Description
Risks of Material Misstatement through Understanding the Entity and Its Environment, sets out the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment including the entity’s internal control.
RELEVANT TO FOUNDATION LEVEL PAPER FAU (INT) AND (UK) AND ACCA
QUALIFICATION PAPERS F8 (INT) AND (UK) AND P7 (INT) AND (UK)
© 2013 ACCA
The control environment of a company
ISA 315, Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment, sets out the auditor’s responsibility
to identify and assess the risks of material misstatement in the financial
statements, through understanding the entity and its environment including
the entity’s internal control. One of the five components of internal control is
the control environment and it is recognised that the control environment
within small entities is likely to differ from larger entities. Many candidates
have not yet had the opportunity of working in larger entities, or have chosen
not to, so have not been exposed to working within the type of strong control
environment often referred to in auditing texts. Consequently, they often have
limited experience on which to draw when answering exam questions that
require anything other than superficial knowledge of an entity’s control
environment.
This article aims to provide common examples of matters the auditor needs to
consider when assessing an entity’s control environment, and in making an
assessment as to their impact on the risk of material misstatement in the
financial statements. Reflecting the general trend of exam questions testing
knowledge of this area, the article focuses on the need for the auditor of a large
limited liability company (in the UK – a limited company) to evaluate the
effectiveness of the company’s control environment.
A company’s control environment comprises seven elements each requiring
careful consideration by the company’s auditor, recognising that some
elements may be more pertinent than others – depending on the subject
company. Each one of these elements is identified below, along with an
explanation of specific practical aspects that may be considered by the auditor
when evaluating its effectiveness. Candidates should be aware that this process
forms part of the auditor’s assessment of the overall effectiveness of the
company’s internal control, relevant to the audit.
1 Communication and enforcement of integrity and ethical values
Many companies have high values and seek to promote honesty and integrity
among their employees on a day-to-day basis. Clearly, if it is evident that such
values do exist and are communicated effectively to employees and enforced,
this will have the effect of increasing confidence in the design, administration
and monitoring of controls – leading to a reduced risk of material
misstatement in a company’s financial statements. For example, where a
company adopts comprehensive anti-bribery and corruption policies and
2
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
procedures with regard to contract tendering, and has formal employee
notification and checking practices in this regard, it follows that there is
reduced risk of material misstatement due to the omission of provisions for
fines for the non-compliance with relevant laws and regulations. Alternatively,
the existence in a company of comprehensive and ethical procedures with
regard to the granting of credit facilities to customers and the pursuance of
payment of for goods and services supplied, together with regular supervisory
control in this respect, is likely to lead to increased audit confidence in the
trade receivables area. This is because the existence of a system allowing
goods and services to be a supplied on credit to customers provides the
opportunity for fraud to be perpetrated against the company by employees and
customers, particularly if controls are deficient in terms of their design or
implementation.
2 Commitment to competence
Competence is the knowledge and skills necessary to accomplish tasks that
define the individual’s job. It is self-evident that if individual employees are
tasked with carrying out duties that are beyond their competence levels, then
desired objectives are unlikely to be met. For example, there is an increased
probability that the objective of avoiding material misstatement in a set of
complex financial statements will not be met if prepared by an inexperienced
company accountant. This is simply due to the inexperience (translating to a
lower competence level) of the accountant. From this, it follows that the
auditor will have increased confidence in internal control relevant to the audit,
where management have taken measures to ensure employees who participate
in internal control are competent to carry out relevant tasks effectively.
Measures taken by management in this regard can cover a range of activity
including for example, rigorous technical and aptitude testing at the employee
recruitment stage and in-house or external training courses and mentoring
from more senior colleagues
3 Participation by those charged with governance
The directors of a limited liability/limited company are charged with the
company’s governance. As such, they are responsible for overseeing the
strategic direction of the company and its obligations related to its
accountability – for example, to governments, shareholders and to society in
general. In particular, in most jurisdictions the company’s directors are
responsible for the preparation of its financial statements. Given the influence
that the actions of directors have on a company’s internal control, the extent of
their day-to-day active involvement in the company’s operations has a
pervasive effect on the internal control of the company.
