Page 58 - Internal Auditing Standards
P. 58
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Key Elements Description
to Address
Management’s Management’s approach to taking and managing business risks, and management’s
Philosophy and attitudes and actions toward financial reporting, information processing, accounting
Operating Style
functions, and personnel.
Organizational The framework within which an entity’s activities for achieving its objectives are
Structure planned, executed, controlled, and reviewed.
Assignment of How authority and responsibility for operating activities are assigned, and how
Authority and reporting relationships and authorization hierarchies are established.
Responsibility
Human Resources Recruitment, orientation, training, evaluating, counselling, promoting, compensating,
Policies and and remedial actions.
Practices
The controls outlined above are pervasive to the entire entity and are often more subjective to evaluate than
the traditional control activities (such as segregation of duties). Therefore, the auditor will exercise professional
judgment in this evaluation.
Control-environment strengths can compensate or even replace weak transactional controls in some
situations. However, control-environment weaknesses can undermine and even negate good design in other
components of internal control. For example, if a culture of honesty and ethical behavior did not exist, the
auditor would have to consider carefully what types of (additional) audit procedures would be eff ective in
finding material misstatements in the financial statements. In some cases, the auditor may conclude that
internal control has broken down to such an extent that the only option is to withdraw from the engagement.
The Control Environment in Smaller Entities
The control environment within small entities will differ from larger entities, but is just as important. This
is particularly true when the entity does not have the staff or resources to implement traditional control
activities such as segregation of duties.
In smaller entities, the active involvement of a competent owner-manager (a control-environment strength)
may well reduce the need for other control activities such as segregation of duties. Consequently, control
environment strengths can serve to indirectly prevent or detect and correct certain types of misstatement.
For example, when the owner-manager reviews and approves individual transactions before they are
completed, it may serve to prevent or detect and correct certain specific errors or fraud. However, this control
environment strength would not mitigate other risks such as management override of controls.
In smaller entities, there will typically be less documentation available to support control environment
controls. Consequently, the attitudes, awareness, and actions of management (such as owner-managers) will
often form the basis for evaluating control design and implementation. For example, larger entities are likely
to provide staff with a code of conduct that outlines acceptable behaviors and consequences for violating
codes or rules. Smaller entities may communicate similar values and acceptable behaviors through oral
communications and by management example.
Where there is no supporting documentation for a particular control, the auditor would prepare a
memorandum for the file. For example, in addressing whether there is communication and enforcement of
integrity and ethical values, the auditor could:
56
