Internal Controls and Risk Management in Audit and Assurance

Expert-defined terms from the Postgraduate Certificate in Audit and Assurance course at London School of Planning and Management.

Internal Controls

Internal controls are processes implemented by an organization's management, boa…

Internal controls help safeguard assets, ensure accurate financial reporting, promote operational efficiency, and encourage adherence to policies and procedures.

Risk Management

Risk management involves identifying, assessing, and prioritizing risks followed…

Effective risk management enables organizations to make informed decisions, allocate resources efficiently, and achieve strategic objectives.

Audit

An audit is an independent examination of an organization's financial statements…

Audits are typically conducted by external auditors to provide assurance to stakeholders regarding the reliability of financial information presented by the organization.

Assurance

Assurance refers to the process of providing confidence to stakeholders that an…

Assurance services can be performed by internal or external auditors and are designed to enhance the credibility and reliability of information provided by the organization.

Compliance

Compliance refers to the act of adhering to laws, regulations, policies, and pro…

Compliance ensures that the organization operates within the boundaries set by authorities and industry standards, thereby minimizing legal and reputational risks.

Control Environment

The control environment represents the overall attitude, awareness, and actions…

A strong control environment promotes a culture of accountability, integrity, and ethical behavior, which is essential for effective internal control implementation.

Control Activities

Control activities are the policies, procedures, and practices established by ma…

Control activities can include segregation of duties, authorization procedures, physical controls, and information processing controls, among others.

Risk Assessment

Risk assessment involves identifying and analyzing potential risks that may affe…

By assessing risks, organizations can prioritize their response strategies and allocate resources accordingly to mitigate the impact of potential threats.

Monitoring

Monitoring is the process of assessing the effectiveness of internal controls ov…

Monitoring activities can include ongoing monitoring, separate evaluations, and periodic assessments to identify deficiencies and implement corrective actions.

Information and Communication

Information and communication are essential components of internal control syste…

Effective communication helps stakeholders understand roles and responsibilities, objectives, risks, and expectations.

Audit Evidence

Audit evidence refers to the information gathered and documented by auditors dur…

Audit evidence can take various forms, such as documents, records, physical observations, inquiries, and calculations, and should be sufficient, reliable, and relevant to provide a basis for the audit opinion.

Audit Risk

Audit risk is the risk that auditors may express an inappropriate opinion on an…

Audit risk comprises inherent risk, control risk, and detection risk, and auditors must assess and manage these risks to ensure the reliability of their audit opinions.

Inherent Risk

Inherent risk is the susceptibility of an account balance, class of transactions…

Inherent risk is influenced by various factors, such as complexity, volatility, and industry trends, and auditors consider inherent risk when planning and performing audit procedures.

Control Risk

Control risk is the risk that a material misstatement could occur in an account…

Control risk assessment is based on the effectiveness of internal control activities implemented by the organization.

Detection Risk

Detection risk is the risk that auditors' substantive procedures will not detect…

Auditors can control detection risk by performing appropriate audit procedures, considering the effectiveness of internal controls and the nature of the account balances.

Audit Planning

Audit planning involves developing an overall audit strategy, determining the sc…

Audit planning helps auditors identify key risks, allocate resources efficiently, and set the direction for conducting the audit in a systematic and organized manner.

Audit Procedures

Audit procedures are specific tests and activities performed by auditors to obta…

Audit procedures can be substantive procedures (tests of details or substantive analytical procedures) or tests of controls, depending on the audit objectives and risks identified.

Materiality

Materiality is the concept that misstatements, errors, or omissions in financial…

Auditors consider materiality when planning and performing audit procedures, as material misstatements may impact the overall fairness and reliability of financial information.

Audit Sampling

Audit sampling is the process of selecting a representative sample of items from…

Auditors use statistical or non-statistical sampling methods to draw conclusions about the entire population based on the results obtained from the sample, balancing efficiency and effectiveness in audit procedures.

Internal Audit

Internal audit is an independent, objective assurance and consulting activity de…

Internal auditors evaluate internal controls, risk management processes, and governance practices to provide recommendations for enhancing organizational performance and achieving strategic objectives.

External Audit

External audit is an independent examination of an organization's financial stat…

External audit reports are typically issued to stakeholders, such as shareholders, creditors, and regulators, to enhance the credibility and reliability of financial information.

