Source: SAS No. 55; SAS No. 78; SAS No. 94.

fn * Effective for audits of financial statements for periods beginning on or after January 1, 1990, unless otherwise indicated.

Introduction

.01

This section provides guidance on the independent auditor’s consideration of an entity’s internal control in an audit of financial statements in accordance with generally accepted auditing standards. It defines internal control, fn1 describes the objectives and components of internal control, and explains how an auditor should consider internal control in planning and performing an audit. In particular, this section provides guidance about implementing the second standard of field work: “A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.”

.02



In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology (IT) fn2 and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the relevant assertions embodied in the account balance, transaction class, and disclosure components of the financial statements. Regardless of the assessed level of control risk, the auditor must perform substantive procedures for all relevant assertions related to all significant accounts and disclosures in the financial statements.



Note: Refer to paragraph A9 of Appendix A, Definitions, of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for the definition of a relevant assertion and paragraphs 28-33 of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for discussion of identifying relevant assertions.

.03

The auditor may determine that assessing control risk below the maximum level fn3 for certain assertions would be effective and more efficient than performing only substantive tests. In addition, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the design and operation of controls to reduce the assessed level of control risk. Such evidential matter may be obtained from tests of controls planned and performed concurrent with or subsequent to obtaining the understanding. fn4 Such evidential matter also may be obtained from procedures that were not specifically planned as tests of controls but that nevertheless provide evidential matter about the effectiveness of the design and operation of the controls. For certain assertions, the auditor may desire to further reduce the assessed level of control risk. In such cases, the auditor considers whether evidential matter sufficient to support a further reduction is likely to be available and whether performing additional tests of controls to obtain such evidential matter would be efficient.

.04

Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation, recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the desired assurance only from substantive tests would significantly diminish.

.05

The auditor uses the understanding of internal control and the assessed level of control risk in determining the nature, timing, and extent of substantive tests for financial statement assertions.

Definition of Internal Control

.06

Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.

.07

Internal control consists of five interrelated components:

- Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control activities are the policies and procedures that help ensure that management directives are carried out.
- Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring is a process that assesses the quality of internal control performance over time.

Relationship Between Objectives and Components

.08

There is a direct relationship between objectives, which are what an entity strives to achieve, and components, which represent what is needed to achieve the objectives. In addition, internal control is relevant to the entire entity, or to any of its operating units or business functions. This relationship is depicted as follows:

[Figure not reproduced]

.09

Although an entity’s internal control addresses objectives in each of the categories referred to in paragraph .06, not all of these objectives and related controls are relevant to an audit of the entity’s financial statements. Also, although internal control is relevant to the entire entity or to any of its operating units or business functions, an understanding of internal control relevant to each of the entity’s operating units and business functions may not be necessary to plan and perform an effective audit.



Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraphs B10 - B16 of Appendix B, Special Topics, of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for discussion of considerations when a company has multiple locations or business units.

Financial Reporting Objective

.10

Generally, controls that are relevant to an audit pertain to the entity’s objective of preparing financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles or a comprehensive basis of accounting other than generally accepted accounting principles. fn5

Operations and Compliance Objectives

.11

The controls relating to operations and compliance fn6 objectives may be relevant to an audit if they pertain to data the auditor evaluates or uses in applying auditing procedures. For example, controls pertaining to nonfinancial data that the auditor uses in analytical procedures, such as production statistics, or pertaining to detecting noncompliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.

.12

An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not be considered. For example, controls concerning compliance with health and safety regulations or concerning the effectiveness and efficiency of certain management decision-making processes (such as the appropriate price to charge for its products or whether to make expenditures for certain research and development or advertising activities), although important to the entity, ordinarily do not relate to a financial statement audit. Similarly, an entity may rely on a sophisticated system of automated controls to provide efficient and effective operations (such as a commercial airline’s system of automated controls to maintain flight schedules), but these controls ordinarily would not be relevant to the financial statement audit and therefore need not be considered.

Safeguarding of Assets

.13

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives. This relationship is depicted as follows:

[Figure not reproduced]

In obtaining an understanding of each of the components of internal control to plan the audit, the auditor’s consideration of safeguarding controls is generally limited to those relevant to the reliability of financial reporting. For example, use of a lockbox system for collecting cash or access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, controls to prevent the excess use of materials in production generally are not relevant to a financial statement audit.

Application of Components to a Financial Statement Audit

.14

The division of internal control into five components provides a useful framework for auditors to consider the impact of an entity’s internal control in an audit. However, it does not necessarily reflect how an entity considers and implements internal control. Also, the auditor’s primary consideration is whether a specific control affects financial statement assertions rather than its classification into any particular component. Controls relevant to the audit are those that individually or in combination with others are likely to prevent or detect material misstatements in financial statement assertions. Such controls may exist in any of the five components.

.15

The five components of internal control are applicable to the audit of every entity. The components should be considered in the context of—

- The entity’s size.
- The entity’s organization and ownership characteristics.
- The nature of the entity’s business.
- The diversity and complexity of the entity’s operations.
- Applicable legal and regulatory requirements.

Effect of Information Technology on Internal Control

.16

An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. For example, an entity may use IT as part of discrete systems that support only particular business units, functions, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity’s financial reporting, operations, and compliance objectives.

.17

The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. fn8 In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.

.18

IT provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to—

- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate the additional analysis of information.
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

.19

IT also poses specific risks to an entity’s internal control, including—

- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data.

.20

The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity’s information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity’s use of IT in its information system affect the entity’s internal control.

