What is the Control Environment?
ISA 315.21(a) requires the auditor to evaluate the control environment on every engagement. This is not optional and does not depend on the planned audit approach. Whether you intend to rely on controls or take a fully substantive approach, the control environment evaluation must be performed because it informs the overall risk assessment.
ISA 315.A77 identifies the elements that make up the control environment: the entity's commitment to integrity and ethical values, the oversight role of those charged with governance, the organisational structure, the assignment of authority and responsibility, and human resource policies and practices. These elements set the tone for how the entity operates and whether internal control is taken seriously at every level.
The sharpest test comes from ISA 315.A85: if management can override controls without consequence, the control environment is weak regardless of what the policy manual says. A company may have a comprehensive code of conduct, segregation of duties charts, and a whistleblower hotline. If the managing director routinely approves payments outside the authorisation matrix and no one questions it, those policies are decoration. The evaluation is about behaviour, not documentation.
Key points
- ISA 315.21(a) requires evaluation on every engagement, regardless of the planned audit approach.
- The control environment is about behaviour, not policies on paper.
- ISA 315.A85 is the sharpest test: if management overrides without consequence, the environment is weak.
- A weak control environment increases risk across all financial statement assertions.
Why it matters in practice
The AFM has identified control environment assessments as a recurring weak point in inspection findings. Teams document the governance structure — the board composition, the reporting lines, the existence of an audit committee — without evaluating whether those structures actually function. The file shows what exists on paper but not how it operates in practice.
On smaller engagements, teams frequently skip the control environment evaluation on the assumption that a fully substantive approach makes it irrelevant. ISA 315.21(a) does not allow this. The control environment informs the risk assessment, which in turn determines the nature, timing, and extent of substantive procedures. A weak control environment on a substantive engagement means higher assessed risk and more extensive testing, not the same testing with the evaluation omitted.
ISA 315.24 links the control environment directly to the risk assessment. A control environment that permits management override without challenge increases the risk of material misstatement due to fraud. This affects how the team designs its response to fraud risk under ISA 240, not just the controls reliance decision.
Key standard references
- ISA 315.21(a): Requires evaluation of the control environment on every engagement.
- ISA 315.A77: Identifies the elements of the control environment.
- ISA 315.A85: Tests whether management can override controls without consequence.
- ISA 315.24: Links the control environment to the overall risk assessment.
Frequently asked questions
Must the control environment be evaluated on a fully substantive engagement?
Yes. ISA 315.21(a) requires this evaluation on every engagement, regardless of the planned audit approach. The control environment informs the overall risk assessment, not just the controls reliance decision.
How does the auditor distinguish a strong control environment from a weak one?
ISA 315.A85 provides the sharpest test: if management can override controls without consequence, the environment is weak regardless of what policies say. The evaluation is about behaviour, not documentation.