Page 72 - Internal Auditing Standards
P. 72

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        5.8    Monitoring



            Paragraph #           Relevant Extracts from ISAs

            315.22                The auditor shall obtain an understanding of the major activities that the entity uses to

                                  monitor internal control over financial reporting, including those related to those control
                                  activities relevant to the audit, and how the entity initiates remedial actions to defi ciencies in
                                  its controls. (Ref: Para. A98-A100)
            315.24                The auditor shall obtain an understanding of the sources of the information used in the entity’s
                                  monitoring activities, and the basis upon which management considers the information to be

                                  sufficiently reliable for the purpose. (Ref: Para. A104)








                                                       Monitoring






        Monitoring assesses the effectiveness of the internal control’s performance over time. The objective is to
        ensure that the controls are working properly and, if not, to take necessary corrective actions.

        Monitoring provides feedback to management on whether the internal control system they have designed to
        mitigate risks is:
        •     Effective in addressing the stated control objectives;

        •     Properly implemented and understood by employees;
        •     Being used and complied with on a day-to-day basis; and



        •     In need of modification or improvement to reflect changes in conditions.
        Management accomplishes the monitoring of controls through ongoing activities, separate evaluations, or a
        combination of these two.

        Ongoing monitoring activities in smaller entities are informal, and are usually built into the normal recurring
        activities of an entity. This includes regular management and supervisory activities and the review of
        exception reports that may be produced by the information system. Where management is closely involved in

        operations, they will often identify significant variances from expectations and inaccuracies in fi nancial data,
        and take corrective action to modify or improve the control.
        Periodic monitoring (separate evaluations of specific areas within the entity, such as those performed by

        an internal audit function in a much larger company) is not common in smaller entities. However, periodic

        evaluations of critical processes could be conducted by qualified employees not directly involved in those
        processes, or by hiring an external and suitably qualifi ed person.

        Management’s monitoring activities may also include the use of information received from external parties
        that indicates problems or highlights areas in need of improvement. Examples of this could include:

        •     Complaints from customers;

        •     Comments from governing bodies such as franchisors, financial institutions, and regulators; and

     70
   67   68   69   70   71   72   73   74   75   76   77