Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Pervasive controls form the basis from which specific transactional controls are built. They set the “tone at
the top” and establish expectations for the organization’s control environment in general. Poorly designed
pervasive controls may actually encourage all types of error and fraud to take place. For example, an entity
may have a highly controlled and effective sales process. However, if senior management has a poor attitude
toward control and has sometimes overridden these controls, a material error could still occur in the financial
statements. Management override and poor “tone at the top” are common themes in corporate wrongdoing.
Pervasive controls also include the monitoring controls that assess whether the actual tone at the top is what
was intended, and how well control expectations are being fulfilled.
The pervasive controls (sometimes called entity level controls) could include:
• Controls related to the control environment;
• Controls over management override;
• The entity’s risk assessment process;
• Controls to monitor results of operations and other controls;
• Controls over the period-end financial reporting process; and
• Policies that address significant business control and risk management practices.
Smaller Entities
In smaller entities, the lack of specific business process controls (due to limited staff and resources) is often
offset by a high degree of involvement by management (such as the owner-manager) in performing controls.
In fact, some pervasive controls in smaller entities can often operate at a level of precision that actually serves
to prevent or detect specific misstatements. However, the increased involvement of senior management also
increases the risk of management override. This could be addressed through further audit procedures or the
design of suitable anti-fraud controls. (See Volume 1, Chapter 5.12 below.)
Pervasive Control Deficiencies
Although weaknesses in pervasive controls do not generally result in an immediate deficiency or errors in
the financial statements, they still have a significant influence on the likelihood of misstatements resulting at
the business process control level. The absence of good pervasive controls may seriously undermine other
business process controls; consequently, significant deficiencies in these controls would be reported to
management and those charged with governance.
5.12 Anti-Fraud Controls
In the last few years, a new type of internal control has begun to emerge, sometimes called anti-fraud
controls. Since the vast majority of sizable frauds tend to involve senior management, the establishment of
strong anti-fraud programs and controls is considered a healthy part of the control environment in larger
entities. Anti-fraud controls can be likened to speed bumps on a road that are designed to slow down traffic
but not stop it altogether. Anti-fraud controls are designed to deter bad behavior before it happens, but can
never stop it entirely.
Anti-fraud controls are particularly relevant for larger entities, but can also be designed to discourage fraud
in smaller entities. They may not prevent frauds from occurring, but they do provide a powerful disincentive.
They cause the perpetrators to think carefully about the repercussions of their actions.