[The following appendix was effective for audits of financial statements for periods beginning on or after June 1, 2001. Earlier application was permissible. It was deleted as a result of the adoption of Auditing Standard No. 5, effective for audits of fiscal years ending on or after November 15, 2007. See PCAOB Release 2007-005A.

Return to the current version.]


Internal Control Components


1.    This appendix discusses the five internal control components set forth in paragraph .07 and further described in paragraphs .34 through .57 as they relate to a financial statement audit.

Control Environment

2.    The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

3.    The control environment encompasses the following factors:

  1. Integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of the entity's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.
  2. Commitment to competence. Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
  3. Board of directors or audit committee participation. An entity's control consciousness is influenced significantly by the entity's board of directors or audit committee. Attributes include the board or audit committee's independence from management, the experience and stature of its members, the extent of its involvement and scrutiny of activities, the appropriateness of its actions, the degree to which difficult questions are raised and pursued with management, and its interaction with internal and external auditors.
  4. Management's philosophy and operating style. Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management's approach to taking and monitoring business risks; management's attitudes and actions toward financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management's attitudes toward information processing and accounting functions and personnel.
  5. Organizational structure. An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities.
  6. Assignment of authority and responsibility. This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
  7. Human resource policies and practices. Human resource policies and practices relate to hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial actions. For example, standards for hiring the most qualified individuals—with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior—demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behavior. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.

Application to Small and Midsized Entities

4.    Small and midsized entities may implement the control environment factors differently than larger entities. For example, smaller entities might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, smaller entities may not have an independent or outside member on their board of directors.

Risk Assessment

5.    An entity's risk assessment for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

6.    Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

  • Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
  • New personnel. New personnel may have a different focus on or understanding of internal control.
  • New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.
  • Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
  • New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
  • New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
  • Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
  • Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
  • New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

Application to Small and Midsized Entities

7.    The basic concepts of the risk assessment process should be present in every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small and midsized entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in smaller entities. Management may be able to learn about risks related to these objectives through direct personal involvement with employees and outside parties.

Control Activities

8.    Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels.

9.    Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:

  • Performance reviews. These control activities include reviews of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data—operating or financial—to one another, together with analyses of the relationships and investigative and corrective actions; and review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.
  • Information processing. A variety of controls are performed to check accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control activities are application controls and general controls. Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. General controls commonly include controls over data center and network operations; system software acquisition and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.
  • Physical controls. These activities encompass the physical security of assets, including adequate safeguards such as secured facilities, over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records. The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. For example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.
  • Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties.

Application to Small and Midsized Entities

10.    The concepts underlying control activities in small or midsized organizations are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, smaller entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in smaller organizations. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.

Information and Communication

11.    An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology.

12.    The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in monitoring and other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.

13.    Accordingly, an information system encompasses methods and records that—

  • Identify and record all valid transactions.
  • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
  • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
  • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
  • Present properly the transactions and related disclosures in the financial statements.

14.    Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.

15.    Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Application to Small and Midsized Entities

16.    Information systems in small or midsized organizations are likely to be less formal than in larger organizations, but their role is just as significant. Smaller entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small or midsized company than in a larger enterprise due to the smaller organization's size and fewer levels as well as management's greater visibility and availability.


17.    Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

18.    Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.

19.    In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's activities through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.

20.    Monitoring activities may include using information from communications from external parties. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities.

Application to Small and Midsized Entities

21.    Ongoing monitoring activities of small and midsized entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data.

Copyright © 2002, American Institute of Certified Public Accountants, Inc.