The extent to which directors do get involved will, to some extent, depend on
legislation or codes of practice setting out guidance for best practice in given
jurisdictions. For example, the UK Corporate Governance Code (with which
3
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
companies listed on the London Stock Exchange should comply) sets out
standards of good practice, including those pertaining to board leadership and
effectiveness. Notwithstanding legislation and codes of practice, the extent of
each director’s participation is largely influenced by the nature of their
professional discipline and their individual perspective about how they should
carry out their respective roles. Some may see themselves as micromanagers,
while others will trust subordinates to carry out defined duties with minimal
interference. Frequently, directors will be very experienced and adopt an arms-
length approach to getting involved in operational tasks. However, they may
insist on monitoring activity by way of receipt of formal narrative reports. Other
directors may adopt a more casual (but equally thorough!) ‘working alongside
subordinates’ approach as a method of monitoring activities.
All of the variables mentioned above with regard to director involvement,
should be important considerations of an auditor as part of the process of
ascertaining the extent of internal control in the company and in assessing its
effectiveness.
4 Management’s philosophy and operating style
A company’s board of directors will comprise of individuals each with a
different mind – set as to philosophy and operating style, manifested in
characteristics such as their:
• approach to taking and managing business risk
• attitudes and actions toward financial reporting
• attitudes toward information processing and accounting and functions
personnel.
Each of the above characteristics underlie a company’s control environment
and it is crucial for an auditor to have an understanding of them. Dealing with
each in turn:
Approach to taking and managing business risk. Business risk is the risk inherent
in a company as a consequence of its day-to-day operations and it comprises
several components. The first of these is financial risk – for example, the risk
that the company may have insufficient cash flow to continue in operation. The
second component is operational risk – for example, the risk that the
company’s product lines may decline in popularity leading to a sharp decline
in sales and profitability. The final component of business risk is compliance
risk – for example, the risk that the company may be in breach of health and
safety regulations, leading to the possibility of hefty fines or even the
closedown of operational activity.
Candidates should be aware that a risk-based approach to an audit requires
the identification and assessment of inherent risk factors and then of the
control risk pertaining to these, in order to determine the risk of material
4
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
misstatement, prior to carrying out substantive procedures. By adopting a
top-down approach to the audit and first identifying business risks, auditors
should be able to identify the associated inherent risks arising. They can then
progress through the audit using the audit risk model (audit risk = the risk of
material misstatement x detection risk) to determine the amount of detailed
testing required in each area of the financial statements. To illustrate this
approach, referring to the compliance risk example above, an inherent risk
arising from the risk of a breach of health and safety regulations. As a
consequence, there is a risk that the company’s liabilities may be understated
due to the omission of a provision required in the financial statements, in
respect of a fine for a non-compliance.
The directors’ approach to taking and managing business risk has obvious
ramifications on a company’s financial statements, and the auditor should be
aware of the various factors that influence directors in this area, and of
applicable controls in place. It is often the case that a newly established
company with young entrepreneurial directors and a flat management
structure will have a more liberal approach to taking and managing business
risk than a well-established company with more experienced directors, and a
steep hierarchical management structure. Consequently, it is likely that there
would be a lower level of a risk of material misstatement in the financial
statements of the latter company.
Attitude and actions toward financial reporting. Financial Reporting Standards
exist to help facilitate fairness, consistency and transparency of financial
reporting. However, some determinants of profitability such as the measure of
depreciation, the valuation of inventory or the amount of a provision remain
open to the subjective judgment of management. Consequently, the auditor
needs to gain an understanding of directors’ attitudes and actions to financial
reporting issues and then make a judgment as to the extent of reliance that
can be placed upon these. It may be that a company that is struggling in a
faltering economy, and in another driven by a culture to report increasing
profits, there is a tendency to adopt aggressive (as opposed to conservative)
accounting principles, in order to meet profit expectations. Clearly, on such
audit engagements it is important for the auditor to remain resolute in
exercising appropriate levels of professional sceptism throughout.
