[toc-this]
Definitions

Internal control

Internal control is an integral process (i.e. a series of actions that permeate an entity's activities) that is effected by an entity’s management and personnel and is designed to address risks and to provide reasonable assurance that, in pursuit of the entity’s mission, the following general objectives are being achieved:
Internal control components

Internal control systems, including IT systems, can be divided into five interrelated components:

- Control environment: To provide for the fundamental organisational structure, discipline and values of the entity. This creates an appropriate framework to ensure good governance of the resources entrusted.
- Risk assessment: To identify and analyse internal and external risks to the achievement of the entity's objectives. In the Commission, all activities must have objectives that are intended to be specific, measurable, achievable, relevant and timely (SMART), as well as risk analysis and risk management of the main activities.
- Control activities: To define the policies and specific procedures implemented by the entity to ensure that the identified risks are appropriately managed. They include a range of activities as diverse as authorisations, verifications, reviews of operating performance, information processing, physical controls and segregation of duties. Control activities include controls over related party relationships and transactions.
- Information & communication: To ensure an appropriate framework for achieving the financial reporting and compliance objectives; it includes the accounting system, procedures and records to initiate, record, process and report transactions and to maintain accountability for the related assets, liabilities and equity.
- Monitoring: To ensure ongoing assessment of performance. This includes internal audit and evaluation, as well as the annual review of internal control.

Principles

The auditor should obtain an understanding of the internal control components (/aware/Documents/Internal-control-components-list.docx).

Instructions

Understanding the entity's internal control

The auditor's objectives in understanding and making a preliminary evaluation of internal control should be defined at the outset. These objectives may include:

- to help design the nature, timing and extent of audit procedures: The auditor may be able to limit the amount of substantive testing if key controls are found to be properly designed and operating continuously and effectively throughout the period under review. Under this system-based approach, the auditor aims to obtain some of the required confidence from the entity's internal control and can thus reduce the degree of confidence to be obtained from substantive testing.
- to gain an understanding of the extent to which improvements in internal control systems are being made year-on-year: In this way, feedback can be provided to auditee management and the discharge authority, e.g. conclusions on the effectiveness of internal control which helps to fulfil ECA's mission of contributing to improving the financial management of EU funds.
- to reach conclusions about the effectiveness of an internal control system: where this is the specific objective of the audit, e.g. for certain selected audit tasks or for additional reporting on the effectiveness of internal control in the context of the statement of assurance.

Only those controls that are relevant to the audit objective should be considered.
It is a matter for the auditor's professional judgement as to whether a control, individually or in combination with others, is relevant. Furthermore, the auditor should consider which controls are to be considered as key. The number of key controls to be selected for testing is the absolute minimum to ensure that all relevant risks are covered. Relevant factors may include such matters as:
During the planning phase (irrespective of the auditor's objective in identifying and evaluating internal controls) the auditor:
In order to understand and confirm the operation of a control, the auditor carries out "walk-through tests" of a small number of transactions (no more than three). Obtaining an understanding of an entity's controls should not be considered to be a test of their operating effectiveness; such testing is carried out in the examination phase.

Top-down approach

To ensure an economic, efficient and effective audit, the audit approach should seek to place reliance on controls at the highest level where the control is judged to be effective for audit purposes ("top-down approach"). In the EU context, controls exist at a number of different levels (depending on the management mode).
Manual or automated controls

The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported. To understand internal control, the auditor should consider whether the entity has responded adequately to the risks arising from the use of IT (inaccurate processing, unauthorised access and changes, potential loss of data) or manual systems (controls may be bypassed or overridden, simple errors and mistakes may occur) by establishing effective controls.

