Internal Control Components: The Control Environment


The control environment is the foundation for effective internal control, providing discipline and structure for the entity.

It sets the tone of an organisation, influencing its people’s control consciousness or awareness.

The control environment addresses the governance and management functions. It also addresses the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance.

Note: Control-environment controls are generally pervasive in nature.

They will not directly prevent or detect and correct a material misstatement. Instead, they form an important foundation upon which all other controls will be built.







Exhibit 5.3-1 outlines the various elements of the control environment that need to be considered. Note that the importance and order (priority) of these elements will inevitably vary from entity to entity.


Control environment controls will influence the auditor’s evaluation of the effectiveness of other control activities that may address specific areas such as sales and purchase transactions.

For example, if management has a negative attitude toward control in general, this will undermine the effectiveness of other controls (such as those over sales) no matter how well they were designed.

The auditor’s evaluation of the design of the entity’s control environment would include the elements set out below.




Key Elements to Address

Communication and Enforcement of Integrity and Other Ethical Values

Integrity and ethical values are essential (foundational) elements which influence the effectiveness of the design, administration, and monitoring of other controls.



Commitment to Competence

Management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.



Participation by Those Charged with Governance

Attributes of those charged with governance, such as

  • Their independence from management;
  • Their experience and stature;
  • The extent of their involvement, the information they receive, and their scrutiny of activities; and
  • The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors.




Management’s Philosophy and Operating Style

Management’s approach to taking and managing business risks and management’s attitudes and actions toward financial reporting, information processing, accounting functions, and personnel.



Organisational Structure

The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed.



Assignment of Authority and Responsibility

How authority and responsibility for operating activities are assigned, and how reporting relationships and authorisation hierarchies are established.



Human Resources Policies and Practices

Recruitment, orientation, training, evaluating, counselling, promoting, compensating, and remedial actions.



The controls outlined above are pervasive to the entire entity and are often more subjective to evaluate than the traditional control activities (such as segregation of duties).

Therefore, the auditor will exercise professional judgment in this evaluation. Control-environment strengths can compensate for or even replace weak transactional controls in some situations.

However, control-environment weaknesses can undermine and even negate good design in other components of internal control.

For example, if a culture of honesty and ethical behaviour did not exist, the auditor would have to consider carefully what types of (additional) audit procedures would be effective in finding material misstatements in the financial statements.

In some cases, the auditor may conclude that internal control has broken down to such an extent that the only option is to withdraw.






The Control Environment in Smaller Entities

The control environment within small entities will differ from larger entities but is just as important.

This is particularly true when the entity does not have the staff or resources to implement traditional control activities such as the segregation of duties.

In smaller entities, the active involvement of a competent owner-manager (a control-environment strength) may reduce the need for other control activities, such as the segregation of duties.

Consequently, control environment strengths can serve to prevent or detect and correct certain types of misstatement indirectly.





For example, when the owner-manager reviews and approves individual transactions before they are completed, it may serve to prevent or detect and correct certain specific errors or fraud.

However, this control environment strength would not mitigate other risks, such as management override of controls.

Smaller entities will typically have less documentation available to support control environment controls.

Consequently, the attitudes, awareness, and actions of management (such as owner-managers) will often form the basis for evaluating control design and implementation.

For example, larger entities will likely provide staff with a code of conduct that outlines acceptable behaviours and consequences for violating codes or rules.

Smaller entities may communicate similar values and acceptable behaviour through oral communications and by management example.

The auditor will prepare a memorandum for the file if there is no supporting documentation for a particular control.

For example, in addressing whether there is communication and enforcement of integrity and ethical values, the auditor could:

  • Identify the entity’s values, acceptable behaviours, and enforcement actions through discussions with management. The auditor would then assess whether they sufficiently address the control design.
  • Ask one or two employees what they believe are the entity’s values, acceptable behaviours, and enforcement actions. These interviews would address whether management’s values and acceptable behaviours have been communicated and enforced. This would address control implementation.









