Fariñas, Eriel Lexine D.

Ibañez, Rheezel Kim S.

Study and Evaluation of Internal Control

The objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertions levels, through
understanding the entity and its environment, including the entity’s internal control, thereby
providing a basis for designing and implementing responses to the assessed risks of material
misstatement.
Basic Auditor’s Approach in the
Study and Evaluation of Internal Guiding Principles
Control
1. Obtaining an Understanding of PSA 315 (Redrafted), “Identifying and Assessing the
the Client’s internal control Risks of Material Misstatement Through Understanding
structure the Entity and Its Environment”
PSA 315 (Redrafted), “Identifying and Assessing the
2. Make a preliminary assessment
Risks of Material Misstatement Through Understanding
of control risk
the Entity and Its Environment”
PSA 315 (Redrafted), “Identifying and Assessing the
Risks of Material Misstatement Through Understanding
3. Determine the appropriate
the Entity and Its Environment”
response to the assessed risk
PSA 330 (Redrafted), “The Auditor’s Responses to
Assessed Risks”
PSA 315 (Redrafted), “Identifying and Assessing the
Risks of Material Misstatement Through Understanding
4. Reassess control risk the Entity and Its Environment”
PSA 330 (Redrafted), “The Auditor’s Responses to
Assessed Risks”
PSA 330 (Redrafted), “The Auditor’s Responses to
5. Determine the nature, extent,
Assessed Risks”
and timing of substantive tests
PSA 520 (Redrafted), “Analytical Procedures”

PSA APPLICATION ON PROCESS

The following paragraphs state that the auditor
shall obtain an understanding of entity’s
PSA 315 (Redrafted), “Identifying and
internal control relevant to the audit. Obtaining
Assessing the Risks of Material Misstatement
an understanding of control involves
Through Understanding the Entity and Its
evaluating the design of the control and
Environment”
determining whether it has been implemented.
An initial understanding of the design of the
Paragraph 12 (Ref: Para. A38-A61),
internal control is obtained by making
Paragraph 13 (Ref: Para. A62-A64)
inquiries to the appropriate individuals,
inspection of documents and records, and
observation of entity’s activities and operation.
After obtaining an understanding of the
PSA 315 (Redrafted), “Identifying and
entity’s internal control, an auditor shall
Assessing the Risks of Material Misstatement
identify and assess the risk of material
Through Understanding the Entity and Its
Environment”
Paragraph 15,
Paragraph 24 (Ref: Para. A98-A106),
Paragraph 25, 26 27, 28
PSA 315 (Redrafted), “Identifying and
Assessing the Risks of Material Misstatement
Through Understanding the Entity and Its
Environment”
PSA 330 (Redrafted), “The Auditor’s Responses
to Assessed Risks”
Paragraph 5 (Ref: Para. A1-A3),
Paragraph 6 (Ref: Para. A4-A8),
Paragraph 7(Ref: Para. A9-A19)
PSA 315 (Redrafted), “Identifying and
Assessing the Risks of Material Misstatement
Through Understanding the Entity and Its
Environment”
Paragraph 30 (Ref: Para. A123)
PSA 330 (Redrafted), “The Auditor’s Responses
to Assessed Risks”
Paragraph 14 (Ref: Para. A36)
PSA 330 (Redrafted), “The Auditor’s Responses
to Assessed Risks”
Paragraph 20-24
PSA 520 (Redrafted), “Analytical Procedures”
Paragraph 5
misstatement at the financial statement level
and the assertion level for classes of
transactions, account balances, and
disclosures. In identifying and assessing risks
of material misstatement, the auditor may
conclude that the identified risks relate more
