Activity Based Risk Evaluation Model of Auditing

HOME >> BASIC CONCEPTS >> AUDIT RISK CONCEPTS >> CONTROL RISK >> EVALUATION AT FINANCIAL STATEMENT LEVEL >> CONTROL ENVIRONMENT

Control environment

The control environment is the environment in which the internal control procedures operate. It may be considered a reflection of the various control polices established by the client. Some control environments, such as those with extensive control policies, will be conducive to the minimization of inherent risk (a positive control environment), while others, with few or no control policies, may do little to reduce inherent risk (a negative control environment) ^[fn].

The evidence gathered by the auditor to evaluate the control environment includes evidence referred to in ISA315 Appendix 2 such as:

• Management's philosophy and operating style. One way of considering management's operating style is to consider the extent of management's aversion to risk. Management personnel in some entity's tend to be risk-seeking in nature, some tend to be risk averse and others lie somewhere in between. Risk seekers may forgo the expense of establishing control procedures and accept the increased risk of material misstatements in the unaudited financial statements, whereas management that is risk averse may opt for controls, even though it will cost a significant sum to establish and maintain the controls.
• Organizational and authorization policies. For example, a client that has established lines of responsibility within their organization, particularly in relation to organizational independence, and responsibilities for senior management to report to the board of directors (or other persons charged with the governance of the entity) may be said to have a more positive control environment than a client that does not. Similarly, the establishment of policies relating to the assignment of authority to management and other employees is evidence of a positive control environment. An important aspect of the client's authorization policies that may be gleaned prior to the commencement of the audit is whether there is an assignment of different levels of authority to the different levels of management, with ultimate authority resting with, in a corporation, the Board of Directors.
• Internal audit, information technology and human resource policies. The existence of an internal audit function can considerably strengthen the control environment particularly where the internal auditors are responsible for the monitoring of the extent to which employees adhere to established control procedures ^[fn]. Where internal audit policies exist in relation to the design, operation and control of information within the client, the control environment is strengthened. Similarly, where human resource policies exist that aim to improve the competence of management and other staff, such as staff recruitment and training policies, the environment in which internal controls operate is more likely to be positive.
• Audit committee policy. An audit committee is, in a corporation, a committee comprising a majority of independent non-executive members of the Board of Directors to which has been assigned the oversight of the financial reporting and auditing process. The existence of an audit committee strengthens the control environment but may come at the expense of increased audit costs ^[fn]. Refer to Journal of Accountancy article The Audit Committee's Roadmap.

For existing clients, much of this information will be available from prior year's working papers or from knowledge held by the auditor and staff employed on previous engagements. However, auditors also consider any changes in policies or philosophy since the previous year.

Copyright, Australian Educational Research Pty Ltd. Any person accessing this site agrees to the Terms of Use.