Small entities are often reluctant to document internal controls which operate informally. However, management can often benefit from taking the time to document some of the more important policies and procedures. Such policies and procedures could be provided to staff joining the entity, and audit time may be saved versus making inquiries each period. In the example cited above, even the smallest entity could prepare a simple statement of values and acceptable behaviours that could be provided to employees and then referred to when an issue arises.

In smaller entities, some key areas to address in assessing the control environment are outlined in the exhibit below.


1. Control Element: Communication and Enforcement of Integrity and Ethical Values

The Key Question: What management actions serve to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts?

Possible Controls:

  • Management continually demonstrates a commitment to high ethical standards through words and actions.
  • Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts.
  • A code of conduct or equivalent exists that sets out expected standards of ethical and moral behaviour.
  • Employees clearly understand acceptable and unacceptable behaviour and know what to do when encountering improper behaviour.
  • Enforcement actions are taken when needed.





2. Control Element: Commitment to Competence

The Key Question: Do personnel have the knowledge and skills necessary to accomplish their tasks?

Possible Controls:

  • Management takes the necessary steps to ensure that personnel have the requisite knowledge and skills required for their jobs.
  • Job descriptions exist and are effectively used.
  • Management provides personnel with access to training programs on relevant topics.
  • Initial and ongoing matching of staff skills to their job descriptions.





3. Control Element: Participation by Those Charged With Governance (TCWG) (Other than Where Management is TCWG)

The Key Question: How effective is the governance (if any) being provided over entity operations?

Possible Controls:

  • A majority of TCWG are independent of management.
  • TCWG have the appropriate experience, stature, and financial expertise.
  • Significant issues and financial results are communicated to TCWG promptly.
  • TCWG provide effective oversight over management’s activities. This includes raising difficult questions and pursuing answers.
  • TCWG meet regularly, and minutes of meetings are circulated on a timely basis.





4. Control Element: Management’s Philosophy and Operating Style

The Key Question: What are management’s attitudes and actions toward financial reporting?

Possible Controls:

  • Management demonstrates positive attitudes and actions toward:
    • Sound internal control over financial reporting (including management override and other fraud),
    • Appropriate selection/application of accounting policies,
    • Information-processing controls, and
    • The treatment of accounting personnel.
  • Management has established procedures to prevent unauthorised access to or destruction of assets, documents, and records.
  • Management analyses business risks and takes appropriate action.





5. Control Element: Organisational Structure

The Key Question: Has a relevant organisational structure been established?

Possible Controls:

  • The organisational structure is appropriate to facilitate the achievement of entity objectives, operating functions, and regulatory requirements.
  • Management clearly understands its responsibility and authority for business activities and possesses the requisite experience and levels of knowledge to properly execute its positions.
  • The entity structure facilitates the flow of reliable and timely information to the appropriate people for planning and controlling activities.
  • Incompatible duties are segregated to the extent possible.





6. Control Element: Assignment of Authority and Responsibility

The Key Question: Have key areas of authority and responsibility been appropriately assigned?

Possible Controls:

  • There are policies and procedures for the authorisation and approval of transactions.
  • Appropriate lines of reporting and accountability exist (appropriate to the entity’s size and the nature of its activities).
  • Job descriptions include control-related responsibilities.





7. Control Element: Human Resources Policies and Practices

The Key Question: What standards are in place to ensure:

  • Recruitment of the most competent and trustworthy people?
  • Training is provided to ensure people can perform their jobs?
  • Promotions are driven by performance appraisals?

Possible Controls:

  • Management establishes/enforces standards for hiring the most qualified individuals.
  • Recruiting practices include employment interviews, background checks, communication of values, expected behaviours, and management’s operating style.
  • Job performance is periodically evaluated, the results reviewed with each employee, and appropriate action is taken.
  • Training policies address prospective roles and responsibilities, expected levels of performance, and evolving needs.