pervasively to the financial statements as a
whole and/or potentially affect many
assertions. Thus, the auditor may conclude that
the risk of material misstatement is at high
level or less than high level.’
The auditor shall determine overall responses
to address the assessed risks of material
misstatement at the financial statement level
and design and perform further audit
procedures (test of controls and substantive
tests) to respond to the assessed risk at the
assertion level.
The auditor’s assessment of the risks of
material misstatement at the assertion level
may change during the course of the audit as
additional audit evidence is obtained. In
circumstances where the auditor obtains audit
evidence from performing further audit
procedures, or if new information is obtained,
either of which is inconsistent with the audit
evidence on which the auditor originally based
the assessment, the auditor shall revise the
assessment and modify the further planned
audit procedures accordingly.
Irrespective of the assessed risk of material
misstatement, the auditor shall design and
perform substantive procedures for each
material class of transactions, account
balances, and disclosures.
This PSA requires the auditor to perform
substantive procedures that are specifically
responsive to risks that the auditor has
determined to be significant risks.
Internal Control Defined
Under COSO (Committee on Sponsoring Organizations of the Treadway Commission):
Internal control is a process, effected by an entity‘s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories: Effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations.
Evaluation
Under PSA 315:
A47. The division of internal control into the following five components, for purposes of the
PSAs, provides a useful framework for auditors to consider how different aspects of an entity‘s
internal control may affect the audit:
1. The control environment;
2. The entity‘s risk assessment process;
3. The information system, including the related business processes, relevant
to financial reporting, and communication;
4. Control activities; and
5. Monitoring of controls.
The division does not necessarily reflect how an entity designs, implements and maintains
internal control, or how it may classify any particular component. Auditors may use different
terminology or frameworks to describe the various aspects of internal control, and their effect on
the audit than those used in this PSA, provided all the components described in this PSA are
addressed.
Control Environment
Under COSO Framework:
Control Environment sets the tone of an organization, influencing the control consciousness
of its people. It is the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the integrity, ethical values and
competence of the entity‘s people management‘s philosophy and operating style; the way
management assigns authority and responsibility, and organizes and develops its people and the
attention and direction provided by the board of directors.
Under PSA 315:
Components of Internal Control—Control Environment (Ref: Para. 14)
Elements of the control environment that may be relevant when obtaining an understanding of
the control environment include the following:
 1. Communication and enforcement of integrity and ethical values
2. Commitment to Competence
3. Participation by Those Charged with Governance
4. Management’s Philosophy and Operating Style
5. Organizational Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Practices

