
Understanding, documenting and testing internal controls

Helpsheets and support

Published: 18 Nov 2019 Reviewed: 18 Nov 2019

Understanding and documenting internal control on audits of financial statements has always been challenging, particularly in smaller entity audits. In this Audit and Assurance Faculty guide we look at some of the continuing issues that challenge auditors and the implications for smaller entity audits.

Why are ISA requirements on internal controls so hard to apply?

Dealing with internal controls is an issue in audits of all sizes for a number of reasons. In smaller, less complex audits, one long-standing problem is the extent of the required work on the design and implementation of controls where a fully substantive approach is taken.

There are also many other issues that auditors struggle with when understanding and testing internal controls in audits of all sizes, including:

  • deciding whether to test the operating effectiveness of controls;
  • determining what constitutes a deviation and the tolerable deviation rate, and then dealing with deviations;
  • revising the control risk assessment, and the effect of a revision on other audit procedures; and
  • balancing the results of controls testing with substantive procedures.

Firms have different approaches to the requirements of the risk ISAs in this area. Some believe that there is little point in spending too much time considering controls in smaller audits because these controls are not that relevant to the risk assessment process or the wider audit. Others take the view that ISAs require work on the design and implementation of controls relevant to the audit on all audits, not least in order to understand the business properly.

Why is work on internal control necessary when auditors take a substantive approach?

Some auditors question the value of the work ISAs require on evaluating the design and implementation of controls. The purpose of this work is to help auditors properly understand the business and, very specifically, to deal with any risks arising from poor internal controls. Performing the same substantive procedures, regardless of whether controls are designed, implemented and operated properly, poorly or not at all, ignores the following:

  • ISAs require substantive procedures to be tailored to the assessed risks;
  • a substantive approach often involves analytical procedures, and if auditors ignore controls they risk placing too much reliance on the information those procedures are performed on, which may have been produced by a poorly controlled system;
  • auditors may well miss something important in a key area if they do not understand that the controls over it are poor, and they may audit inefficiently if they do not understand that the controls are good; and
  • ISAs require auditors to obtain an understanding of the internal controls relevant to the audit by evaluating the design and implementation of those controls irrespective of the size and complexity of the client and regardless of the audit strategy.

Which controls do auditors need to understand?

Auditors are only required to obtain an understanding of controls relevant to the audit. However, not all controls over financial reporting may be relevant to the audit. The only controls that auditors need to consider are those that auditors believe may prevent, detect or correct a material misstatement. It is a matter of professional judgement whether a control individually, or in combination with others, is relevant to the audit. To be able to make this judgement, auditors need to understand the system within which the controls operate.

Internal controls in smaller and less complex entities are likely to be informal, but this does not mean that there will be no controls relevant to the audit or that, if there are, they will never be good enough for auditors to test their operating effectiveness.

If auditors do not understand the system and assume that there are no controls relevant to the audit without further consideration, they write off the potential value of this work before they start.

Operational and financial controls are often tightly integrated and interdependent, which means that operational controls may sometimes be relevant to the audit. Auditors need to consider this carefully and decide whether it is therefore necessary to assess the design and implementation of those operational controls as well.

Why is understanding and documenting controls within systems a problem?

The requirement to understand and document system processes and controls involves procedures such as discussions with the client, internal control questionnaires, internal control evaluation questionnaires, narrative notes and flowcharts.

On larger, more complex audits some combination of these approaches is likely.

For smaller, less complex audits with simpler controls, the extent of documentation and what is most appropriate in the circumstances are important. In very general terms, smaller, less complex audits tend to involve narrative systems notes. Budgets may be cited as a reason for spending less time on documentation. However, efficiently prepared, comprehensive and up-to-date documentation probably costs less in the long run than out-of-date and incomplete documentation, both because of the long-term effect on the efficiency of the audit approach and because of the regulatory consequences.

Common failings in narrative systems notes include incomplete records of certain relevant control activities, such as how management accounts are prepared, how the budgeting system works and how journals are processed. While narrative notes are usually sufficient to understand how a transaction is recorded in the general ledger, they can only be adequate for the purpose of identifying controls that prevent misstatement or manipulation if they are up to date and if the preparer has given active consideration to that purpose.

Do auditors need to think about whether to test the operational effectiveness of controls in smaller, less complex audits?

Entities that are not dormant will have some controls in place, however rudimentary. These controls need not be formal or formally documented; they just need to be appropriate for the entity concerned.

Auditors are required to perform some work to evaluate the design and implementation of controls in order to assess control risk. However, auditors cannot allow an expectation that controls are operating effectively to have any effect on the nature, timing and extent of substantive procedures unless the operational effectiveness of the controls is tested.

Auditors may believe that controls are, or may be, operationally effective but choose to assume that they are not, and take a purely substantive approach. This may not be the most efficient approach but it is not prohibited. Even if auditors have decided to take a substantive approach, regardless of the quality of controls, or whether the control risk assessment has no effect on the nature or extent of procedures performed, ISA 315 still requires the control risk assessment to be performed.

It is very common in smaller audits for a fully substantive approach to be taken, even though there are controls that could be tested, because it is quicker and easier. However, work to update and document the auditor’s understanding of the design and implementation of controls has to be performed annually regardless, and that work can be leveraged if controls are tested.

Situations in which a move from substantive to controls testing might be worth considering, and factors to take into account include:

  • the implementation of extensive changes recommended in a management letter, combined with improved operating effectiveness in transaction cycles;
  • significant other improvements to controls, such as the financial statement closing process;
  • improvements in the technology available or the recruitment of more IT literate staff;
  • the development of knowledge or skills within the audit firm through training or recruitment, bringing with it the confidence to try a change in approach;
  • the formalisation and documentation of new controls by the client as a result of expansion, for example, which makes testing of those controls more feasible. However, the size of the entity is not the only factor to take into account and where larger audits remain less complex, a substantive approach may still be perfectly reasonable.

Is dealing with deviations from the application of control procedures a problem in smaller, less complex audits?

In performing controls testing, methodologies must help auditors determine what constitutes a deviation and the tolerable deviation rate. Statistical methods can be used when dealing with lower-level tests of controls. For higher-level controls, more judgement is required. It is the level of judgement required in dealing with deviations that gives rise to many of the problems in controls testing, particularly in some smaller, less complex audits.

For example, in not-for-profit organisations, a control over donations received by mail often involves the mail being opened by two persons. There is no real “fully substantive” alternative to testing this type of control if this is the principal control that serves to ensure the completeness of income and the absence of fraud. If it is not effective, it can be difficult to obtain any other evidence to support the assertion. Testing the operational effectiveness of such controls is sometimes essential. Auditor observation of this procedure and a review of documentation evidencing the presence of two persons are two common tests of control. The opening of the mail by one person might constitute a deviation. How many times does this have to happen before the control ceases to be effective? Anything happening on a systematic basis is likely to be a cause for concern.

The tolerable level of deviation within automated systems is likely to be zero in many cases, but the tolerable level of deviation in the application of controls that require more human intervention is not, and requires more judgement.

When should auditors revise the control risk assessment?

When extrapolation of deviations from the application of a control procedure across the population exceeds the tolerable level, and/or further testing fails to provide evidence that supports an alternative conclusion that can be reconciled to the original evidence, auditors must conclude that the control is not operating effectively. This affects the control risk assessment, other tests of controls in the same area (there may be compensating controls), and subsequent substantive procedures.

Having to revise the control risk assessment upwards, particularly if it happens after the first year, causes problems because there is rarely, if ever, any contingency in the budget for the additional work required.
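The deviation-rate questions raised above (what counts as a deviation, how the sample result is extrapolated to the population, whether the tolerable level is exceeded, and the zero-tolerance position for automated controls) can be made concrete with a small worked example. The following Python is an added illustration, not part of the ICAEW guide or any firm's methodology. It assumes a constructed mail-opening log for the two-person control described earlier, a tolerable deviation rate and confidence level chosen at planning (both assumptions), and a standard attribute-sampling approach in which the sample deviation rate is extrapolated to an upper deviation limit using the exact binomial (Clopper-Pearson) bound before being compared with the tolerable rate.

```python
"""Attribute-sampling evaluation of a test of controls (added example)."""
from dataclasses import dataclass
from math import comb

# Constructed mail-opening log for a two-person control over donations received
# by post: (day label, number of staff recorded as present when the post was
# opened). Sixty occasions are sampled; on two of them only one person signed.
MAIL_OPENING_LOG = [
    ("day-%02d" % day, 1 if day in (14, 37) else 2) for day in range(1, 61)
]


def count_deviations(log, required_persons=2):
    """A deviation is any occasion on which the control was not applied as designed."""
    return sum(1 for _, persons in log if persons < required_persons)


def binomial_upper_limit(sample_size, deviations, confidence=0.95):
    """Upper deviation limit: the largest population deviation rate that is
    still consistent with the sample at the given confidence (exact binomial
    bound). This is the extrapolation from sample to population."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection on the rate; cdf falls as the rate rises
        mid = (lo + hi) / 2
        cdf = sum(
            comb(sample_size, i) * mid ** i * (1 - mid) ** (sample_size - i)
            for i in range(deviations + 1)
        )
        if cdf > alpha:
            lo = mid  # sample still plausible at this rate; limit is higher
        else:
            hi = mid
    return hi


@dataclass
class ControlTest:
    control: str
    sample_size: int
    deviations: int
    tolerable_rate: float   # tolerable deviation rate set at planning (assumption)
    automated: bool = False  # automated controls are treated as zero-tolerance


def evaluate(test, confidence=0.95):
    """Decide whether the control can be treated as operating effectively and
    therefore whether the control risk assessment may stay reduced."""
    sample_rate = test.deviations / test.sample_size
    upper = binomial_upper_limit(test.sample_size, test.deviations, confidence)
    if test.automated:
        effective = test.deviations == 0
        reason = "automated control: any deviation means the control has failed"
    else:
        effective = upper <= test.tolerable_rate
        reason = (f"upper deviation limit {upper:.3f} "
                  f"{'<=' if effective else '>'} tolerable {test.tolerable_rate:.3f}")
    return {
        "control": test.control,
        "sample_deviation_rate": sample_rate,
        "upper_deviation_limit": upper,
        "operating_effectively": effective,
        # Reliance on the control, and any reduction in substantive work,
        # is only permitted when the test supports operating effectiveness.
        "control_risk": "reduced" if effective else "revise upwards; no reduction in substantive procedures",
        "reason": reason,
    }


if __name__ == "__main__":
    mail = ControlTest("two-person mail opening", len(MAIL_OPENING_LOG),
                       count_deviations(MAIL_OPENING_LOG), tolerable_rate=0.10)
    print(evaluate(mail))
    batch = ControlTest("automated batch total check", 25, 1,
                        tolerable_rate=0.0, automated=True)
    print(evaluate(batch))
```

The mail-opening case shows why a low sample deviation rate is not the end of the analysis: two deviations in sixty is 3.3%, but extrapolated to the population at 95% confidence the upper deviation limit is roughly 10.1%, which just exceeds a 10% tolerable rate, so the control cannot be relied on and control risk must be revised upwards. The automated control illustrates the zero-tolerance position: a single deviation fails the test regardless of any statistical bound.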

Are there other considerations for smaller entity audits?

Some auditors struggle with the difference between tests that check that the auditors’ record of the design and implementation of controls is accurate, tests of the operational effectiveness of controls, and related substantive procedures. This is partly because audit firm terminology sometimes uses terms such as “walk-through tests” to describe any or all of these procedures, and partly because a single test can perform multiple functions. It is important to understand the nature of any particular test, however described, and especially its limitations. The tendency to overstate, rather than understate, the conclusions that can be drawn from a single test is almost universal.

The results of substantive analytical procedures are important in providing audit evidence to address the assessed risks and in determining sample sizes. However, it is important to distinguish substantive analytical procedures from analytical procedures performed for planning or review purposes, the performance of which is often erroneously taken to permit a reduction in sample sizes.

A lack of segregation of duties and the potential for management override are particularly important considerations for auditors of smaller, less complex entities, particularly those that are owner-managed. While the owner-manager’s ability to closely supervise and oversee the business is potentially a strong control, in some situations this dominance can lead to the override of controls and the manipulation of financial data and business assets for personal objectives. Personal tax matters are usually important to owner-managers and provide the motive for bias in or manipulation of the financial statements.

Auditors need to assess risks relating to the completeness of recorded assets and income in such cases. Auditors need to understand the dynamics in place and the motivation of management to fully appreciate the nature and extent of potential risks of material misstatement. If auditors do not properly understand the design and implementation of the entity’s internal controls, how can they properly understand the business? If they do not properly understand the business, how can they design and perform the necessary further audit procedures?
