Internal Control and Risk Management in Auditing

Internal control is a process, effected by an entity’s personnel, designed to achieve specific objectives. It consists of five interrelated components that help a company direct its objectives and integrate all staff into the process. Although these components are applicable to all companies, small and medium-sized businesses may implement them differently than large ones. Their implementation may be less formal and structured, but it can still be effective.

Audit Risk

Audit risk is the possibility that, once an audit has been completed in accordance with the NAGAs (Generally Accepted Government Auditing Standards), relevant situations remain unreported or misstatements remain in the audited object. If this risk materializes, the result is an incorrect or incomplete report. To guard against the risk associated with their professional work, the auditor must formally explain the objectives of the review. They must also ensure proper planning, implementation, and monitoring of work to reduce this risk to acceptable levels.

Types of Audit Risk

  • Inherent risk is the possibility of omissions, errors, or significant irregularities in the object under examination. It is inherent in the nature of the audited object and is influenced by both internal and external factors. It cannot be eliminated and will always be present in any company.
  • Control risk is the possibility that risks materialize and are not identified, controlled, or prevented by the internal control system designed for this purpose.
  • Detection risk is the possibility that audit procedures cannot detect errors or irregularities in the audited object (situations not detected by the internal control system). This may stem from the scope of the tests, the timing of the tests, and the quality with which they were applied.

Joint Control and Control Activities in COSO II

Define “joint control” and exemplify the types of control activity defined by the COSO Report II.

The Internal Control Environment

The internal control environment brings together all the circumstances that surround an entity’s actions from a risk perspective, as reflected in its behaviors and organizational procedures. It is a consequence of the attitude taken by senior management, management, and other members of the organization toward the importance of risk and its impact on activities and results. It takes effect through the influence it exerts on the behavior of the staff as a whole.

Factors of the Control Environment According to COSO II

The COSO II report defines the factors of the Control Environment as follows:

  1. Risk Management Philosophy
    • The amount of risk
    • Culture of risk
    • Subcultures of risk
    • Recognizing the reality of risk
  2. Board of Directors and Audit Committee
  3. Integrity and Ethical Values
  4. Commitment to Staff Competence
  5. Management Philosophy and Style of Management
  6. Organizational Structure
  7. Allocation of Authority and Responsibility
  8. Human Resource Policies and Practices

Definition of Internal Control

Internal control is a process, effected by an entity’s personnel, designed to achieve specific objectives.

Environmental Factors of Control

The control environment sets the tone for how a business is run and influences its employees’ awareness of control. It is the foundation of all other components of internal control, providing discipline and structure. The control environment factors include the integrity, ethical values, and ability of the company’s employees; the management philosophy and management style; the way in which management assigns authority and responsibility, organizes, and develops employees professionally; and the care and guidance provided by the board.