Integrated Audit

An integrated audit is an audit engagement that combines financial statement aud…

Integrated audits aim to provide assurance on both the accuracy of financial statements and the effectiveness of internal controls to enhance financial reporting reliability.

Control Self-Assessment

Control self-assessment (CSA) is a technique used by organizations to assess the effectiveness of internal controls by involving employees in evaluating risks, controls, and compliance within their areas of responsibility. CSA promotes ownership and accountability for internal control processes and helps identify control weaknesses for remediation.

Enterprise Risk Management

Enterprise risk management (ERM) is a holistic approach to managing risks across…

ERM integrates risk management practices into daily operations to enhance decision-making, resource allocation, and performance monitoring.

Fraud Risk Assessment

Fraud risk assessment is the process of identifying and evaluating the likelihoo…

Auditors assess fraud risks by considering fraud risk factors, indicators, and controls to detect and prevent fraudulent activities within the organization.

Whistleblowing

Whistleblowing is the act of reporting unethical, illegal, or fraudulent activit…

Whistleblower protection laws are designed to encourage individuals to report wrongdoing without fear of retaliation and to promote transparency and accountability in organizations.

Conflict of Interest

A conflict of interest arises when an individual's personal interests or loyalti…

Conflicts of interest can compromise objectivity, integrity, and decision-making processes, leading to ethical dilemmas and potential risks for the organization.

Segregation of Duties

Segregation of duties is the practice of dividing responsibilities among differe…

Segregation of duties ensures that no single individual has control over all aspects of a transaction, preventing unauthorized activities and enhancing internal controls.

Information Technology Controls

Information technology controls are measures designed to protect and secure an o…

IT controls include access controls, change management controls, backup and recovery procedures, and security measures to mitigate risks associated with IT operations and data management.

Cybersecurity

Cybersecurity refers to the protection of computer systems, networks, and data f…

Effective cybersecurity measures include network security, endpoint protection, encryption, and security awareness training to prevent unauthorized access and data breaches.

Data Analytics

Data analytics is the process of analyzing and interpreting large datasets to un…

Auditors use data analytics tools and techniques to perform substantive tests, identify anomalies, and enhance the efficiency and effectiveness of audit procedures.

Continuous Auditing

Continuous auditing is a methodology that uses automated tools and technologies…

Continuous auditing allows auditors to detect anomalies, errors, and deviations promptly, improving the timeliness and accuracy of audit findings and recommendations.

Internal Audit Charter

An internal audit charter is a formal document that defines the purpose, authori…

The internal audit charter outlines the objectives, independence, reporting lines, and quality assurance processes to guide internal auditors in performing their duties effectively.

Audit Committee

An audit committee is a subcommittee of the board of directors responsible for o…

The audit committee provides independent oversight and governance to ensure the integrity and transparency of financial reporting practices.

Independence

Independence refers to the state of being free from bias, conflicts of interest,…

Auditors must maintain independence in fact and appearance to provide unbiased and reliable audit opinions and to comply with professional standards and ethical principles.

Professional Skepticism

Professional skepticism is an attitude that auditors maintain throughout the aud…

Professional skepticism helps auditors exercise critical thinking, gather sufficient audit evidence, and detect signs of misstatement or irregularities in financial information.

Going Concern

Going concern refers to the assumption that an organization will continue its op…

Auditors assess the entity's ability to continue as a going concern when evaluating financial statement presentation and disclosure requirements in accordance with auditing standards.

Subsequent Events

Subsequent events are events or transactions that occur between the end of the r…

Auditors evaluate subsequent events to assess their impact on the financial position, results of operations, and cash flows of the organization.

Management Representation

Management representation refers to written or oral statements provided by manag…

Management representations are obtained to confirm management's responsibilities, representations, and commitments related to the audit process.

Internal Control Deficiency

An internal control deficiency is a weakness or gap in the design or operation o…

Internal control deficiencies are classified as significant deficiencies or material weaknesses based on their impact on financial reporting and control effectiveness.

Audit Report

An audit report is a formal document issued by auditors that communicates the re…

Audit reports provide stakeholders with assurance regarding the reliability and accuracy of financial information presented by the organization.

Qualified Opinion

A qualified opinion is an auditor's report that expresses reservations about cer…

A qualified opinion indicates that the financial statements are fairly presented except for the specific issues identified by auditors.