Attitude towards information processing and accounting functions and personnel.
Properly financed and resourced with sufficient numbers of appropriately
qualified staff and contemporary information and communications technology,
the financial reporting (accounting) and information processing functions of a
company are vital to a company’s ongoing existence. They are key to the
facilitation of compliance with laws and regulations, transactions with third
parties, administration and control systems and in the provision of information
for decision making. In most very large companies many aspects of the
5
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
accounting function are inextricably intertwined with specific aspects of the
company’s information processing systems, and there is an ongoing
programme of investment in these, to ensure that the accounting and
information processing systems are contemporary and fit for purpose. This is
reflective of a situation where directors recognise that business risk will be
significantly reduced, if the company has effective information processing and
accounting functions. However, this situation does not apply to all companies.
In some, both functions may be seen by the directors merely as necessary
functional overhead areas of the business and, as such, they become
under-funded and inadequately resourced in terms of staffing and equipment.
An auditor engaged on an audit in such a company should be aware that there
is an increased risk of material misstatement in the financial statements.
5 Organisational structure
ISA 315 describes a company’s organisational structure as being ‘the
framework within which an entity’s activities for achieving its objectives are
planned, executed, controlled and reviewed’. The appendix to the ISA then
explains ‘that the appropriateness of an entity’s organisational structure
depends, in part, on its size and the nature of its activities’. It follows from this
that an international consulting company with offices and operations in several
countries has different priorities in terms of organisational structure to a
national car sales company with several offices and a number of sales
branches in a single country. Similarly, the organisational structure deemed
suitable for such a car sales company would not be appropriate for a single
site manufacturing company. Generally, an auditor may reasonably expect
there to be a positive correlation between the level of inherent risk and the size
and complexity of a company’s operations. In assessing, the level of the risk of
material misstatement the auditor should consider as to whether the
company’s organisational structure in terms of authority, responsibility and
lines of reporting meet desired objectives.
6 Assignment of authority and responsibility
Normally, the larger a company’s scale of operations, then the larger the size of
the workforce and, inevitably, the larger the amount of assignment of authority
and responsibility that is required. Consequently, companies need to deal not
only with ensuring that appropriate levels of authority and responsibility are
assigned to appropriately qualified and experienced individuals. They also need
to ensure that adequate reporting relationships and authorisation hierarchies
are in place. Additionally, individuals need to be properly resourced and made
fully aware of their responsibilities and of how their actions interrelate with the
actions of others and contribute to the objectives of the company. If a company
is not successful in meeting each of these needs, then there is an increased
probability of ineffective decisions, errors and oversights by employees leading
to an increased risk of material misstatement in its financial statements. For
example, where a wages clerk is authorised to process the wages payroll and is
6
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
then assigned the (inappropriate!) authority to enter new employee details into
the wages master file.
7 Human resources policies and practices
As explained in ISA 315, ‘human resource policies and practices demonstrate
important matters in relation to the control consciousness of an entity’. This
implies that if human resources policies and practices are considered to be
sound both in design and in implementation over a range of matters, then the
risk of material misstatement will be reduced.
Examples of these matters include:
• Recruitment policies and procedures. These should ensure that only
competent individuals with integrity are employed by the company.
Interview procedures should ensure that only candidates meeting the
company’s criteria for recruitment are engaged.
• There should be adequate induction procedures for new employees, such
that they can carry out their assigned responsibilities effectively and
efficiently soon after being engaged by the company.
• Employees should be provided with ongoing training, support and
mentoring as appropriate, such that they can continue to carry out their
assigned responsibilities effectively and efficiently.
