606 The Understanding of Internal Control
606.1 SAS No. 109 (AU 314), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides guidance to auditors related to consideration of internal control as part of an audit. It also provides guidance about how the entity's use of information technology (IT) affects the auditor's consideration of internal control in planning the audit.
Components of Internal Control
606.2 SAS No. 109 (AU 314.40) requires auditors to obtain an understanding of internal control that is sufficient to assess the risk of material misstatement of the financial statements due to error or fraud and to design the nature, timing, and extent of further audit procedures. SAS No. 109 requires an understanding of the five interrelated components of internal control defined and described in COSO's Internal Control—Integrated Framework. Those components are as follows:
a. Control environment (see further discussion beginning at paragraph 606.22).
b. Risk assessment (see further discussion beginning at paragraph 606.35).
c. Information and communication (see further discussion beginning at paragraph 606.39).
d. Monitoring (see further discussion beginning at paragraph 606.58).
e. Control activities (see further discussion beginning at paragraph 606.71).
606.3 In assessing the risk of material misstatement of the financial statements to develop an overall audit strategy, auditors generally focus on obtaining an understanding of the control environment, risk assessment, information and communication, and monitoring components, typically obtaining an understanding of the control environment first. The understanding of control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components. As a CIRA's operations and systems become more complex, auditors will most likely need to increase their understanding of the internal control components to obtain the understanding necessary to assess the risk of material misstatement of the financial statements and to plan the nature, timing, and extent of further audit procedures.
Nature of the Auditor's Understanding
606.4 As indicated in paragraph 606.2, SAS No. 109 (AU 314) requires auditors to obtain a sufficient understanding of the five components of internal control to assess risk and design the nature, timing, and extent of further audit procedures. To obtain that understanding, the SAS requires auditors to perform risk assessment procedures to (a) evaluate the design of controls that are relevant to the audit and (b) determine if they have been implemented. A key consideration is whether and how the CIRA's internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures.
606.5 Evaluation of design considers whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. In other words, the auditor considers the effectiveness of the control in achieving its objective. If a control is improperly designed, it may represent a control deficiency that needs to be communicated to management and those charged with governance as more fully described in section 812.
606.6 The documentation of a control procedure, however, does not demonstrate that the control is actually operating as intended. The auditor, therefore, should also determine if the control, as documented or described, actually exists and the CIRA is using it. In other words, the auditor should use risk assessment procedures to obtain audit evidence that the control has actually been implemented. Generally, the auditor uses procedures such as observation or inspection, combined with inquiries, to verify implementation. Inquiry alone is not sufficient to evaluate the design of a control and determine if it has been implemented.
606.7 Normally, the auditor's understanding of internal control design and implementation is not sufficient to serve as testing the operating effectiveness of controls. The same types of procedures performed to determine if a control has been implemented (e.g., observation, inspection of documents, reperformance, and walkthroughs) are also used when testing controls for operating effectiveness. However, the extent of the procedures to determine implementation may fall short of what is needed to determine operating effectiveness because tests of operating effectiveness need to provide audit evidence about how controls were applied throughout the period under audit and the consistency with which they were applied. Nevertheless, in some cases the auditor's procedures may serve both purposes. For example, a walkthrough can serve as a test of controls for operating effectiveness and in some cases, along with other procedures that test operating effectiveness, can provide a valid basis for assessing control risk at less than high. In addition, for an automated control where consistency of application would normally occur assuming the existence of effective IT general controls, the auditor may be able to determine operating effectiveness based on procedures performed to establish that the control has been implemented and the auditor's assessment and testing of the related general controls.