Inherent limitations of internal controls

When evaluating and testing controls, the auditor should carefully consider the inherent limitations of internal controls, as well as the cost-effectiveness of testing controls. Internal controls can only provide reasonable assurance that control objectives are achieved. Furthermore, audit evidence cannot be obtained solely from internal controls as the following inherent limitations can affect their effectiveness:
Procedures per type of audit

Compliance audit

When designing steps and procedures to test or assess compliance, auditors should evaluate the entity's internal controls and assess the risk that the control system might not prevent or detect non-compliance. The aim of identifying and evaluating internal control systems is to contribute to a reasonable assurance regarding compliance with applicable laws and regulations. The auditor should focus on key controls that are relevant to the objective of compliance with applicable laws and regulations. This includes those that govern the entity’s power to make payments or receive money, or set out the value of such payments or receipts. It is not concerned with administrative rules or regulations that are not directly linked to financial transactions. The auditor's consideration will involve an assessment of the general control environment at entity level and control procedures relating to individual transaction streams. The auditor considers how the entity's management seeks to mitigate the risk of material deviations through controls.

Examples of controls and procedures which the auditee implements to ensure compliance with applicable laws and regulations: Risks to compliance and related controls (/aware/Documents/Risks-to-compliance-and-related-controls-list.docx)

The auditor's consideration of how regulations are translated into subsidiary regulations

The auditor considers how regulations are translated into subsidiary regulations and guidelines. This may involve reviewing the legislation to identify the provisions that authorise activities, and reviewing the process for their translation and interpretation in subsidiary regulations and guidelines. It may also extend to the process for the translation of those regulations into working manuals or other key documentation. When conducting this review, the auditor pays particular attention to the regulations which govern, for example,

When considering relevant rules and procedures relating to schemes, the auditor also identifies those controls designed to prevent and detect material deviations. Where the volume of laws or regulations is significant, entities may have systems for the design and monitoring of procedures and controls to ensure that they are appropriate and meet legislative requirements. Internal audit units may also have their own programme of work for reviewing controls to ensure compliance with applicable laws and regulations. The auditor may seek to place reliance on the entity's systems governing the translation of applicable laws and regulations and the design of subsidiary rules and procedures by testing the controls over this process.

Financial audit

Controls that are relevant to an audit of the reliability of the accounts pertain to the entity's objective of preparing accounts for external purposes that are presented fairly, in all material respects, in accordance with the applicable financial reporting framework and the management of risk that may give rise to a material misstatement in those accounts. Some controls cover the accounting processes throughout the year (e.g. accounting review activities, and development of accounting risk analysis in the Commission). Other controls relate specifically to the year-end closing process. It is a matter of the auditor's professional judgement as to whether a control, individually or in combination with others, is relevant in the context of annual accounts. When considering the accounting control environment, special attention should be given to those controls that have a direct impact on the accounts assertions. The main control systems to be considered are the controls, checks, and measures undertaken by the Accounting Officer and, where relevant, the DGs themselves, as follows:

General

Organisation

Closing process

Information technology

Reviews

Work on reliability in this regard entails updating the descriptions and evaluating the procedures relating to the significant accounting processes and systems and the application of the accounting rules, including those regarding cut-off, that lead to the annual accounts. In the case of audit work at the Commission, this includes work on the functioning of the central accounting system (ABAC) as well as the various local accounting systems. Where relevant, procedures for gathering and verifying data, which have to be shown in the accounts, but are not yet recorded, must be examined to ensure they are complete.

[/toc-this]

Which of the following is not considered an internal control?

Answer: c.
Collusion refers to a group of individuals coming together for the purpose of achieving a goal through engagement in deceitful or fraudulent behaviors. Internal controls are designed to prevent such behaviors from happening within the organization. Hence, collusion is not a type of internal control.
Which of the following is correct with regard to internal controls?

Answer and Explanation: The correct answer is option D. A strong internal control system provides reasonable assurance that the objectives of a company will be accomplished. Sound internal control can provide a reasonable assurance that the company's objectives can be accomplished.
What are the 4 internal controls?

Preventive Controls. Separation of duties. Pre-approval of actions and transactions (such as a Travel Authorization). Access controls (such as passwords and Gatorlink authentication). Physical control over assets (i.e. locks on doors or a safe for cash/checks).

Which is related to internal control?

Internal controls are typically comprised of control activities such as authorization, documentation, reconciliation, security, and the separation of duties. And they are broadly divided into preventative and detective activities.