Internal Control Evaluation

Standard on Internal Audit (SIA) 12: Internal Control Evaluation

Internal Control Evaluation

The Standard on Internal Audit 12 or SIA 12 states the rules and regulations related to the evaluation of the Internal Control System in an organization. The contents of the internal control evaluation are as follows-

  1. Introduction

This standard has been laid down by ICAI to achieve the following-

  1. Control Environment

The factors that are reflected during the environment of Internal Control evaluation are-

  • Organizational structure of the company
  • Control system of the management
  • Philosophy and style of operating of the management
  • Company’s integrity and ethical values
  • Commitment to competency
  • Functioning of the governing body and the Board of Directors in the company
  • Policies and practices of the human resource
  1. Inherent Limitations of Internal Controls

The Internal Control Evaluation mechanism also thoroughly investigates any inherent limitations to the control processes. These limitations are-

  • Human error potentiality
  • Manipulations by the company’s management
  • Analysis of cost benefits
  • Circumvention of the Internal Control methods by the parties inside or outside the organization
  • Power misuse
  1. Role of Internal Auditor

The auditor’s role and responsibility in the Internal Control Evaluation involves the following-

  • Using the control frameworks appropriately
  • Developing self-assessment mechanism for controls
  • Evaluating the efficacy and efficiency of the internal controls
  • Wherever required, recommending new methods of control
  • Suggesting to discontinue any unnecessary methods of control
  1. Areas of Review for Internal Auditor

The areas that must be reviewed by the Internal Auditor while performing the Internal Audit Activities are-

  • Personnel allocation and appraisal system
  • Development policies
  • Operational framework
  • Standards of documentation
  • Degree of the supervision of the management
  • Structure of Risk management
  • Communication channels and information and technology system
  • Procedures and processes followed by the company
  • Observing the entity’s vision, mission, ethical and organizational value-system
  • Continuity of business and the procedures of disaster recovery
  • Key indicators of measurement and performance and their objectivity
  • Policies related to financial and accounting reporting
  • Compliance with the regulatory standards and applicable legal provisions
  1. Evaluation of Internal Control

It involves the following-

  • Assessment of risks at the entity level
  • Assessment of the risk at the process or activity level
  • Ensuring identification of all the risks in the entity
  • Preparation of the business control worksheet
  • Verification of the statement of mission and the goals and objectives in written format
  • Ascertainment of risks for which there are no control measures or the already existing measures are inadequate
  1. System Driven Environment

It determines whether the entity uses the following or not-

  • Software for virus protection
  • Tools for encryption
  • Passwords to restrict the user access to networks, applications and data
  • Protocols for protecting all the confidential data or sensitive information
  • Back-ups and restore features for reducing the risk of losing the data permanently
  1. Tests of Control

Testing the controls in the organization is very important activity in the Internal Control Evaluation. These are to be performed for obtaining effectiveness in the following-

  • The internal control system designs
  • Analysis of cost benefits
  • Inspection of documents
  • Inquiries and observations
  • Re-performance and reconciliation proceedings
  • Testing of the internal controls
  • Operation of the control methods throughout the period of operating
  1. Communication of Internal Control Weakness

The weaknesses that have been identified by the auditor during the Internal Control Evaluation are to be communicated properly. If in any case these weaknesses continue to exist in the internal control methods, then these must be considered-

  • Acceptance of the inherent risks with the control weakness by the management
  • Increased supervision and monitoring by the management
  • Institution of additional and compensating control methods.
  1. Disclosure

The report submitted by the internal auditor to the company’s management should have the following-

  • Opinions about the possible effects of the internal control weaknesses on the control environment of the entity
  • Description about the deficiencies that are of significance and weaknesses in material of the internal control


Author: Anil Agrawal
EZYBIZ India Consulting LLP, New Delhi. The firm is business and tax consultancy firm providing consultancy in Taxation, Regulatory, Transfer pricing, Valuation, Corporate funding and Business set up matters. He may be reached at 9899217778 or