Understand Controls and Evaluating Design

After you complete all of the Risk Assessment forms in Step 1 – Identify Risks, you click Next to move to the Internal Control section, beginning with Understand Controls and Evaluate Design.
Understand Controls and Evaluate Design includes the following planning forms, each a component of Internal Control as identified by COSO:
  • Control Environment
  • Risk Assessment
  • Information and Communication
  • Monitoring
  • Control Activities
In the first four forms (Control Environment, Risk Assessment, Information and Communication, Monitoring), describe each control objective to indicate how the applicable control principle has been achieved.
If you want to view a list of specific control activities related to the control principle, click the View Entity-Level Control Form link.
Use the Entity-Level Control Form to view a list of specific control activities related to the control principle. You can use this feature to further document your understanding of controls and to indicate controls that you plan to test. In general, you should focus on key controls. When necessary, you can click the Comment icon to add a comment to the control.
When you expand Control Activities under Understand Controls and Evaluate Design, you access the Financial Close and Reporting and General Computer Controls forms. In these forms, you can click a link to access the Control Activities Form, which is similar to the Entity-Level Control Form. The next section describes the column heading questions found in both forms.
Note: If performing a public company audit of internal control, you must evaluate entity-level controls that are important to your conclusion about whether the company has effective internal control, including the Financial Close and Reporting process and the General Computer Controls process.

Column Heading Questions

In both the Entity-Level Control Form and the Control Activities Form, the column headings contain questions for each control principle/objective and control activity. The questions are conditional and appear in blue text at the top of the form.
The sections below describe each heading.
Evaluate Objective
Indicate whether you want to evaluate the control objective. A control objective states the purpose of a control in relation to risks of material misstatements in the financial statements. By considering control objectives and how they relate to risks, you may find it easier to identify relevant controls. Furthermore, you may find it easier to evaluate whether existing controls, if operating effectively, would fully achieve the objective or if deficiencies exist either in design or through non-existent controls.
Generally, you should focus on control objectives related to the assertions you identified as potentially being higher risk. In other words, focus on those that relate to the risks that caused you to identify the transaction class as significant. Then, identify the key controls for those objectives.
This question appears only on the Control Activities Form for Process Level Controls and General Computer Controls.
Addresses Significant Risk
Indicate whether the control addresses an identified fraud or other significant risk.
This question appears only on the Control Activities Form for Process Level Controls.
Key Control
You are not required to understand all controls and control activities that might exist in an entity. Rather, you should focus on key controls (those that are most important in achieving the control objectives you intend to evaluate). When determining which controls are key, consider factors such as:
  • The nature of the risks being addressed
  • The characteristics of related account balances or transaction classes
  • Whether the control is preventive (prevents misstatements) or detective (detects misstatements)
  • Whether the control works in combination with or relies on the operation of other controls
  • Whether the control is manual or automated
Certain controls that typically are key are selected by default; however, you should evaluate them based on your individual client situations, considering the risks that caused you to identify the transaction class as significant.
Implemented
Indicate whether the control has been implemented. Note that not all controls listed must be implemented to achieve the control objective, but typically, those that you have identified as key controls should be appropriately designed and implemented. Generally, you can determine implementation using procedures such as observation or inspection in combination with inquiries. Note that inquiry alone is not sufficient to evaluate the design of a control and determine if it has been implemented.
Select Yes, No, or N/A from the drop-down list in the Implemented? column.
Control Type
For each implemented control that you intend to evaluate, indicate whether the control is preventive (prevents misstatements) or detective (detects misstatements).
Select Preventive or Detective from the drop-down list in the Control Type column.
IT Dependent
If you selected Yes for the control from the Control has been Implemented drop-down list, the IT Dependent check box is enabled. Select the check box if the control is dependent upon information technology (IT). Examples of IT dependent controls include automated system controls that prevent access to data by unauthorized users, manual reviews or reconciliations based on computer-generated reports or spreadsheets, and so forth. For IT dependent controls, you need to indicate whether the control is automated and identify the underlying software application.
Automated
If you selected the IT Dependent check box, the Automated check box is enabled. Indicate whether the control requires user intervention (manual control) or is performed by the system without user intervention (automated control). Manual controls in an automated system may use information produced by the system or may be limited to monitoring the automated controls and handling exceptions. Automated controls include processes such as edit and validation routines embedded in computer programs.
Manual controls are often more effective when judgment and discretion are needed. For example, manual controls are generally more appropriate in the following situations:
  • Large, unusual, or nonrecurring transactions
  • Monitoring the effectiveness of automated controls
  • Changing circumstances where a control response may be needed outside the scope of an automated control
  • Misstatements that are difficult to anticipate, define, or predict
However, manual controls may be subject to override, misinterpretation, error, or bypass. As a result, automated controls may be more suitable in the following situations:
  • Recurring or high-volume transactions
  • Situations where errors can be anticipated, predicted, prevented, or detected by control parameters subject to automation
  • Control activities whose nature allows the use of properly designed automated control processes
Software Application
When evaluating the effectiveness of IT dependent controls, it is important to also consider the design of general computer controls around the software applications upon which the IT dependent controls rely. Evaluating the effectiveness of IT general controls is required if performing a public company audit of internal control. For example, to assess whether a control such as management’s review of sales by product is effective, you must also consider whether the general controls around the computer application that produces the sales by product report are effective and result in a reliable report.
For each IT dependent control that you intend to evaluate (for example, each IT dependent key control), indicate the computer software application upon which the control depends. This value is carried forward to the general computer controls section, where you can evaluate general computer controls over the software application.
  1. Click the browse button next to the Software Application field for the control you are describing to open the Software Applications window.
  2. At the bottom of the Software Applications window, type the name of the application in the entry field and click the Add Application button.
  3. Select the Significant for this Control? check box, if applicable.
  4. Click OK.
Effectively Designed
For those control principles/objectives that you intend to evaluate, conclude whether the control system is effectively designed to achieve the control objective.
Evaluation of design effectiveness considers whether an implemented control, individually or in combination with other implemented controls, is capable of effectively preventing or detecting and correcting errors that could result in material misstatements. That is, it considers the effectiveness of implemented controls in achieving the objective. If controls related to an objective are improperly designed, a control deficiency may exist that needs to be communicated to management and those charged with governance.
Test
If you selected Yes under Control has been Implemented, the Test column is activated. Select the check box if you plan to test the control.
Financial Statement Audit
It is necessary to test controls only if you determine the following:
  • Doing so allows you to assess control risk for an assertion at less than high and therefore reduce the nature or extent of substantive procedures, resulting in a more effective, efficient audit.
  • Substantive procedures alone are not effective.
If you plan to test and rely on information technology (IT) dependent controls, you also should test general computer controls around the software applications upon which the IT dependent controls depend.
Test only key controls that you have determined are suitably designed and have been implemented to prevent or detect material misstatements in specific assertions.
SAS No. 110 recognizes that control test results may be relied upon for three years, subject to certain conditions, so that tests of controls can be rotated using a three-year cycle. However, controls that have changed since they were last tested, or controls that mitigate fraud risks or other significant risks, should be retested each year. Controls that have not changed should be retested at least every third year. In addition, if a number of controls are being rotationally tested, some controls should be tested each year.