Extent of the Auditor's Understanding
606.8 As indicated in paragraph 606.2, the overriding requirement regarding the understanding of internal control is that it should be sufficient to assess the risk of material misstatement of the financial statements due to error or fraud and to design the nature, timing, and extent of further audit procedures. Obtaining an understanding that is sufficient to assess the risks of material misstatement requires the auditor to develop a fairly thorough and robust knowledge of the components of internal control. That is primarily because the auditor is required to have, and document, the basis for his or her risk assessment. The auditor is not permitted to simply default to high control risk.5 In most situations, the auditor's understanding of internal control will be more comprehensive than the understanding of the other aspects of the CIRA and its environment discussed in section 605, and obtaining it will require more time. In addition, for initial audit engagements, the effort and time to gather information on the components of internal control that is sufficient to assess risk will most likely exceed that necessary for engagements in following years.
606.9 In general terms, the extent of the understanding, along with the nature, timing, and extent of the associated risk assessment procedures performed to obtain the understanding, is affected by factors such as the following:
• The auditor's prior experience with the client.
• Materiality and tolerable misstatement.
• Size of the CIRA.
• Type of legal entity (corporation, association, etc.) and development (condominium, planned unit development, etc.).
• Number and nature of operating locations.
• Degree of diversity of systems within the CIRA, including the use of service organizations.
• Nature of the CIRA industry.
• Applicable legal and regulatory requirements.
• Level of business and financial sophistication of the client.
606.10 The auditor's understanding of the CIRA and its environment other than internal control as discussed in paragraph 605.7 (as well as preliminary engagement activities discussed in section 601) will generally influence the extent of the understanding of internal control components. Most of the factors noted in paragraph 606.9 are determined to a major degree when the auditor performs risk assessment procedures to understand the entity and its environment. That understanding often results in the identification of risks of material misstatement that further shape the direction, extent, and depth of the auditor's understanding of internal control. (However, the auditor should be aware that additional risks of material misstatement may be identified when obtaining an understanding of internal control and by performing further audit procedures.) The authors recommend that the auditor perform risk assessment procedures related to the understanding of the CIRA and its environment discussed in section 605 before obtaining an understanding of internal control.
606.11 How Are the Results of the Understanding Used? As noted in paragraph 606.2, the understanding of internal control should be sufficient to assess the risks of material misstatement and to design the nature, timing, and extent of further audit procedures. Specifically, the understanding is used to:
• Identify types of potential misstatements.
• Consider factors that affect the risks of material misstatement.
• Design tests of controls, when applicable, and substantive procedures.
In addition, the auditor should be alert for risks that may be identified during the process of obtaining an understanding of internal controls. Where applicable, identified risks can be documented on “Understanding the Entity and Identifying Risks” (HOA-CX-3.1) or the “Risk Assessment Summary Form” (HOA-CX-7.1).
of Information Technology (IT) on Internal Control
606.12 SAS No. 109 (AU 314.96) notes that the auditor should consider whether the entity established effective controls that adequately respond to the risks that arise from IT. Such controls include both properly designed and implemented application controls and general controls upon which application controls depend. The AICPA risk assessment guide, Assessing and Responding to Audit Risk in a Financial Statement Audit (paragraph 4.63), notes that the auditor should evaluate the design of IT general controls and determine whether they have been implemented when assessing the risks of material misstatement. Auditors should consider testing general controls when they plan to rely on IT application controls to modify the nature, timing, and extent of substantive tests.
606.13 In addition to the risks of material misstatement due to error or fraud that IT may introduce, the auditor should be aware that the use of IT may affect the availability of information needed for the audit. Furthermore, in certain situations the auditor may be precluded from using only substantive procedures when the role of IT is significant to the processing of transactions. For example, in highly automated processing with little or no manual intervention where information is initiated, authorized, recorded, processed, or reported electronically, the auditor may determine that detection risk cannot be adequately reduced without testing the operating effectiveness of controls.
606.14 Considering Whether Specialized IT Skills Are Needed to Understand Internal Control. Auditors should consider whether specialized IT skills are needed to determine the effect of IT on the audit, understand IT controls, or design and perform tests of IT controls or substantive procedures. That determination should be made relatively early in the planning process to assure that the necessary resources are available on a timely basis. The decision to use an IT specialist is a matter of auditor judgment. SAS No. 108 (AU 311.23) states that auditors should consider the following factors in determining whether the audit team should include individuals who possess specialized IT skills:
• The significance of changes made to existing systems or the implementation of new systems.