• There should be regular formal appraisal, at least annually of an
employee’s performance. Performance should be measured against
standardised criteria authorised by senior management of the company,
and there should be ongoing monitoring and feedback to employees
about their performance and development needs.
• The company should employ comprehensive and transparent
employment grievance procedures, such that employees can be
confident that grievances will be dealt with openly and impartially.
• There should be open, transparent and equitable employee disciplinary
procedures, such that employees can be confident they will not be
treated unfairly by the company in the event that an action triggers its
disciplinary process.
• Employment termination procedures should incorporate provision for an
exit interview so that the reason for the termination can be confirmed or
clarified, all emoluments due to the employee can be settled and
arrangements can be made for the return of all company assets prior to
the termination date.
While each of the above measures will have a positive impact on the internal
control of a company, to some extent they all have the effect of reducing the
risk of material misstatement in the financial statements. For example, the
existence of fair and robust grievance and disciplinary procedures reduce the
possibility of a successful claim against the company for constructive or unfair
dismissal, and the absence of a material provision in this respect. Significantly,
7
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
the existence of human resources policies and practices that are the same or
similar to those above should leave a favourable impression with the auditor,
as to the directors’ attitude toward their company’s workforce. It is likely that
such an attitude would foster good working relationships with employees,
leading to an increased likelihood that individuals would reciprocate by
carrying out their tasks diligently with integrity in the best interests of the
company – resulting in a reduced risk of material misstatement.
Summary
As indicated at the beginning of this article, the purpose of it is to provide
candidates with a more detailed appreciation of matters pertinent to an
auditor, when evaluating the control environment of a limited liability/limited
company. When asked to explain what is meant by the term ‘control
environment’, they typically comment that it is a component of a company’s
internal control and that it centres around how a company is operated by its
management, reflecting such matters as their philosophy and operating style.
While there is some merit in this answer, having now read the above
commentary, candidates should be aware that the term has much more
meaning than that.
Reference
ISA 315, Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment
Written by a member of the audit examination team
doc_602516843.pdf
Risks of Material Misstatement through Understanding the Entity and Its Environment, sets out the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment including the entity’s internal control.
RELEVANT TO FOUNDATION LEVEL PAPER FAU (INT) AND (UK) AND ACCA
QUALIFICATION PAPERS F8 (INT) AND (UK) AND P7 (INT) AND (UK)
© 2013 ACCA
The control environment of a company
ISA 315, Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment, sets out the auditor’s responsibility
to identify and assess the risks of material misstatement in the financial
statements, through understanding the entity and its environment including
the entity’s internal control. One of the five components of internal control is
the control environment and it is recognised that the control environment
within small entities is likely to differ from larger entities. Many candidates
have not yet had the opportunity of working in larger entities, or have chosen
not to, so have not been exposed to working within the type of strong control
environment often referred to in auditing texts. Consequently, they often have
limited experience on which to draw when answering exam questions that
require anything other than superficial knowledge of an entity’s control
environment.
This article aims to provide common examples of matters the auditor needs to
consider when assessing an entity’s control environment, and in making an
assessment as to their impact on the risk of material misstatement in the
financial statements. Reflecting the general trend of exam questions testing
knowledge of this area, the article focuses on the need for the auditor of a large
limited liability company (in the UK – a limited company) to evaluate the
effectiveness of the company’s control environment.
A company’s control environment comprises seven elements each requiring
careful consideration by the company’s auditor, recognising that some
elements may be more pertinent than others – depending on the subject
company. Each one of these elements is identified below, along with an
explanation of specific practical aspects that may be considered by the auditor
when evaluating its effectiveness. Candidates should be aware that this process
forms part of the auditor’s assessment of the overall effectiveness of the
company’s internal control, relevant to the audit.