Public Company Audit of Internal Control

For all Understand Controls and Evaluate Design forms, when performing a public company audit of internal control to form a conclusion about the effectiveness of the company’s internal control, you must perform sufficient tests of controls to address the assessed risk of misstatement to each relevant assertion of each significant account and disclosure.
Applying a top-down approach, focus first on entity-level controls. Evaluate entity-level controls that are important to your conclusion about whether the company has effective internal control (including the financial close and reporting process; see Significant Transaction Classes). Then test other controls that are important to your conclusion about whether the company’s controls sufficiently address the assessed risk of misstatement to each relevant assertion of each significant account and disclosure. Some entity-level controls might operate at a level of precision that, without the need for other controls, sufficiently addresses the risk of misstatement to a relevant assertion. If a control sufficiently addresses the risk, you do not need to test other controls related to that risk.
Only test the operating effectiveness of controls that are effectively designed. A control that has a design flaw cannot be an effective control, no matter how well it functions; there is no point in testing operating effectiveness.

Complete the Form

For all Understand Controls and Evaluate Design forms, as you complete the form, consider whether any risks that could result in material misstatement of the financial statements exist. If so, enter the risk in the right-hand pane by clicking the Add Risk button. (See the Step 1 – Identify Risks topic for the complete procedure.)
A question at the end of each form prompts you to conclude whether the applicable COSO topic is properly designed and implemented (or effectively designed for public companies).
For a financial statement audit, the Control Deficiency Evaluation Form and Aggregation Worksheet can be used to evaluate whether control deficiencies are significant deficiencies or material weaknesses.
For a public company audit of internal control, you can use the Control Deficiency Evaluation Form and Aggregation Worksheet to summarize, accumulate, and evaluate deficiencies to determine whether they (alone or in combination) represent a material weakness or significant deficiency; and to form an overall conclusion on the effectiveness of internal control.
Select the Yes or No option to the right of the question. Add comments, if applicable, by clicking the Comment icon.

Sources of Information

For all Understand Controls and Evaluate Design forms, in the Sources of Information section of each of the COSO topics, describe your sources and procedures for gaining your understanding of the flow of information. Ensure that your description satisfies auditing standards regarding documentation (see SAS No. 103 or PCAOB Auditing Std. No. 3).