Page 54 - Internal Auditing Standards
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Paragraph # Relevant Extracts from ISAs
315.4(c) Internal control—The process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about
the achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components of
internal control.
315.12 The auditor shall obtain an understanding of internal control relevant to the audit. Although
most controls relevant to the audit are likely to relate to financial reporting, not all controls that
relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional
judgment whether a control, individually or in combination with others, is relevant to the
audit. (Ref: Para. A42-A65)
315.13 When obtaining an understanding of controls that are relevant to the audit, the auditor shall
evaluate the design of those controls and determine whether they have been implemented, by
performing procedures in addition to inquiry of the entity’s personnel. (Ref: Para. A66-A68)
5.1 Overview
Internal control is designed, implemented, and maintained by those charged with governance,
management, and other personnel to address identified business and fraud risks that threaten the achievement
of stated objectives, such as the reliability of financial reporting.
Note: A control is always designed to respond to (mitigate) a possible risk. A control that does not address a
risk is obviously redundant.
The first step in evaluating control design is to identify the risks that require mitigation by control. The second
step is then to identify what controls are in place to address those risks.
5.2 Internal Control Objectives
Internal control is management’s response intended to mitigate an identified risk factor or achieve a control
objective. There is a direct relationship between an entity’s objectives and the internal control it implements
to ensure their achievement. Once objectives are set, it is possible to identify and assess potential events
(risks) that would prevent the achievement of the objectives. Based on this information, management can
develop appropriate responses, which will include the design of internal control.
Internal control objectives can be broadly grouped into four categories:
• Strategic, high-level goals that support the mission of the entity;
• Financial reporting (internal control over financial reporting);
• Operations (operational controls); and
• Compliance with laws and regulations.
Internal control relevant to an audit primarily pertains to financial reporting. This addresses the entity’s
objective of preparing financial statements for external purposes.
Operational controls, such as production and staff scheduling, quality control, and employee compliance with
health and safety requirements, would not normally be relevant to the audit, except where: