What are internal controls?

‘Internal controls’ are the processes, systems, records and activities that entities design, implement and maintain to provide reasonable assurance they are achieving their organisational objectives regarding:

  • reliability of financial reporting
  • effectiveness and efficiency of operations
  • compliance with applicable laws and regulations.

Collectively, each entities' governing body and executive management is responsible for preparing reliable financial statements in accordance with generally accepted accounting principles. They are similarly responsible for maintaining effective internal controls over financial reporting.

QAO's assessment of internal controls

The auditing standards require us to understand and assess the aspects of entities' internal controls that relate to our financial statement audit objectives. We firstly seek to understand and evaluate how entities have designed and implemented their controls. We communicate our results to each entity in their external audit plan.

If we decide we can rely on an entity's controls, we must then test them to confirm they operated effectively. The results may highlight deficiencies, which we assess to determine if they constitute, individually or in combination, a significant deficiency in internal control.

Limitations of our reporting on internal control deficiencies

No system of internal control can provide absolute assurance about the absence of error or compliance. Even in the absence of identified control weaknesses, inherent limitations in an entity's internal controls over financial reporting may not prevent or detect material misstatements.

Internal control assessments

Our assessment tool for internal controls is available on our website for entities to use. The assessment tool is scalable to an entity's size and complexity, is principle-based, and will help entities identify opportunities to improve the efficiency and/or effectiveness of their controls. For more information, please see our detailed fact sheet

QAO's rating definitions

Internal control issues

DefinitionPrioritisation of remedial action

Significant
deficiency

Icon of a capital S on a blue circle

A significant deficiency is a deficiency, or combination of deficiencies, in internal control that requires immediate remedial action.

Also, we increase the rating from a deficiency to a significant deficiency based on:

  • the risk of material misstatement in the financial statements
  • the risk to reputation
  • the significance of non-compliance with policies and applicable laws and regulations
  • the potential to cause financial loss including fraud, or
  • where management has not taken appropriate timely action to resolve the deficiency.
This requires immediate management action to resolve.

Deficiency

Icon of a capital D on a blue circle
A deficiency arises when internal controls are ineffective or missing, and are unable to prevent, or detect and correct, misstatements in the financial statements. A deficiency may also result in non-compliance with policies and applicable laws and regulations and/or inappropriate use of public resources.We expect management action will be taken in a timely manner to resolve deficiencies.

Other matter

Icon of a capital O on a blue circle
An other matter is expected to improve the efficiency and/or effectiveness of internal controls, but does not constitute a deficiency in internal controls. If an other matter is not resolved, we do not consider that it will result in a misstatement in the financial statements or non-compliance with legislative requirements.Our recommendation may be implemented at management’s discretion.

 

Financial reporting issues 

Potential effect on the financial statementsPrioritisation of remedial action

High

Icon of a capital H on a blue circle
We assess that there is a high likelihood of this causing a material misstatement in one or more components (transactions, balances and disclosures) of the financial statements, or there is the potential for financial loss including fraud.This requires immediate management action to resolve.

Medium

Icon of a capital M on a blue circle
We assess that there is a medium likelihood of this causing a material misstatement in one or more components of the financial statements.We expect management action will be taken in a timely manner.

Low

Icon of a capital L on a blue circle
We assess that there is a low likelihood of this causing a material misstatement in one or more components of the financial statements.We recommend management action to resolve; however, a decision on whether any action is taken is at management’s discretion.