How do you evaluate a control environment?

In both the Entity-Level Control Form and the Control Activities Form, the column headings contain questions for each control principle/objective and control activity. The questions are conditional and appear in blue text at the top of the form.

The sections below describe each heading.

Indicate whether you want to evaluate the control objective. A control objective states the purpose of a control in relation to risks of material misstatements in the financial statements. By considering control objectives and how they relate to risks, you may find it easier to identify relevant controls. Furthermore, you may find it easier to evaluate whether existing controls, if operating effectively, would fully achieve the objective or if deficiencies exist either in design or through non-existent controls.

Generally, you should focus on control objectives related to the assertions you identified as potentially being higher risk. In other words, focus on those that relate to the risks that caused you to identify the transaction class as significant. Then, identify the key controls for those objectives.

This question appears only on the for Process Level Controls and General Computer Controls.

Addresses Significant Risk

Indicate whether the control addresses an identified fraud or other significant risk.

This question only appears on the for Process Level Controls.

You are not required to understand all controls and control activities that might exist in an entity. Rather, you should focus on key controls [those that are most important in achieving the control objectives you intend to evaluate]. When determining which controls are key, consider factors such as:

  • The nature of the risks being addressed

  • The characteristics of related account balances or transaction classes

  • Whether the control is preventive [prevents misstatements] or detective [detects misstatements]

  • Whether the control works in combination with or relies on the operation of other controls

  • Whether the control is manual or automated

Certain controls that typically are key are selected by default; however, you should evaluate them based on your individual client situations, considering the risks that caused you to identify the transaction class as significant.

Indicate whether the control has been implemented. Note that not all controls listed must be implemented to achieve the control objective, but typically, those that you have identified as key controls should be appropriately designed and implemented. Generally, you can determine implementation using procedures such as observation or inspection in combination with inquiries. Note that inquiry alone is not sufficient to evaluate the design of a control and determine if it has been implemented.

Select , , or from the drop-down list in the column.

For each implemented control that you intend to evaluate, indicate whether the control is preventative [prevents misstatements] or detective [detects misstatements].

Select or from the drop-down list in the column.

If you selected for the control from the Control has been Implemented drop-down list, the check box is enabled. Select the check box if the control is dependent upon information technology [IT]. Examples of IT dependent controls include automated system controls that prevent access to data by unauthorized users, manual reviews or reconciliation based on computer-generated reports or spreadsheets, and so forth. For each IT dependent control, you need to indicate whether it is automated and identify the underlying software application.

If you selected the check box, the check box is enabled. Indicate whether the control requires user intervention [manual control] or is performed by the system without user intervention [automated control]. Manual controls in an automated system may use information produced by the system or may be limited to monitoring the automated controls and handling exceptions. Automated controls include processes such as edit and validation routines embedded in computer programs.

The use of manual controls is often more effective when judgment and discretion are needed. For example, manual controls are generally more appropriate in the following situations:

  • For large, unusual, or nonrecurring transactions

  • When monitoring the effectiveness of automated controls

  • In changing circumstances where a control response may be needed outside of the scope of an automated control

  • When misstatements are difficult to anticipate, define, or predict

However, manual controls may be subject to override, misinterpretation, error, or bypass. As a result, automated controls may be more suitable in the following situations:

  • Recurring or high-volume transactions

  • Situations where errors can be anticipated, predicted, prevented, or detected by control parameters subject to automation

  • Control activities whose nature allows the use of properly designed automated control processes

When evaluating the effectiveness of IT dependent controls, it is important to also consider the design of general computer controls around the software applications upon which the IT dependent controls rely. Evaluating the effectiveness of IT general controls is required if performing a public company audit of internal control. For example, to assess whether a control such as management’s review of sales by product is effective, you must also consider whether the general controls around the computer application that produces the sales by product report are effective and result in a reliable report.

For each IT dependent control that you intend to evaluate [for example, each IT dependent key control], indicate the computer software application upon which the control depends. This value is carried forward to the general computer controls section, where you can evaluate general computer controls over the software application.

  1. Click the browse button next to the field for the control you are describing to open the window.

  2. At the bottom of the window, type the name of the application in the entry field and click the button.

  3. Select the Significant for this Control? check box, if applicable.

For those control principles/objectives that you intend to evaluate, conclude whether the control system is effectively designed to achieve the control objective.

Evaluation of design effectiveness considers whether an implemented control, individually or in combination with other implemented controls, is capable of effectively preventing or detecting and correcting errors that could result in material misstatements. That is, it considers the effectiveness of implemented controls in achieving the objective. If controls related to an objective are improperly designed, a control deficiency may exist that needs to be communicated to management and those charged with governance.

If you selected under Control has been Implemented, the column is activated. Select the check box if you plan to test the control.

Financial Statement Audit

It is necessary to test controls only if you determine the following:

  • Doing so allows you to assess control risk for an assertion at less than high and therefore reduce the nature or extent of substantive procedures, resulting in a more effective, efficient audit.

  • Substantive procedures alone are not effective.

If you plan to test and rely on information technology [IT] dependent controls, you also should test general computer controls around the software applications upon which the IT dependent controls depend.

Test only key controls that you have determined are suitably designed and have been implemented to prevent or detect material misstatements in specific assertions. recognizes that control test results may be relied upon for three years, subject to certain conditions, so that tests of controls can be rotated using a three-year cycle. However, controls that have changed since they were last tested or controls that mitigate fraud risks or other significant risks should be retested each year. Controls that have not changed should be retested at least every third year. In addition, if a number of controls are being rotationally tested, some controls should be tested each year.

What makes a good control environment?

An effective control environment is defined as follows: An environment in which competent people understand their responsibilities, the limits of their authority, and are knowledgeable, mindful and committed to doing what is right and doing it the right way.

What factors should an auditor consider when evaluating the control environment?

Control environment factors include the following:

  • Integrity and ethical values

  • Commitment to competence

  • Board of directors or audit committee participation

  • Management's philosophy and operating style

  • Organizational structure

  • Assignment of authority and responsibility

  • Human resource policies and practices

What are the six elements of control environment?

Control environment factors include:

  • Integrity and ethical values

  • The commitment to competence

  • Leadership philosophy and operating style

  • The way management assigns authority and responsibility, and organizes and develops its people

  • Policies and procedures

What are the five control environment principles?

Each organization must start by establishing its internal control environment. It has been said that five things are needed to successfully effect change—vision, skills, incentives, resources, and a plan.

