triggers the process (usually the raising of a purchase order) through to the payment to the supplier. Within understanding this we would also understand and assess the process for updating the supplier’s master file.

The understanding by the auditor will be at a level that allows them to identify whether effective internal controls are in place to ensure data is recognised, measured, presented and disclosed correctly.

The data processes the auditor will assess are usually processes that have high volume transactions. Some common processes are:

  • revenue/Accounts receivables;
  • purchases/Accounts payables;
  • payroll/Employee entitlements;
  • property, plant, and equipment (additions, disposals, and so on);
  • cost allocation;
  • journals; and
  • non‑financial measures.

When identifying internal controls, your auditor assesses whether internal controls are in place to reduce the risk of a material misstatement arising from the recognition, measurement, presentation and disclosure of various balances in the financial statements, their related disclosures, and performance measures.

To assist with this, your auditor uses the concept of assertions, that is, when representing that the financial statements are in accordance with the applicable financial reporting framework, an entity implicitly or explicitly makes assertions regarding the recognition, measurement, presentation, and disclosure of the various elements of financial statements, related disclosures, and service performance information.

The assertions for financial and non‑financial data are shown below:

Assertions about classes of transactions, account balances, related disclosures and service performance results

Account assertion Internal controls should be in place to ensure:
Occurrence Financial and service performance transactions and events that have been recorded has occurred and relates to the entity.
Completeness Financial and service performance transactions and events that should have been recorded have been recorded.
Accuracy Financial and service performance transactions and events have been recorded correctly.
Cut-off Financial and service performance transactions and events have been recorded in the correct accounting period.
Classification Financial and service performance transactions and events have  been recorded in the proper accounts.
Presentation Financial and service performance transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosure are relevant and understandable in the context of the requirements of the applicable financial reporting framework

Account assertions for account balances and related disclosures at the period end

Account assertion Internal controls should be in place to ensure:
Completeness Assets, liabilities, and equity interests that should have been recorded have been recorded.
Existence Assets, liabilities, and equity interests exist.
Rights/obligations The entity holds or controls the rights to assets and liabilities that are the obligations of the entity.
Accuracy, valuation and allocation Assets, liabilities, and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described.
Classification Assets, liabilities and equity interests have been recorded in the proper accounts.
Presentation Assets, liabilities and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.

Assertions about other disclosures

The assertions described in the tables above, adapted as appropriate, may also be used when including any additional disclosures that are not directly related to recorded classes of transactions, events, or account balances.

How do we do this?

Understanding of the flow of transactions, or events, is acquired by a combination of:

  • asking appropriate staff at your entity;
  • observing the processing methods and procedures used;
  • reviewing your entity’s manuals and other written instructions; and
  • “walk throughs” that is, tracing transactions through the relevant system.

At the conclusion of this exercise, the auditor concludes whether or not there are internal controls in place that are designed appropriately and will either prevent or detect a material error with respect to the various assertion risks described above.

Page last updated: 10 April 2019