Page 59 - Internal Auditing Standards
P. 59

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        •     Identify the entity’s values, acceptable behaviors, and enforcement actions through discussions with
              management. The auditor would then assess whether they are sufficient to address the control design.


        •     Ask one or two employees what they believe are the entity’s values, acceptable behaviors, and
              enforcement actions. These interviews would address whether management’s values and acceptable
              behaviors have been communicated and enforced. This would address control implementation.


           CONSIDER POINT

           Small entities are often reluctant to document internal controls which operate informally. However,

           there can often be benefits to management in taking the time to document some of the more im-
           portant policies and procedures. Such policies and procedures could be provided to staff joining the

           entity, and audit time may be saved versus having to make inquiries each period. In the example cited
           above, even the smallest entity could prepare a simple statement of values and acceptable behaviors
           that could be provided to employees and then referred to when an issue arises.



        In smaller entities, some of the key areas to address in assessing the control environment are outlined in the
        exhibit below.

        Exhibit 5.3-3


          Control Element      The Key Question      Possible  Controls
          Communication        What management  •         Management  continually demonstrates, through words
          and Enforcement      actions serve              and actions, a commitment to high ethical standards.
          of Integrity and     to eliminate or       •    Management removes or reduces incentives or
          Ethical Values       mitigate incentives        temptations that might cause personnel to engage in
                               or temptations             dishonest or unethical acts.
                               that might            •    A code of conduct or equivalent exists that sets out
                               prompt personnel
                                                          expected standards of ethical and moral behavior.
                               to engage in          •    Employees clearly understand what behavior is
                               dishonest, illegal,
                                                          acceptable and unacceptable, and know what to do when
                               or unethical acts?
                                                          they encounter improper behavior.
                                                     •    Enforcement actions are taken when required.
          Commitment to        Do personnel have     •    Management takes the necessary steps to ensure that
          Competence           the knowledge and          personnel have the requisite knowledge and skills
                               skills necessary to        required for their jobs.
                               accomplish their      •    Job descriptions exist and are eff ectively used.
                               tasks?                •    Management provides personnel with access to training
                                                          programs on relevant topics.
                                                     •    Initial and ongoing matching of staff skills to their job

                                                          descriptions.










                                                                                                                   57
   54   55   56   57   58   59   60   61   62   63   64