What is an Internal Control Assessment?
ISA 315.26 requires the auditor to evaluate the design of controls relevant to the audit and determine whether they have been implemented. This evaluation is mandatory on every engagement, regardless of whether the auditor plans to rely on controls or follow a fully substantive approach. The question of whether to test operating effectiveness (ISA 330.8) is separate and only arises when the auditor intends to rely on controls to reduce substantive testing, or when substantive procedures alone cannot provide sufficient appropriate evidence for a particular assertion.
The assessment covers all five components of internal control as defined by ISA 315 (Revised 2019): the control environment (ISA 315.21), the entity's risk assessment process (ISA 315.22), monitoring of controls (ISA 315.23), the information system including related business processes (ISA 315.24–25), and control activities (ISA 315.26). The 2019 revision expanded the scope to explicitly include IT general controls within this framework.
Design effectiveness asks whether a control, as designed, is capable of preventing or detecting a misstatement. Implementation asks whether the control actually exists and is being used. A well-designed approval process for journal entries is not effective if the CFO routinely bypasses it. The auditor evaluates both dimensions before deciding whether to test operating effectiveness.
Key Points
- Design and implementation evaluation is mandatory on every engagement (ISA 315.26), even on fully substantive audits.
- Operating effectiveness testing is only required when the auditor plans to rely on controls (ISA 330.8).
- All five components must be evaluated, including entity-level controls and IT general controls.
- A control that exists on paper but is routinely bypassed has not been implemented as designed.
Why it matters in practice
The AFM's 2023 inspection findings identified files where control assessments consisted of checklists confirming that controls "exist" without evaluating whether they were properly designed to address the relevant risk. A checklist that records "three-way matching is performed" without evaluating whether the matching thresholds, exception handling, and segregation of duties within the process are adequate does not satisfy ISA 315.26.
A second common gap: teams assess process-level controls (purchase order matching, bank reconciliation sign-off) but skip entity-level controls entirely. ISA 315.26 applies to the entity's entire system of internal control, including the control environment, risk assessment process, and monitoring activities. A file that evaluates transaction-level controls in isolation without considering whether the entity-level environment supports those controls is incomplete.
The 2019 revision of ISA 315 made IT general controls an explicit part of the assessment. Teams that treat the IT section as optional or complete it with generic descriptions of accounting software do not meet the requirement. ISA 315.26(a) requires understanding how the IT environment affects the processing and control of transactions, and which IT general controls support the application controls the auditor plans to rely on.
Key standard references
- ISA 315.26: Requirement to evaluate design and implementation of controls relevant to the audit.
- ISA 315.21–25: The five components of internal control.
- ISA 330.8: Testing operating effectiveness when the auditor plans to rely on controls.
- ISA 315.A155: Application guidance on how the five components interact.
Frequently asked questions
Must the auditor assess internal controls on a fully substantive engagement?
Yes. ISA 315.26 requires evaluating design and implementation of controls relevant to the audit on every engagement. Testing operating effectiveness is only required when the auditor plans to rely on controls or when substantive procedures alone cannot provide sufficient evidence.
What are the five components of internal control?
Control environment (ISA 315.21), entity's risk assessment process (ISA 315.22), information system (ISA 315.24–25), control activities (ISA 315.26), and monitoring of controls (ISA 315.23). ISA 315 (Revised 2019) requires evaluation of all five.