Limitations of an Entity’s Internal Control

.21

Internal control, no matter how well designed and operated, can provide only reasonable assurance of achieving an entity’s control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes. For example, errors may occur in designing, maintaining, or monitoring automated controls. If an entity’s IT personnel do not completely understand how an order entry system processes sales transactions, they may erroneously design changes to the system to process sales for a new line of products. On the other hand, such changes may be correctly designed but misunderstood by individuals who translate the design into program code. Errors also may occur in the use of information produced by IT. For example, automated controls may be designed to report transactions over a specified dollar limit for management review, but individuals responsible for conducting the review may not understand the purpose of such reports and, accordingly, may fail to review them or investigate unusual items.

.22

Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contract in ways that would preclude revenue recognition. Also, edit routines in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.

.23

Internal control is influenced by the quantitative and qualitative estimates and judgments made by management in evaluating the cost-benefit relationship of an entity’s internal control. The cost of an entity’s internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.

.24

Custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents. An effective control environment, too, may help reduce the risk of fraud. For example, an effective board of directors, audit committee, and internal audit function may constrain improper conduct by management. Alternatively, the control environment may reduce the effectiveness of other components. For example, when the nature of management incentives increases the risk of material misstatement of financial statements, the effectiveness of control activities may be reduced.

Obtaining an Understanding of Internal Control

.25

In all audits, the auditor should obtain an understanding of each of the five components of internal control sufficient to plan the audit. A sufficient understanding is obtained by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In planning the audit, such knowledge should be used to—

- Identify types of potential misstatement.
- Consider factors that affect the risk of material misstatement.
- Design tests of controls, when applicable. Paragraphs .65 through .69 of this section discuss factors the auditor considers in determining whether to perform tests of controls.
- Design substantive tests.

.26

The nature, timing, and extent of procedures the auditor chooses to perform to obtain the understanding will vary depending on the size and complexity of the entity, previous experience with the entity, the nature of the specific controls used by the entity including the entity’s use of IT, the nature and extent of changes in systems and operations, and the nature of the entity’s documentation of specific controls. For example, the understanding of risk assessment needed to plan an audit for an entity operating in a relatively stable environment may be limited. Also, the understanding of monitoring needed to plan an audit for a small, noncomplex entity may be limited. Similarly, the auditor may need only a limited understanding of control activities to plan an audit for a noncomplex entity that has significant owner-manager approval and review of transactions and accounting records. On the other hand, the auditor may need a greater understanding of control activities to plan an audit for an entity that has a large volume of revenue transactions and that relies on IT to measure and bill for services based on a complex, frequently changing rate structure.

.27

Whether a control has been placed in operation at a point in time is different from its operating effectiveness over a period of time. In obtaining knowledge about whether controls have been placed in operation, the auditor determines that the entity is using them. Operating effectiveness, on the other hand, is concerned with how the control (whether manual or automated) was applied, the consistency with which it was applied, and by whom it was applied. The auditor determines whether controls have been placed in operation as part of the understanding of internal control necessary to plan the audit. The auditor evaluates the operating effectiveness of controls as part of assessing control risk, as discussed in paragraphs .62 through .83 of this section. Although understanding internal control and assessing control risk are discussed separately in this section, they may be performed concurrently in an audit. Furthermore, some of the procedures performed to obtain the understanding may provide evidential matter about the operating effectiveness of controls relevant to certain assertions.

.28

The auditor’s understanding of internal control may sometimes raise doubts about the auditability of an entity’s financial statements. Concerns about the integrity of the entity’s management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted. Concerns about the nature and extent of an entity’s records may cause the auditor to conclude that it is unlikely that sufficient competent evidential matter will be available to support an opinion on the financial statements.

Understanding of Internal Control Necessary to Plan the Audit

.29

In making a judgment about the understanding of internal control necessary to plan the audit, the auditor considers the knowledge obtained from other sources about the types of misstatement that could occur, the risk that such misstatements may occur, and the factors that influence the design of tests of controls, when applicable, and substantive tests. Other sources of such knowledge include information from previous audits and the auditor’s understanding of the industry and market in which the entity operates. The auditor also considers his or her assessment of inherent risk, judgments about materiality, and the complexity and sophistication of the entity’s operations and systems, including the extent to which the entity relies on manual controls or on automated controls.

.30

In making a judgment about the understanding of internal control necessary to plan the audit, the auditor also considers IT risks that could result in misstatements. For example, if an entity uses IT to perform complex calculations, the entity receives the benefit of having the calculations consistently performed. However, the use of IT also presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing the calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately. As an entity’s operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his or her understanding of the internal control components to obtain the understanding necessary to design tests of controls, when applicable, and substantive tests.

.31

The auditor should consider whether specialized skills are needed for the auditor to determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests of IT controls or substantive tests. A professional possessing IT skills may be either on the auditor’s staff or an outside professional. In determining whether such a professional is needed on the audit team, the auditor considers factors such as the following:

- The complexity of the entity’s systems and IT controls and the manner in which they are used in conducting the entity’s business
- The significance of changes made to existing systems, or the implementation of new systems
- The extent to which data is shared among systems
- The extent of the entity’s participation in electronic commerce
- The entity’s use of emerging technologies
- The significance of audit evidence that is available only in electronic form

.32

Procedures that the auditor may assign to a professional possessing IT skills include inquiring of an entity’s IT personnel how data and transactions are initiated, recorded, processed, and reported and how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. If the use of a professional possessing IT skills is planned, the auditor must have sufficient IT-related knowledge to communicate the audit objectives to the professional, to evaluate whether the specified procedures will meet the auditor’s objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other planned audit procedures. fn9