• The extent to which data is shared among
• The CIRA's use of emerging technologies.
• The significance of audit evidence that is available only in electronic form.
• The extent of the CIRA's participation in
An IT specialist may be either a member of the auditor's firm or an outside professional.
606.15 However, an IT specialist might not be needed, even for complex computer systems, if one or more of the following conditions exist:
a. The CIRA uses only purchased software and has no access to the source code.
b. The CIRA uses a service organization for its computer services and there is a recent service auditor's SAS 70 report on the service organization's internal control.
c. The auditor believes he or she can identify types of potential misstatements. This will normally be the case when manual control procedures are adequate to prevent or detect material misstatements in computer-processed information.
606.16 If a CIRA's systems are complex, such as when a significant amount of information is electronically initiated, recorded, processed, or reported, or when evidence is available only in electronic form, specialized skills may be needed. In those cases, either a professional on the audit staff who possesses IT skills or an outside professional may be needed. An IT specialist may help the auditor by—
• Inquiring of a CIRA's IT personnel about how data and transactions are initiated, authorized, recorded, processed, and reported and how IT controls are designed.
• Inspecting systems documentation.
• Observing the operation of IT controls.
• Planning and performing tests of IT
606.17 If the auditor uses an IT specialist on the engagement team, the auditor should be knowledgeable enough to communicate the audit objectives to the specialist, evaluate whether the procedures performed by the specialist meet the auditor's objectives, and determine the effects of the procedures on the nature, timing, and extent of other planned procedures. That does not mean auditors have to be experts in
The auditor's responsibility when using a computer specialist is the same as for other members of the engagement team. To effectively supervise an IT specialist, auditors need a basic understanding of computer applications and controls, especially those most relevant to particular client systems. That understanding can be gained from experience with the client or from attending training classes or seminars. The extent of the understanding will vary with the nature of the entity's IT environment. If the firm uses an outside professional, the guidance in SAS No. 73 (AU 336) should be considered.
606.18 SAS No. 109 requires documentation of the understanding of the CIRA and its environment, including
For internal control, the auditor is required to document the understanding obtained for the five components of internal control. The auditor should also document the sources of the information used and risk assessment procedures that were performed to obtain the understanding.
606.19 SAS No. 109 permits auditors flexibility in the manner of documentation. The form and extent of documentation is influenced by factors such as the complexity, size, and nature of the CIRA and the use of technology. Where applicable, some auditors have supplemented their documented understanding with existing documentation of control systems prepared by the client. Due to the increasing visibility of the importance of controls, some CIRAs have developed or enhanced their internal documentation and evaluation of internal controls. Auditors may consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. In those cases, the auditor may gain additional audit efficiencies and a better understanding of the CIRA's internal control.
606.20 This Guide provides the following practice aids that can be used to document the auditor's understanding of internal control, including the evaluation of its design and implementation:
• “Understanding the Design and Implementation of Internal Control” (HOA-CX-4.1). This form can be used to document the understanding of entity-level controls along with the sources of information used and procedures performed to obtain or update the understanding. The auditor also uses this form to document his or her evaluation of the design and implementation of entity-level controls and to identify and link to the documentation of general controls and significant transaction classes.
• “Financial Reporting System Documentation Form—Significant Transaction Classes” (HOA-CX-4.2.1). This form can be used to document the understanding of the flow of information through the CIRA's financial reporting system (which includes the accounting system) for significant transaction classes. The auditor can also indicate if the controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.
• “Financial Reporting System Documentation Form—IT Environment and General Computer Controls” (HOA-CX-4.2.2). This form can be used to document the understanding of the CIRA's IT environment (including consideration of controls at a service organization) and general computer controls, as well as the decision about whether to use an IT specialist. The auditor can also indicate if general controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding.