a. Communication and enforcement of integrity and ethical values

These are essential elements that influence the effectiveness of the design, administration and
monitoring of controls.
Integrity and ethical values are expressed through:
 Existence and implementation of code of conduct and other policies regarding acceptable
business practice, conflicts of interest, or expected standards or ethical and moral
behaviour.
 Dealings with employees, suppliers, customers, investors, creditors and insurers,
competitors and auditors.
 Pressure to meet unrealistic performance targets- particularly for short-term results- and
extent to which compensation is based on achieving those performance targets.

b. Commitment to Competence
Matters such as management‘s consideration of the competence levels for particular jobs and
how those levels translate into requisite skills and knowledge.
Commitment to competence is expressed through:
 Formal or informal job description or other means of defining tasks that comprise
particular jobs.
 Analyses of the knowledge and skills needed to perform jobs adequately.
c. Participation by Those Charged with Governance
Attributes of those charged with governance such as:
 Their independence from management.
 Their experience and stature
 The extent of their involvement and the information they receive, and the scrutiny of
activities.
 Appropriateness of their actions
Controls involving the Board of Directors or Audit Committee include:
• Independence from management
 • Frequency and timeliness with which meetings are held with chief financial and/or
accounting officers, internal auditors and external auditors.
• Sufficiency and timeliness with which information is provided to board or committee
members
• Sufficiency and timeliness with which board or audit committee is apprised or sensitive
information, investigations and improper acts of officers.
d. Management‘s Philosophy and Operating Style
Characteristics such as management‘s:
 Approach to taking and managing business risks
 Attitudes and actions toward financial reporting
 Attitudes toward information processing and accounting functions and personnel
Controls involving management’s philosophy and operating style include:
 Nature of business risks accepted, e.g., whether management often enters into particularly
high-risk ventures, or is extremely conservative in accepting risks.
 Frequency of interaction between senior management and operating management,
particularly when operating from geographically removed locations.
 Attitudes and actions toward financial reporting, including disputes over application of
accounting treatments.
e. Organizational structure
The framework within which an entity‘s activities for achieving its objectives are planned,
executed, controlled, and reviewed.
Controls involving organizational structure are expressed through:
 Appropriateness of the entity‘s organization structure, and its ability to provide the
necessary information flow to manage its activities.
 Adequacy of definition of key manager‘s responsibilities, and their understanding of
these responsibilities.
 Adequacy of knowledge and experience of key managers in light of responsibilities.
f. Assignment of authority and responsibility
Matters such as how authority and responsibility for operating activities are assigned and how
reporting relationships and authorization hierarchies are established.
g. Human resource policies and practices
Policies and practices that relate to, for example, recruitment, orientation, training, evaluation,
counseling, promotion, compensation, and remedial actions.
Risk Assessment
Under COSO Framework:
Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition risk assessment is the establishment of objectives, linked at different
levels and internally consistent. Risk Assessment is the identification and analysis of relevant
risks to achievement of the objectives, forming a basis for determining how the risks should be
managed. Because economic, industry, regulatory and operating conditions will continue to
change, mechanisms are needed to identify and deal with the special risks associated with
change.
Under PSA 315:
Components of Internal Control—The Entity’s Risk Assessment Process (Ref: Para. 15)
A75. The entity‘s risk assessment process forms the basis for how management determines the
risks to be managed. If that process is appropriate to the circumstances, including the nature, size
and complexity of the entity, it assists the auditor in identifying risks of material misstatement.
Whether the entity‘s risk assessment process is appropriate to the circumstances is a matter of
judgment.
Information System and Communication
Under COSO Framework:
Information must be identified, captured and communicated in a form and timeframe
that enable people to carry out their responsibilities. Information systems produce reports,
containing operational, financial and compliance-related information, that make it possible to run
and control the business. They are not only with internally generated data, but also information
about external events, activities and conditions necessary to be informed in business decision-
making and external reporting.
Under PSA 315:
Components of Internal Control:
The Information System, Including the Related Business Processes, Relevant to Financial
Reporting, and Communication
The Information System, Including Related Business Processes, Relevant to Financial Reporting
(Ref: Para. 18)
A77. The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records designed and established to:
 Initiate, record, process, and report entity transactions (as well as events and conditions)
and to maintain accountability for the related assets, liabilities, and equity;
  Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;
 Process and account for system overrides or bypasses to controls;
 Transfer information from transaction processing systems to the general ledger;
 Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivables; and
 Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized and appropriately reported
in the financial statements.
Control Activities
Under COSO Framework:
Control activities are the policies and procedures help ensure management directives
are carried out and that necessary actions are taken to address risks to achievement of entity‘s
objectives. Control activities occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and segregation of duties.
Under PSA 315:
Components of Internal Control—Control Activities (Ref: Para. 20)
A84. Control activities are the policies and procedures that help ensure that management
directives are carried out. Control activities, whether within IT or manual systems, have various
objectives and are applied at various organizational and functional levels. Examples of specific
control activities include those relating to the following:
 Authorization.
 Performance reviews.
 Information processing
 Physical controls
 Segregation of duties
Monitoring Controls
Under COSO Framework:
Monitoring Activities
Internal control systems need to be monitored- a process that assesses the quality of the
system‘s performance over time. This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of
operations. It includes regular management and supervisory activities, and other actions
personnel take in performing the duties.
Under PSA 315
Components of Internal Control—Monitoring of Controls (Ref: Para. 22)
A94. Monitoring of controls is a process to assess the effectiveness of internal control
performance over time. It involves assessing the effectiveness of controls on a timely basis and
taking necessary corrective actions. Management accomplishes monitoring of controls through
ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring
activities are often built into the normal recurring activities of an entity and include regular
management and supervisory activities.
A95. In many entities, internal auditors or personnel performing similar functions contribute to
the monitoring of an entity‘s activities. PSA 610, ―Considering the Work of Internal Audit‖
establishes requirements and provides guidance on the auditor‘s consideration of the work of
internal auditing. Management‘s monitoring activities may also include using information from
communications from external parties such as customer complaints and regulator comments that
may indicate problems or highlight areas in need of improvement.