1 Communication and enforcement of integrity and ethical values
Many companies have high values and seek to promote honesty and integrity
among their employees on a day-to-day basis. Clearly, if it is evident that such
values do exist and are communicated effectively to employees and enforced,
this will have the effect of increasing confidence in the design, administration
and monitoring of controls – leading to a reduced risk of material
misstatement in a company’s financial statements. For example, where a
company adopts comprehensive anti-bribery and corruption policies and
2
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
procedures with regard to contract tendering, and has formal employee
notification and checking practices in this regard, it follows that there is
reduced risk of material misstatement due to the omission of provisions for
fines for the non-compliance with relevant laws and regulations. Alternatively,
the existence in a company of comprehensive and ethical procedures with
regard to the granting of credit facilities to customers and the pursuance of
payment of for goods and services supplied, together with regular supervisory
control in this respect, is likely to lead to increased audit confidence in the
trade receivables area. This is because the existence of a system allowing
goods and services to be a supplied on credit to customers provides the
opportunity for fraud to be perpetrated against the company by employees and
customers, particularly if controls are deficient in terms of their design or
implementation.
2 Commitment to competence
Competence is the knowledge and skills necessary to accomplish tasks that
define the individual’s job. It is self-evident that if individual employees are
tasked with carrying out duties that are beyond their competence levels, then
desired objectives are unlikely to be met. For example, there is an increased
probability that the objective of avoiding material misstatement in a set of
complex financial statements will not be met if prepared by an inexperienced
company accountant. This is simply due to the inexperience (translating to a
lower competence level) of the accountant. From this, it follows that the
auditor will have increased confidence in internal control relevant to the audit,
where management have taken measures to ensure employees who participate
in internal control are competent to carry out relevant tasks effectively.
Measures taken by management in this regard can cover a range of activity
including for example, rigorous technical and aptitude testing at the employee
recruitment stage and in-house or external training courses and mentoring
from more senior colleagues
3 Participation by those charged with governance
The directors of a limited liability/limited company are charged with the
company’s governance. As such, they are responsible for overseeing the
strategic direction of the company and its obligations related to its
accountability – for example, to governments, shareholders and to society in
general. In particular, in most jurisdictions the company’s directors are
responsible for the preparation of its financial statements. Given the influence
that the actions of directors have on a company’s internal control, the extent of
their day-to-day active involvement in the company’s operations has a
pervasive effect on the internal control of the company.
The extent to which directors do get involved will, to some extent, depend on
legislation or codes of practice setting out guidance for best practice in given
jurisdictions. For example, the UK Corporate Governance Code (with which
3
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
companies listed on the London Stock Exchange should comply) sets out
standards of good practice, including those pertaining to board leadership and
effectiveness. Notwithstanding legislation and codes of practice, the extent of
each director’s participation is largely influenced by the nature of their
professional discipline and their individual perspective about how they should
carry out their respective roles. Some may see themselves as micromanagers,
while others will trust subordinates to carry out defined duties with minimal
interference. Frequently, directors will be very experienced and adopt an arms-
length approach to getting involved in operational tasks. However, they may
insist on monitoring activity by way of receipt of formal narrative reports. Other
directors may adopt a more casual (but equally thorough!) ‘working alongside
subordinates’ approach as a method of monitoring activities.
All of the variables mentioned above with regard to director involvement,
should be important considerations of an auditor as part of the process of
ascertaining the extent of internal control in the company and in assessing its
effectiveness.
4 Management’s philosophy and operating style
A company’s board of directors will comprise of individuals each with a
different mind – set as to philosophy and operating style, manifested in
characteristics such as their:
• approach to taking and managing business risk
• attitudes and actions toward financial reporting
• attitudes toward information processing and accounting and functions
personnel.
Each of the above characteristics underlie a company’s control environment
and it is crucial for an auditor to have an understanding of them. Dealing with
each in turn:
Approach to taking and managing business risk. Business risk is the risk inherent
in a company as a consequence of its day-to-day operations and it comprises
several components. The first of these is financial risk – for example, the risk
that the company may have insufficient cash flow to continue in operation. The
second component is operational risk – for example, the risk that the
company’s product lines may decline in popularity leading to a sharp decline
in sales and profitability. The final component of business risk is compliance
risk – for example, the risk that the company may be in breach of health and
safety regulations, leading to the possibility of hefty fines or even the
closedown of operational activity.