• “Walkthrough Documentation Table” (HOA-CX-4.3). This form can be used to document the performance of a walkthrough. A walkthrough confirms the understanding of the design and implementation of controls by tracing a transaction through the CIRA's system from its initiation to inclusion in the general ledger and financial statements.
• “Activity and Entity-level Control Forms” (HOA-CX-5). These forms are optional source lists of control activities and entity-level controls by transaction class (for each audit area) or by objective (for entity-level controls). The forms provide a list of common key controls that are applicable for many CIRAs. The forms can be used as a memory jogger to assist the auditor in identifying and describing the CIRA's controls or as a supplement to narratives or flowcharts to further document the understanding of controls and to indicate which controls are being tested. In addition, Appendix 6A lists common control objectives by transaction class for various audit areas.
606.21 When a further understanding of control activities is needed, the auditor can document this understanding using the “Control Activities Forms” at HOA-CX-5. These forms allow the documentation of whether a control activity is properly designed and implemented as well as whether it is operating effectively.
606.22 The control environment sets the tone of the CIRA and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are the attitude, awareness, and actions of management, as well as those charged with governance, concerning internal control. Control environment considerations as discussed in this and the following paragraphs generally are relevant, regardless of whether the CIRA has a managing agent.
606.23 The control environment includes the following elements:
• Communication and enforcement of integrity and ethical values.
• Commitment to competence.
• Participation of those charged with governance.
• Management's philosophy and operating
• Organizational structure.
• Assignment of authority and
• Human resource policies and practices.
606.24 A CIRA's control environment is a significant factor when considering the risks of material misstatement due to error or fraud. The integrity of the CIRA's management, including managing agent, if any, often plays a significant role in establishing a strong control environment. For example, although a CIRA might not have a written code of conduct, it might still have a culture that emphasizes the importance of integrity and ethical behavior. That culture will be instilled through the visibility and direct involvement of the CIRA's management. Obtaining an understanding of the control environment of a small or midsize CIRA need not be a complex process. The term is more formal and imposing than the idea behind it. The control environment is simply the conditions and circumstances that exist within the entity that demonstrate management's attitude about controls and other indicators of management's integrity and motivation.
606.25 The auditor should obtain a sufficient knowledge of the control environment as a result of performing risk assessment procedures to understand the attitudes, awareness, and actions of management and those charged with governance concerning internal control and its importance in achieving reliable financial reporting. The responsibilities assumed by management and those charged with governance related to financial reporting are particularly important. For example, the auditor should identify the members of management, and directors if any, who are expected to understand the CIRA's business transactions and to evaluate whether they are appropriately reflected in the financial statements. The auditor considers both (a) the aspects of the control environment that help ensure the integrity of financial reporting (that is, the key control environment controls) and (b) any control environment weaknesses that could have a pervasive effect on the financial statements.
606.26 The audit evidence for elements of the control environment is often not available in documentary form. When it is available, the auditor may inspect documents, for example, a written code of conduct, as evidence of how management communicates its views of business practices and ethical behavior. While formal documentation may be preferable, it is not always necessary in order for a policy to be in place and operating effectively. This is emphasized in a nonauthoritative AICPA Technical Practice Aid, Obtaining an Understanding of the Control Environment (TIS 8200.08). TIS 8200.08 notes that if an auditor decides to rely on these controls (whether documented or not), they are required to test the controls. For example, in a small CIRA human resource policies may not be formally documented as they would in a larger CIRA. Even so, policies and practices can still exist and be communicated orally. When documentary evidence is not available, the auditor might observe management's and directors' actions and attitudes.
606.27 Factors to consider for each element of the control environment to understand its design and implementation and identify risks are provided at HOA-CX-4.1, “Understanding the Design and Implementation of Internal Control.”
