
Understanding internal control in a smaller ISA (UK) audit


Published: 24 Oct 2017. Reviewed: 30 Jan 2019.

Understanding and documenting internal control has always been a challenging area in smaller entity audits. This guide helps auditors to understand the requirements in this area and addresses common questions from auditors such as how to evaluate the control environment and deal with the entity’s information system.
Key ISAs*
ISA (UK) 315 (Revised June 2016) Identifying and assessing risks of material misstatement through understanding the entity and its environment
ISA (UK) 230 (Revised June 2016) Audit documentation
* The guidance below focuses on key issues in implementing ISAs (UK). It does not address all ISA (UK) requirements.
* All references to "ISAs" in this guide refer to "ISAs (UK)" and are abbreviated for ease of reference only.

Why is it important?

In the audit of a smaller entity, the auditor may decide that most of the audit evidence will be obtained from substantive tests of detail. Notwithstanding this, as part of the process of assessing the risks of material misstatement, ISA 315 (Revised) requires the auditor to obtain and document an understanding of the components of the entity’s internal control relevant to the audit [ISA 315 (Revised).12 and ISA 315 (Revised).32].

Even though the auditor is not expecting to gain any assurance from testing the effectiveness of internal control and regardless of size or complexity of an entity, obtaining an understanding of the entity’s internal control is a critical step in identifying potential misstatements and other factors that affect the risk of material misstatement.

For example, as noted below, segregation of duties and the opportunity for management override are particularly important considerations for the auditor of owner-managed businesses. Although the ability to closely supervise and oversee the business is potentially a strong control for the owner-manager, this dominant position can be abused. Without an understanding of the dynamics of any particular client, the auditor might not fully appreciate where the potential risks of material misstatement lie or the most effective testing strategy.

Requirements and challenges

How do auditors decide which components of internal control are relevant?

The auditor uses professional judgement to determine which of the entity’s controls are relevant to the audit. Internal control in a smaller entity is likely to be much less formal than in a larger entity. However, it may still be sufficient to provide the auditor with assurance on the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The time incurred by the auditor in assessing these systems should be commensurate with the size and complexity of the systems. For a large complex entity, understanding the entity’s internal control is likely to be a significant exercise. For a smaller entity, it may be relatively straightforward.

ISA 315 (Revised) requires the auditor to obtain an understanding of the control environment, the entity’s risk assessment process, the information system, control activities relevant to the audit and monitoring of controls.

How do auditors evaluate the control environment?

As part of obtaining an understanding of the control environment, the auditor is required to evaluate whether:

  • management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and
  • the strengths of the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment [ISA 315 (Revised).14].

The control environment is all about the “tone at the top”. In a smaller entity, management and those charged with governance are likely to be the same body or person. In entities where there is a single owner, governance will be provided by the owner-manager. In a smaller entity, there are unlikely to be formalised policies such as a written code of conduct. Still, a culture of ethical behaviour can be established through oral communication and management example.

The auditor may obtain an understanding of the control environment in a smaller entity by enquiry of management or the owner-manager, by considering the attitudes and motives of management in the light of prior year experience, and by observing management’s actions during the audit.

How do auditors deal with the entity’s risk assessment process?

The auditor is required to obtain an understanding of the entity’s risk assessment process to:

  • identify business risks relevant to financial reporting;
  • estimate the significance of those risks;
  • assess the likelihood of the risks resulting in material misstatements; and
  • decide on actions to address those risks.

In a smaller entity, it is unlikely that such a process will be in place. However, ISA 315 (Revised) states that if the entity has not established such a process or has an ad hoc process, the auditor is required to discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed [ISA 315 (Revised).17]. Following discussions with management, the auditor considers whether the risk assessment process, or lack of one, is appropriate given the size and complexity of the entity.

How do auditors deal with the information system?

The auditor is also required to obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:

  • the classes of transactions in the entity’s operations that are significant to financial statements;
  • the procedures, within both information technology and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
  • the related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger;
  • how the information system captures events and conditions, other than transactions, that are significant to the financial statements;
  • the financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and
  • controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments [ISA 315 (Revised).18].

Again, the related business processes relevant to financial reporting in a smaller entity are likely to be much simpler than in larger entities, but equally important. The auditor’s approach to gaining this understanding is also likely to be different for smaller entities: it is more likely to be gained through enquiry of management and other relevant personnel than through a review of formal documentation and pre-prepared systems notes.

ISA 315 (Revised) also requires the auditor to obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting. This includes communications between management and those charged with governance, and external communications, such as those with regulatory authorities [ISA 315 (Revised).19].

In practice, for a smaller entity, management and those charged with governance are likely to be the same body or person. Communication is likely to be informal and more easily achieved due to fewer levels of responsibility and management’s greater direct involvement with the entity. An understanding of the communication processes can often be obtained easily through discussion with management.

Which control activities are relevant to the audit?

The auditor is required to obtain an understanding of control activities relevant to the audit. In other words, those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks [ISA 315 (Revised).20].

Control activities are policies and procedures relating to authorisation, performance reviews, information processing, physical controls, and segregation of duties. The concepts are likely to be similar for a smaller entity but, due to management’s greater direct involvement, control activities are likely to be less formal. Control activities in a smaller entity are likely to be limited to the main transaction cycles such as revenues, purchases and payroll expenses.

An understanding of the control activities in place can be obtained through discussion with management and other relevant personnel.

Why are monitoring controls important?

The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and how the entity initiates remedial actions to deal with deficiencies in its control [ISA 315 (Revised).22].

In a smaller entity, management’s monitoring of controls may be achieved by management’s own close involvement with the entity. Management’s involvement will often result in identification of variances from expectations and inaccuracies in financial data requiring remedial action. An understanding of management’s monitoring activities may be obtained by enquiry of management, inspection of items (such as completed bank reconciliations) and perhaps evidence of adjustments made in previous years.

How does the dominant position of management in a smaller entity affect the audit?

Management’s direct involvement with the entity does form a large part of a smaller entity’s internal control. However, the position may be abused and result in management override of controls or manipulation of financial data for personal gain. For example, personal tax matters may be important to an owner-manager and therefore provide motivation for bias in the financial statements. This is an important area for the auditor to consider in deciding whether management’s dominant position increases audit risk and has any effect on the audit strategy.

How do auditors document components of internal control?

The objective of ISA 230 states that the auditor is to prepare documentation that provides a sufficient and appropriate record of the basis for the auditor’s report and evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements.

The auditor is required to document key elements of each of the components of internal control and information from which the auditor’s understanding was obtained. Key elements of understanding documented by the auditor include those on which the auditor based the assessment of the risk of material misstatement.

The auditor applies professional judgement in determining the extent and formality of documentation. This decision is affected by the:

  • nature, size and complexity of the entity and its internal control;
  • availability of information from the entity; and
  • size, experience and ability of the audit engagement team.

The appropriate depth of documentation is therefore very much a decision for the auditor to take based on facts and circumstances.

More guidance on ISAs (UK)

Read our collection of guides on how to implement International Standards on Auditing (UK) (ISAs (UK)).

Copyright notice

Extracts from ISAs (UK) are adapted and reproduced with the kind permission of the Financial Reporting Council. All rights reserved. For further information please visit www.frc.org.uk or call +44 (0)20 7492 2300.
