
AUDITING THEORY CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL

Red Sirug

INTERNAL CONTROL – the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives

Essential Concepts of Internal Control:
Internal control is (a):
1. Process – a means of achieving the entity's objectives
2. Effected by:
   a. Those charged with governance: ensure the integrity of accounting and financial reporting systems through oversight of management
   b. Management: design, implement and maintain internal control
   c. Staff personnel: perform their respective functions
3. Provides reasonable assurance about the achievement of an entity’s objectives – internal control is designed to prevent, or detect and correct, problems to help in achieving entity’s objectives
   - Inherent limitations of internal control system: Even a well designed and effective internal control system cannot eliminate material misstatements, whether due to fraud or error.
   Examples of inherent limitations of internal control:
   1. Management overriding the internal control.
   2. Circumvention of internal controls through the collusion among employees.
   3. Cost-benefit considerations (concept of reasonable assurance) – the costs of a control to be established should not exceed its expected benefits
   4. Most controls tend to be directed at routine transactions rather than non-routine transactions.
   5. Human error (such as due to carelessness, distraction, mistakes of judgment, the misunderstanding of instructions, errors in the design or use of automated controls)
   6. The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate.
   7. Segregation of duties may be difficult to achieve in a smaller entity.
4. Helps to achieve the entity's objectives
   - Objectives represent what an entity strives to achieve.
   - Categories of entity's objectives:
     1. Financial reporting objective – this objective relates to reliability of financial reporting
     2. Operational objective – this objective is intended to enhance effectiveness and efficiency of operations
     3. Compliance objective – this objective relates to entity’s compliance with applicable laws and regulations

Benefits of Strong Internal Control:
- Reliability of financial information for decision-making purposes
- Enhances the effectiveness and efficiency of operations
- Assurance of compliance with applicable laws and regulations
- Protection of assets and important documents and records
- Reduced cost of an external audit – because the auditor may rely on the effectiveness of internal control

Classification of Internal Control:
1. According to objectives:
   a. Financial reporting controls – controls to achieve reliability of financial reporting objective
   b. Operational effectiveness controls – controls to achieve operational effectiveness objective
   c. Compliance controls – controls to achieve compliance objective
   Relationship between the entity’s objectives and internal control: There is a direct relationship between the entity’s objectives and the internal control it implements to provide reasonable assurance about their achievement.
2. According to functions:
   a. Preventive controls – controls that deter problems before they arise (for example, segregation of incompatible employee functions/duties and control physical access to assets, facilities and information)
   b. Detective controls – controls that discover or detect problems as they arise (for example, preparing bank reconciliation and preparing monthly trial balance)
   c. Corrective controls – controls that remedy problems discovered with detective controls (for example, maintaining backup copies of transactions and master files)

AT – Considering the Entity’s Internal Control

Red Sirug


Components of Internal Control:
Obtaining understanding of internal control means obtaining understanding of the five interrelated and essential components or aspects of internal control as follows:

1. Control environment – it includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity
   - It sets the tone of an organization, influencing the control consciousness of its people.
   - It is the foundation for effective internal control for it provides an appropriate foundation for other components of internal control.
   - It is a set of characteristics that defines good control working relationships in an entity.

   Elements of control environment:
   1. Communication and enforcement of integrity and ethical values – These influence the effectiveness of the design, administration and monitoring of controls.
   2. Commitment to competence – Management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
   3. Participation by those charged with governance (BOD and audit committee)
   4. Management’s philosophy and operating style – Management’s approach to taking and managing business risks, attitudes and actions toward financial reporting, and attitudes toward information processing and accounting functions and personnel.
   5. Organizational structure – The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed.
   6. Assignment of authority and responsibility – How authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to minimize the possibility of errors because of too much work load assigned to an employee.
   7. Personnel or Human resource policies and procedures – Policies and practices that relate to recruitment/hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions.

   Considering the control environment: The auditor shall obtain understanding of control environment and evaluate:
   a. Whether the management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior
   b. Whether the strengths in the control environment provide foundation for the other components of internal control
   c. Whether other components of internal control are not undermined by control environment weaknesses

2. Entity’s risk assessment process – entity’s own process of identification, analysis, and management of risks relevant to the preparation and fair presentation of financial statements

   Considering the entity’s risk assessment process: The auditor shall obtain understanding of whether the entity has a process for:
   a. Identifying business risks relevant to financial reporting objectives
   b. Estimating the significance of the risks
   c. Assessing the likelihood of their occurrence
   d. Deciding about actions to address those risks

3. Information system (including the related business processes, relevant to financial reporting, and communication) – information and communication systems support the identification, capture, and exchange of information in a timely and useful manner
   - The information system relevant to financial reporting objectives, which includes the accounting system, consists of the methods and records established to record, process, summarize, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.
   - Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Communication may take such forms as policy manuals and financial reporting manuals. Open communication channels help ensure that exceptions are reported and acted on.

   Considering the information system: The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:

   - The classes of transactions in the entity’s operations that are significant to the financial statements.
   - The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements.
   - The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form.
   - How the information system captures events and conditions, other than transactions, that are significant to the financial statements.
   - The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.
   - Controls surrounding journal entries, including non-standard journal entries used to record nonrecurring, unusual transactions or adjustments.

4. Control activities – the policies and procedures that help ensure management’s directives are carried out and that necessary steps to address risks are taken. Control activities address risks that if not mitigated would threaten the achievement of the entity’s objectives.

   Examples of specific control activities include those relating to:
   - Authorization
   - Performance reviews
   - Information processing
   - Physical controls
   - Segregation activities

   Considering the control activities: The auditor shall obtain understanding of control activities relevant to the audit. Control activities relevant to the audit are those that the auditor judges it necessary to understand in order to:
   a. Assess the risks of material misstatement at the assertion level and
   b. Design further audit procedures responsive to the assessed risks.
   An audit does not require an understanding of all the control activities. In understanding the entity’s control activities, the auditor shall obtain understanding of how the entity has responded to risks arising from IT.

   Examples of specific control activities that may be relevant to an audit:
   1. Performance reviews – includes review and analyses of the following:
      a. Actual performance versus budgets, forecasts, and prior period performance
      b. Relationship between different sets of data to one another, together with analyses of the relationships and investigative and corrective actions (for example, sales reports, receivable reports, etc. may be used to analyze performance and to identify errors).
      c. Comparison between internal data and external sources of information, and
      d. Functional or activity performance (for example, the management of a sports team might use attendance data to ascertain the reasonableness of ticket sales).
   2. Authorization of transactions – authorization should occur before commitment of resources
   3. Independent checks to maintain asset accountability – independent checks involve the verification of work previously performed by others, such as:
      - Review of bank reconciliations
      - Comparison of subsidiary records to control accounts
      - Comparison of physical counts of inventory to perpetual records
   4. Documentation – provides evidence of the underlying transactions and is a basis for establishing responsibility for the execution and recording of transactions
   5. Prenumbering of documents – helps to assure that:
      a. All transactions are recorded (completeness).
      b. No transactions are recorded more than once (existence).
   6. Information processing controls – ensure that transactions are valid, properly authorized, and completely and accurately recorded
      a. Application controls – controls which apply to the processing of individual applications
         Examples of application controls:
         - Checking the arithmetical accuracy of records
         - Maintaining and reviewing accounts and trial balance
         - Automated controls such as edit checks of input data and numerical sequence checks
         - Manual follow-up of exception reports
         - Controls surrounding receivables

         - Controls surrounding payroll
      b. General controls – controls that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls apply to information processing throughout the company.
         Examples of general controls:
         - Program change controls
         - Controls that restrict access to programs or data
         - Controls over the implementation of new releases of packaged software applications
         - Controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail
         - Controls over data center and network operations
   7. Physical controls – physical controls for safeguarding assets involve security devices and limited access to programs and to restricted areas, including computer facilities
      a. Physical segregation and security of assets, including adequate safeguards such as secured facilities over access to assets and records.
         Examples of physical controls:
         - Protective or security devices
         - Bonded or independent custodians
         - Physical security of assets:
           - Cash – placed in cash boxes, vault or safe deposit boxes
           - Cash – deposited in a bank
           - Inventory – placed in a warehouse
           - PPE items – tagged with non-movable labels
      b. Authorization for access to computer programs and data files (for example, requiring password prior to access)
      c. Authorized access to assets and records (such as through the use of computer access codes, prenumbered forms, and required signatures on documents for the removal or disposition of assets)
      d. Required signatures on documents for the removal or disposition of assets
      e. Periodic counting and comparison with amounts shown on control records
         Examples:
         - Comparing the results of cash, security and inventory counts with accounting records
         - Reconciliations
      f. The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation.
   8. Segregation of duties – involves ensuring that individuals do not perform incompatible duties.
      - Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
      - Duties should be segregated such that the work of one individual provides a crosscheck on the work of another individual.
      - A proper segregation of duties (or incompatible functions) requires that one person should not be responsible for all phases of a transaction. This means that different employees should be assigned to the following functions:
        - Authorizing transactions
        - Recording transactions – recordkeeping
        - Maintaining custody of assets involved in the transactions
        For example, the responsibilities of the treasury department include handling of cash and custody of securities but do not include data processing.

5. Monitoring – the process to assess the effectiveness (or quality) of internal control performance over time

   Management’s monitoring of controls includes:
   - Assessing the effectiveness of controls on a timely basis and taking necessary corrective actions
   - Monitoring of controls through ongoing activities
   - Using information from communications from external parties such as customer complaints and regulator comments that may indicate problems, or highlight areas in need of improvement

   Considering the monitoring of controls: The auditor shall obtain understanding of:
   a. The major activities that the entity uses to monitor control over financial reporting, including those related to those activities relevant to the audit
   b. How the entity initiates corrective actions to its controls
   c. Sources of the information used in the entity’s monitoring activities

   d. The basis upon which management considers the information to be sufficiently reliable for the purpose

CONSIDERING INTERNAL CONTROL

Internal control is relevant to the entire entity and each of the five components of internal control may affect any of the three entity objectives, but not all of an entity's objectives and related controls are relevant to the audit. The auditor shall obtain an understanding of internal control relevant to the audit. Generally, those controls that pertain to financial reporting objective are most relevant to the audit. Thus, the auditor shall consider and understand financial reporting controls. The auditor need not assess all controls related to financial reporting, but rather applies professional judgment in determining which controls to assess.

Purpose of Understanding of Internal Control:
- Primary purpose: To provide a basis for planning the audit to determine the nature, timing, and extent of further audit procedures
- Secondary purpose: To provide a basis for constructive suggestions to management about improvements in internal control

Specifically, such understanding is used by the auditor in:
1. Identifying types of potential misstatements
2. Identifying factors that affect the risks of material misstatements, and
3. Designing the nature, timing, and extent of further audit procedures

Steps in Considering Internal Control:
1. The auditor shall obtain an understanding of internal control relevant to the audit – involves performing procedures to evaluate the design of relevant controls and determine whether they have been implemented (placed in operation)
   - This procedure includes understanding of the five interrelated components of internal control to evaluate the design and determine if the control has been implemented.
   a. Evaluate the design of relevant controls – involves determining whether those controls, individually or in combination with other controls, are capable of effectively preventing or detecting and correcting material misstatements
      - The design refers to capability of a control to prevent or detect and correct material misstatements
      Major emphasis in the design of effective control:
      a. Assets are properly protected
      b. Incompatible duties are segregated
      c. Transactions are authorized
      An improperly designed control may represent a material weakness in the entity’s internal control.
   b. Determine whether the controls have been implemented – involves determining whether the control is placed in operation; implementation of a control means that the control exists and is being used by the entity

   Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls:
   - Inquiry of entity personnel (inquiry alone is not sufficient to obtain audit evidence about the design and implementation of relevant controls)
   - Observing the application of specific controls
   - Inspecting documents and records
   - Performing a “walk-through” test – tracing a transaction through the information system relevant to financial reporting, from initial recording to presentation in the financial statements

2. Perform preliminary assessment of control risk – assessing the level of control risk (such as high, medium or low) based on understanding of internal control (the design of controls and whether they have been implemented)
   - The assessment of control risk is the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting and correcting material misstatements.
   - Control risk is assessed in terms of financial statement assertions.
   - The ultimate purpose of assessing control risk at the assertion level for each material account balance or class of transactions is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements.
   a. Maximum level: Control risk is assessed at high/maximum level if:
      - Controls are poorly designed, or

      - Properly designed controls have not been implemented, or
      - It is inefficient to rely on internal control (inefficient to perform tests of controls) – for example, it is inefficient to obtain evidence to justify the assessment of control risk at less than high level
      Auditor’s response if control risk is assessed at a high/maximum level:
      - Auditor will not perform tests of controls
      - Auditor will primarily rely on substantive tests
   b. Less than high/maximum level: Control risk is assessed at less than high/maximum level if controls are properly designed and have been implemented; the auditor should perform tests of operating effectiveness of relevant controls. In other words, tests of controls are performed to confirm that the controls tested are working effectively in order to substantiate the reduced assessed level of control risk. The PSA requires the auditor to document the basis or the evidence to justify the assessment of control risk at less than high/maximum level.

3. Perform tests of controls if preliminary assessment of control risk is below high/maximum level (performed when the auditor intends to rely on the internal control)
   - Tests of controls are audit procedures designed to evaluate the operating effectiveness of internal controls that are likely to detect or prevent material misstatements in support of a reduced assessed level of control risk.
   - When to perform tests of controls:
     a. When the auditor intends to rely on the operating effectiveness of relevant controls in determining the nature, timing and extent of substantive procedures, or
     b. When substantive procedures alone cannot provide sufficient appropriate evidence at the assertion level
   - Unlike substantive tests of details, tests of controls are not required audit procedure.
   - Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.
   - The greater the reliance the auditor plans to place on internal control, the more extensive the tests of those controls that need to be performed.
   - Tests of controls generally consist of one (or a combination) of the following evidence gathering techniques:
     a. Inquiry
     b. Observation
     c. Inspection
     d. Reperformance of a control by the auditor

   Results of tests of controls:
   a. Results confirm effectiveness of controls – the auditor relies on the entity’s internal control and decrease substantive testing. In this case, the auditor’s general approach to audit would be the reliance or combined approach (an approach that uses both tests of controls and substantive procedures).
   b. Results do not confirm effectiveness of controls – the auditor should revise the preliminary risk assessment of control risk from less than high to high level. In addition, the auditor shall also make the necessary revision on the overall audit strategy, audit plan and preliminary audit program. In this case, the auditor’s general approach to audit would be to use the substantive approach (an approach whose emphasis is on substantive procedures).

Required Documentation:
1. Document the understanding of accounting and internal control systems
   - Form of documentation may vary
   - One form or a combination of forms of documentation may be used at the same time
   - Forms of documentation:
     1. Internal control questionnaire – consists of a list of questions on internal control to be answered by "Yes" or "No" response. A negative response is designed to draw attention to a possible weakness in internal control. Written explanations are required for "No" answers.
     2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system or the sequential flow of authority, processes, transactions and documents. The use of standard symbols makes flowcharts easy to understand.
        a. Systems flowcharts – used to evaluate internal control because it shows the origin of each document in the system, its subsequent processing, and its final disposition
        b. IT flowcharts – used in evaluating the internal control in an automated/computerized accounting environment. The auditor can use these flowcharts to evaluate both the flow of the program and the internal controls related to the IT function in general.
     3. Internal control checklists – a detailed listing of ideal control measures (the auditor tickmarks

        the controls adopted by the client)
     4. Narrative memoranda – a written version of a flowchart. It is a description of the auditor's understanding of the system of internal control.
     5. Decision trees or tables –
        a. Decision trees – are graphic illustrations that depict the logic of an operation or process. They generally employ questions with "Yes" or "No" answers, which direct the user to the next relevant questions.
        b. Decision tables – are graphic illustrations that depict the logical relationships of a system in table form.
     Note that flow charts are more appropriate for documenting complex control structures, while written narratives are more appropriate for less complex structures. Both approaches document the auditor's understanding of a process, however.
2. Document the assessed level of control risk
   - If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level.
   - If the control risk is assessed at less than high level, the auditor should document:
     a. His conclusion that control risk is at less than high level, and
     b. The basis for that assessment – results of tests of controls confirming the assessment of control risk at below high/maximum level

Effect of Information Technology on Internal Control:

Effect on Internal Control
An entity's use of information technology may affect any of the five components of internal control:
a. Management's failure to appropriately address IT risks may negatively impact the control environment.
b. The use of IT may enhance an entity's risk assessment by providing more timely information.
c. Many information and communication systems make extensive use of IT, and the way in which IT is used often affects an entity's internal control.
d. The use of IT may affect the way in which existing control activities are implemented.
e. Much of the information used in monitoring is provided by IT, and therefore, the accuracy of the IT system is crucial.

IT Benefits
IT is used by an entity to improve the efficiency and effectiveness of its internal control. The auditor should consider the effect of such benefits as part of assessing internal control. Benefits may include:
a. The ability to process large volumes of transactions and data accurately and consistently.
b. Improved timeliness and availability of information.
c. Facilitation of data analysis and performance monitoring.
d. Reduction in the risk that controls will be circumvented.
e. Enhanced segregation of duties through effective implementation of security controls.

IT Risks
The use of IT may also create additional internal control risks. The auditor must evaluate the entity's use of IT to determine whether and to what extent the following risks exist:
a. Potential reliance on inaccurate systems.
b. Unauthorized access to data, which may result in loss of data and/or data inaccuracies.
c. Unauthorized changes to data, systems, or programs.
d. Failure to make required changes or updates to systems or programs.

Manual vs. Automated Controls
a. In a manual system, manual controls such as approvals, reviews, and reconciliations are used. In an automated system using information technology, both manual and automated controls may be used; however, even manual controls may be dependent to some extent on the effective functioning of IT. (Application controls and general controls are covered further below.)
b. Manual controls may be more appropriate than automated controls in situations where judgment and discretion is required, such as circumstances in which misstatements are difficult to define, anticipate, or predict. Manual controls, however, may pose additional risks because they can be more easily ignored or overridden, they are subject to human error, and they are less consistent than automated controls.

Testing Automated Controls
a. In testing automated controls, the auditor needs to identify and test not just specific application controls but relevant general controls on which the application controls depend.
b. Also, the effectiveness of user controls may depend upon the accuracy of information provided to the user by IT systems.
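
The notes list reperformance of a control as a test of controls, name numerical sequence checks over prenumbered documents (completeness and existence) as an application control, and require authorizing, recording and custody to sit with different people. The Python below is an added example, not part of the original handout, that reperforms those checks on constructed data; every document number, user name and function label in it is an assumption made for illustration.

```python
"""Reperformance of a sequence check and segregation-of-duties checks.
All sample data below is constructed; nothing comes from a real client."""
from collections import Counter, defaultdict

# The three functions the notes say must be assigned to different employees.
INCOMPATIBLE = {"authorize", "record", "custody"}


def sequence_exceptions(doc_numbers, first, last):
    """Numerical sequence check over an issued range of prenumbered documents.

    missing      -> completeness exception (a transaction may be unrecorded)
    duplicated   -> existence exception (recorded more than once)
    out_of_range -> a number that was never issued appears in the records
    """
    counts = Counter(doc_numbers)
    issued = range(first, last + 1)
    return {
        "missing": [n for n in issued if n not in counts],
        "duplicated": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if n not in issued),
    }


def sod_conflicts(events):
    """Detective view: per transaction, users who actually performed two or
    more incompatible functions. events = (transaction_id, user, function)."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn_id, user, function in events:
        if function in INCOMPATIBLE:
            by_txn[txn_id][user].add(function)
    conflicts = {}
    for txn_id, users in by_txn.items():
        bad = {u: sorted(f) for u, f in users.items() if len(f) >= 2}
        if bad:
            conflicts[txn_id] = bad
    return conflicts


def access_conflicts(grants):
    """Preventive view (a general control over access): users whose granted
    functions combine incompatible duties, whether or not they used them."""
    return {
        user: sorted(funcs & INCOMPATIBLE)
        for user, funcs in grants.items()
        if len(funcs & INCOMPATIBLE) >= 2
    }


# Constructed sample: invoices 1001-1010 were issued.
INVOICE_NUMBERS = [1001, 1002, 1003, 1005, 1006, 1007, 1007,
                   1008, 1009, 1010, 1013]

# Constructed sample: who did what on three payment vouchers.
EVENTS = [
    ("PV-01", "ana", "authorize"), ("PV-01", "ben", "record"),
    ("PV-01", "cara", "custody"),
    ("PV-02", "ben", "authorize"), ("PV-02", "ben", "record"),
    ("PV-02", "cara", "custody"),
    ("PV-03", "ana", "authorize"), ("PV-03", "cara", "record"),
    ("PV-03", "cara", "custody"), ("PV-03", "cara", "view"),
]

# Constructed sample: functions each user is allowed to perform.
GRANTS = {
    "ana": {"authorize"},
    "ben": {"authorize", "record"},
    "cara": {"custody", "record"},
    "dan": {"view", "record"},
}

if __name__ == "__main__":
    print(sequence_exceptions(INVOICE_NUMBERS, 1001, 1010))
    print(sod_conflicts(EVENTS))
    print(access_conflicts(GRANTS))
```

The access check is the general control the transaction-level check depends on: a user who holds two incompatible grants can produce a conflict even if the sampled transactions show none.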