top of page
  • Writer's pictureCCS

Internal Control: Pervasive Controls (that address financial statement level risks)

We have now addressed each of the five components of internal control.

Some of these controls are pervasive in nature (financial statement-level risks).

They only indirectly serve to prevent a misstatement from occurring or to detect and correct it after it has occurred.

Other controls relate to particular transaction (assertion level) risks (such as payroll, sales, and purchases) and are designed specifically to prevent or detect and correct misstatements.

The following exhibit shows the interaction of the two levels of control over transactions as they journey from initiation and processing (transactional level) through the accounting records (financial statement level) and finally to the financial statements.






Notice that at least three of the five internal control components consist primarily of pervasive controls.



  1. The above illustration is a general guide. In some instances, pervasive controls can be designed to operate at a level of precision that would prevent or detect specific misstatements at the business process level. For example, a detailed budget approved by those charged with governance may be used by management to detect unauthorised administration expenditures. In other instances, control activities and parts of the information system may relate to financial statement-level activities.

  2. Pervasive controls relating to the entity as a whole (such as the commitment to competence) may be less tangible than those at the business process level (such as matching goods received to a purchase order) but are just as critical in preventing and detecting fraud and error.

  3. The period-end financial reporting process includes procedures to

  4. Enter transaction totals into the general ledger; • Select and apply accounting policies;

  5. Initiate, authorise, record, and process journal entries in the general ledger;

  6. Record recurring and non-recurring adjustments to the financial statements; and

  7. Prepare the financial statements and related disclosures.

  8. General information technology (IT) controls are pervasive to the entity as a whole, focusing on how IT operations (such as organisation, staffing, and data integrity) are managed across the entity.

  9. IT application controls are similar to transaction controls. They relate to how specific transactions are processed at the business process level.

Pervasive controls (at the financial statement level) form the basis or foundation upon which specific assertion-level (transactional) controls can be built.

They set the “tone at the top” and establish expectations for the organisation’s control environment in general.

Poorly designed pervasive controls may encourage all types of error and fraud. For example, an entity may have a highly controlled and effective sales process.

However, if senior management has a poor attitude toward control and has sometimes overridden these controls, a material error could still occur in the financial statements. Management override and poor “tone at the top” are common themes in corporate wrongdoing.

Pervasive controls also include monitoring controls that assess whether the actual tone at the top is what was intended and how well control expectations are being fulfilled. The pervasive controls (that pertain to the financial statements as a whole) could include

  • Controls related to the control environment;

  • Controls over management override;

  • The entity’s risk assessment process;

  • Controls to monitor results of operations and other controls;

  • Controls over the period-end financial reporting process; and

  • Policies that address significant business control and risk management practices.

Smaller Entities

In smaller entities, the lack of specific business process controls (due to limited staff and resources) is often offset by a high degree of involvement by management (such as the owner-manager) in performing controls.

In fact, some pervasive controls in smaller entities can often operate at a level of precision that actually serves to prevent or detect specific misstatements.

However, the increased involvement of senior management also increases the risk of management override. This could be addressed through further audit procedures or the design of suitable anti-fraud controls.

Pervasive Control Deficiencies

Although weaknesses in pervasive controls do not generally result in an immediate deficiency or errors in the financial statements, they still significantly influence the likelihood of misstatements resulting at the business process control level.

The absence of good pervasive controls may seriously undermine other business process controls; consequently, significant deficiencies in these controls would be reported to management and those charged with governance.


  1. 上面的说明是一个一般性的指导。在某些情况下,普遍控制可以被设计成在一定的精度水平上运行,以防止或发现业务流程层面上的特定错报。例如,管理层可以利用由负责管理的人批准的详细预算来检测未经授权的行政开支。在其他情况下,控制活动和信息系统的部分可能与财务报表层面的活动有关。

  2. 与整个实体有关的普遍性控制(如对能力的承诺)可能不如业务流程层面的控制(如将收到的货物与采购订单相匹配)那么具体,但在预防和发现欺诈和错误方面同样重要。

  3. 期末财务报告流程包括以下程序

  4. 将交易总额输入总账; - 选择和应用会计政策。

  5. 发起、授权、记录和处理总账中的日记账。

  6. 记录财务报表的经常性和非经常性调整;以及

  7. 编制财务报表和相关披露。

  8. 一般信息技术(IT)控制对整个实体来说是普遍存在的,重点是如何管理整个实体的IT业务(如组织、人员配置和数据完整性)。

  9. IT应用控制类似于交易控制。它们涉及到如何在业务流程层面上处理具体的交易。

普遍性控制(在财务报表层面)构成了基础,在此基础上可以建立具体的断言层面(交易)控制。它们设定了 "高层的基调",并确立了对组织总体控制环境的期望。




管理层的凌驾和不良的 "高层语气 "是企业错误行为的常见主题。


  • 与控制环境有关的控制。

  • 对管理层的控制。

  • 该实体的风险评估过程。

  • 监测经营结果的控制和其他控制。

  • 对期末财务报告过程的控制;以及

  • 涉及重大业务控制和风险管理实践的政策。




然而,高级管理层参与度的提高也增加了管理层越权的风险。 这可以通过进一步的审计程序或设计适当的反欺诈控制来解决。




Our website's articles, templates, and material are solely for you to look over. Although we make every effort to keep the information up to date and accurate, we make no representations or warranties of any kind, either express or implied, regarding the website or the information, articles, templates, or related graphics that are contained on the website in terms of its completeness, accuracy, reliability, suitability, or availability. Therefore, any reliance on such information is strictly at your own risk.

Keep in touch with us so that you can receive timely updates |


1. Website ✍️ 2. Telegram ✍️ 3. Facebook ✍

4. Blog ✍ 5. Google ✍

6. LinkedIn ✍

164 views0 comments

Recent Posts

See All
bottom of page