Adverse Opinion

An adverse opinion is an auditor's report that concludes the financial statement…

An adverse opinion is issued when auditors identify pervasive issues or material misstatements that significantly impact the overall reliability of financial information.

Disclaimer of Opinion

A disclaimer of opinion is an auditor's report that states the auditor is unable…

A disclaimer of opinion indicates that auditors cannot provide assurance on the fairness of financial information.

Internal Audit Plan

An internal audit plan is a formal document that outlines the scope, objectives,…

Internal audit plans are developed based on risk assessments, stakeholder expectations, regulatory requirements, and strategic priorities to guide internal auditors in performing their duties effectively.

Internal Audit Report

An internal audit report is a formal document issued by internal auditors that c…

Internal audit reports provide insights on internal control effectiveness, risk management practices, and compliance with policies and procedures to support decision-making and performance improvement.

Internal Audit Quality Assurance

Internal audit quality assurance refers to the processes, activities, and measur…

Quality assurance practices include internal assessments, external assessments, and ongoing monitoring to enhance the value and credibility of internal audit activities.

Internal Audit Follow-Up

Internal audit follow-up is the process of tracking and monitoring the implementation of internal audit recommendations by management to address control deficiencies, improve processes, and enhance organizational performance. Internal auditors perform follow-up reviews to evaluate the progress and impact of corrective actions taken by management in response to audit findings.

External Audit Firm

An external audit firm is an independent accounting firm engaged by an organizat…

External audit firms follow professional standards, ethical principles, and regulatory requirements to deliver high-quality audit services and maintain audit independence.

Material Weakness

A material weakness is a significant deficiency in internal control over financi…

Material weaknesses are reported to management, audit committees, and regulators to address control deficiencies and enhance financial reporting reliability.

Significant Deficiency

A significant deficiency is a control deficiency in internal control over financ…

Significant deficiencies are communicated to stakeholders to address control weaknesses, improve processes, and strengthen internal controls within the organization.

Control Environment Assessment

A control environment assessment is a review and evaluation of an organization's…

Control environment assessments help auditors understand the tone at the top, organizational culture, and governance practices to assess the effectiveness of internal controls and risk management processes.

Control Activities Testing

Control activities testing involves evaluating the design and operating effectiv…

Auditors perform control activities testing through walkthroughs, observations, inquiries, and testing procedures to assess the reliability and efficiency of internal controls in preventing or detecting errors or fraud.

Internal Control Framework

An internal control framework is a structured set of guidelines, principles, and…

Common internal control frameworks include COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technologies), which provide best practices for control implementation and evaluation.

Risk Assessment Procedures

Risk assessment procedures involve identifying, analyzing, and evaluating risks…

Auditors perform risk assessment procedures to understand the entity's risk environment, prioritize audit resources, and design appropriate audit procedures to address significant risks within the organization.

Internal Control Monitoring

Internal control monitoring is the ongoing process of assessing and evaluating t…

Internal control monitoring activities include management reviews, self-assessments, internal audit testing, and control self-assessments to detect deficiencies and implement corrective actions.

Information Technology General Controls

Information technology general controls (ITGCs) are controls that govern the ove…

ITGCs include access controls, change management controls, backup and recovery procedures, and security policies to protect IT assets and data from unauthorized access or misuse.

Internal Control Documentation

Internal control documentation refers to the records, policies, procedures, and…

Internal control documentation includes process narratives, flowcharts, control matrices, control descriptions, and testing results to support the effectiveness and reliability of internal controls.

Control Environment Factors

Control environment factors are elements that influence the effectiveness and in…

Control environment factors set the tone at the top, shape organizational culture, and influence employee behavior towards compliance, risk management, and accountability.

Segregation of Duties Matrix

A segregation of duties matrix is a tool used to map and document the segregatio…

The segregation of duties matrix identifies roles, responsibilities, and access rights to prevent conflicts of interest, errors, and fraud by ensuring that critical functions are divided among different individuals to enhance internal controls.

Internal Control Testing

Internal control testing is the process of evaluating the design and operating e…

Auditors perform internal control testing through walkthroughs, inquiries, observations, and testing procedures to obtain audit evidence and support their conclusions.

Control Environment Weakness

A control environment weakness refers to deficiencies in an organization's contr…

Control environment weaknesses can undermine the effectiveness of internal controls, increase the risk of fraud or errors, and impair the organization's ability to achieve its objectives.