606.28 Owner/managers are common in small commercial businesses, and comparable situations exist in many small CIRAs. For example, a small association may, in effect, be controlled by a president or chairman of the board who operates much like an owner/manager in that he or she is heavily involved in daily operations and designing accounting
Consideration of management integrity (or of the integrity of the management of the managing agent) is an important factor in deciding whether to accept a CIRA engagement, as explained in section 601. Factors such as management's tendency to take unusual or unnecessary business risks may increase audit risk. In preliminary planning, an auditor needs to reconsider the background information on management integrity along with the knowledge that has been obtained about the client's business, its operations, and its industry.
606.29 The purpose of the auditor's reconsideration is to assess whether the attitude of management or the managing agent, if applicable, in the particular circumstances might create an increased risk of material misstatement of the financial statements. CIRA management that is dominated by a single individual or small group without compensating controls, because of the ability to dominate activities or override controls, is in a position to execute and conceal improper transactions. (A managing agent may have similar opportunities if the CIRA board of directors does not exercise sufficient control over the managing agent's activities.) Even basically honest management may be motivated in some cases to materially misstate the financial statements, and an auditor needs to recognize those circumstances and consider them in planning, especially when identifying risks of material misstatement of the financial statements due to fraud.
606.30 Some of the circumstances that increase the risk of material misstatement of the financial statements of a small CIRA because of their effect on management's (or the managing agent's) attitude are as follows:
a. A threat to management's personal net worth resulting from a poor or deteriorating financial condition when management has a significant interest in the CIRA.
b. A significant portion of management's compensation depends on incentives, the value of which is dependent on the CIRA meeting performance targets (for example budget, cash flow, or other financial or operating goals, such as a percentage of delinquent dues collected).
c. Managing agents feel they deserve perks such as free landscaping, etc. for the time they have invested in the CIRA.
606.31 In a smaller CIRA, a strong control environment can partially compensate for control deficiencies in other areas, including inadequate segregation of duties. The control environment is often viewed synonymously with “tone at the top.” Employees of smaller CIRAs often interact with management and typically are influenced by the tone at the top. Consequently, smaller CIRAs often develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example.
606.32 Due to the role of the control environment, the auditor's understanding of this area may influence how the auditor approaches obtaining an understanding of other areas of internal control, as well as the ultimate assessment of risk at the overall financial statement level. Risk at the overall financial statement level is discussed beginning with paragraph 607.23.
606.33 All CIRAs should be proactive in reducing fraud opportunities by identifying and measuring fraud risks, taking steps to mitigate identified risks, and implementing and monitoring appropriate preventive and detective controls and other antifraud measures. However, the nature and extent of these risk assessment and monitoring activities should be commensurate with the size and complexity of the CIRA. It is important for management to understand its responsibility for establishing and monitoring the CIRA's fraud risk assessment process. That process is likely to be less formal and structured in a smaller CIRA than in a larger CIRA, but should include a sufficient degree of fraud awareness on the part of the CIRA's president and board of directors and appropriate fraud risk management activities with oversight from those charged with governance. The fraud risk assessment and monitoring process for a typical small to midsize CIRA may include:
a. Communicating to employees the management's views on business practices and ethical behavior, either orally or by example.
b. Thoroughly investigating any incidents of alleged fraud, taking appropriate and consistent actions against violators, assessing how relevant controls could be improved, correcting any effects on the financial statements, and reinforcing the CIRA's values and expectations through appropriate communication.
c. Considering standards of ethical behavior and appropriate business practices in the CIRA's employee training and evaluation procedures.
d. Identifying fraud risks and taking appropriate action to reduce or eliminate the risks.
e. Appropriate oversight of the CIRA's fraud risk assessment and monitoring activities by the board of directors or audit committee (if the CIRA has one).
606.34 Documentation of the Control Environment. The “Understanding the Design and Implementation of Internal Control” form at HOA-CX-4.1 can be used to document the auditor's understanding of the CIRA's control environment along with sources of information and procedures performed to obtain or update the understanding.