Candidates should be aware that a risk-based approach to an audit requires
the identification and assessment of inherent risk factors and then of the
control risk pertaining to these, in order to determine the risk of material
4
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
misstatement, prior to carrying out substantive procedures. By adopting a
top-down approach to the audit and first identifying business risks, auditors
should be able to identify the associated inherent risks arising. They can then
progress through the audit using the audit risk model (audit risk = the risk of
material misstatement x detection risk) to determine the amount of detailed
testing required in each area of the financial statements. To illustrate this
approach, referring to the compliance risk example above, an inherent risk
arising from the risk of a breach of health and safety regulations. As a
consequence, there is a risk that the company’s liabilities may be understated
due to the omission of a provision required in the financial statements, in
respect of a fine for a non-compliance.
The directors’ approach to taking and managing business risk has obvious
ramifications on a company’s financial statements, and the auditor should be
aware of the various factors that influence directors in this area, and of
applicable controls in place. It is often the case that a newly established
company with young entrepreneurial directors and a flat management
structure will have a more liberal approach to taking and managing business
risk than a well-established company with more experienced directors, and a
steep hierarchical management structure. Consequently, it is likely that there
would be a lower level of a risk of material misstatement in the financial
statements of the latter company.
Attitude and actions toward financial reporting. Financial Reporting Standards
exist to help facilitate fairness, consistency and transparency of financial
reporting. However, some determinants of profitability such as the measure of
depreciation, the valuation of inventory or the amount of a provision remain
open to the subjective judgment of management. Consequently, the auditor
needs to gain an understanding of directors’ attitudes and actions to financial
reporting issues and then make a judgment as to the extent of reliance that
can be placed upon these. It may be that a company that is struggling in a
faltering economy, and in another driven by a culture to report increasing
profits, there is a tendency to adopt aggressive (as opposed to conservative)
accounting principles, in order to meet profit expectations. Clearly, on such
audit engagements it is important for the auditor to remain resolute in
exercising appropriate levels of professional sceptism throughout.
Attitude towards information processing and accounting functions and personnel.
Properly financed and resourced with sufficient numbers of appropriately
qualified staff and contemporary information and communications technology,
the financial reporting (accounting) and information processing functions of a
company are vital to a company’s ongoing existence. They are key to the
facilitation of compliance with laws and regulations, transactions with third
parties, administration and control systems and in the provision of information
for decision making. In most very large companies many aspects of the
5
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
accounting function are inextricably intertwined with specific aspects of the
company’s information processing systems, and there is an ongoing
programme of investment in these, to ensure that the accounting and
information processing systems are contemporary and fit for purpose. This is
reflective of a situation where directors recognise that business risk will be
significantly reduced, if the company has effective information processing and
accounting functions. However, this situation does not apply to all companies.
In some, both functions may be seen by the directors merely as necessary
functional overhead areas of the business and, as such, they become
under-funded and inadequately resourced in terms of staffing and equipment.
An auditor engaged on an audit in such a company should be aware that there
is an increased risk of material misstatement in the financial statements.
5 Organisational structure
ISA 315 describes a company’s organisational structure as being ‘the
framework within which an entity’s activities for achieving its objectives are
planned, executed, controlled and reviewed’. The appendix to the ISA then
explains ‘that the appropriateness of an entity’s organisational structure
depends, in part, on its size and the nature of its activities’. It follows from this
that an international consulting company with offices and operations in several
countries has different priorities in terms of organisational structure to a
national car sales company with several offices and a number of sales
branches in a single country. Similarly, the organisational structure deemed
suitable for such a car sales company would not be appropriate for a single
site manufacturing company. Generally, an auditor may reasonably expect
there to be a positive correlation between the level of inherent risk and the size
and complexity of a company’s operations. In assessing, the level of the risk of
material misstatement the auditor should consider as to whether the
company’s organisational structure in terms of authority, responsibility and
lines of reporting meet desired objectives.
6 Assignment of authority and responsibility
Normally, the larger a company’s scale of operations, then the larger the size of
the workforce and, inevitably, the larger the amount of assignment of authority
and responsibility that is required. Consequently, companies need to deal not
only with ensuring that appropriate levels of authority and responsibility are
assigned to appropriately qualified and experienced individuals. They also need
to ensure that adequate reporting relationships and authorisation hierarchies
are in place. Additionally, individuals need to be properly resourced and made
fully aware of their responsibilities and of how their actions interrelate with the
actions of others and contribute to the objectives of the company. If a company
is not successful in meeting each of these needs, then there is an increased
probability of ineffective decisions, errors and oversights by employees leading
to an increased risk of material misstatement in its financial statements. For
example, where a wages clerk is authorised to process the wages payroll and is
6
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
then assigned the (inappropriate!) authority to enter new employee details into
the wages master file.
7 Human resources policies and practices
As explained in ISA 315, ‘human resource policies and practices demonstrate
important matters in relation to the control consciousness of an entity’. This
implies that if human resources policies and practices are considered to be
sound both in design and in implementation over a range of matters, then the
risk of material misstatement will be reduced.
Examples of these matters include:
• Recruitment policies and procedures. These should ensure that only
competent individuals with integrity are employed by the company.
Interview procedures should ensure that only candidates meeting the
company’s criteria for recruitment are engaged.
• There should be adequate induction procedures for new employees, such
that they can carry out their assigned responsibilities effectively and
efficiently soon after being engaged by the company.
• Employees should be provided with ongoing training, support and
mentoring as appropriate, such that they can continue to carry out their
assigned responsibilities effectively and efficiently.
• There should be regular formal appraisal, at least annually of an
employee’s performance. Performance should be measured against
standardised criteria authorised by senior management of the company,
and there should be ongoing monitoring and feedback to employees
about their performance and development needs.
• The company should employ comprehensive and transparent
employment grievance procedures, such that employees can be
confident that grievances will be dealt with openly and impartially.
• There should be open, transparent and equitable employee disciplinary
procedures, such that employees can be confident they will not be
treated unfairly by the company in the event that an action triggers its
disciplinary process.
• Employment termination procedures should incorporate provision for an
exit interview so that the reason for the termination can be confirmed or
clarified, all emoluments due to the employee can be settled and
arrangements can be made for the return of all company assets prior to
the termination date.
While each of the above measures will have a positive impact on the internal
control of a company, to some extent they all have the effect of reducing the
risk of material misstatement in the financial statements. For example, the
existence of fair and robust grievance and disciplinary procedures reduce the
possibility of a successful claim against the company for constructive or unfair
dismissal, and the absence of a material provision in this respect. Significantly,
7
THE CONTROL ENVIRONMENT OF A COMPANY
MARCH 2013
© 2013 ACCA
the existence of human resources policies and practices that are the same or
similar to those above should leave a favourable impression with the auditor,
as to the directors’ attitude toward their company’s workforce. It is likely that
such an attitude would foster good working relationships with employees,
leading to an increased likelihood that individuals would reciprocate by
carrying out their tasks diligently with integrity in the best interests of the
company – resulting in a reduced risk of material misstatement.
Summary
As indicated at the beginning of this article, the purpose of it is to provide
candidates with a more detailed appreciation of matters pertinent to an
auditor, when evaluating the control environment of a limited liability/limited
company. When asked to explain what is meant by the term ‘control
environment’, they typically comment that it is a component of a company’s
internal control and that it centres around how a company is operated by its
management, reflecting such matters as their philosophy and operating style.
While there is some merit in this answer, having now read the above
commentary, candidates should be aware that the term has much more
meaning than that.
Reference
ISA 315, Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment
Written by a member of the audit examination team
doc_602516843.pdf