Auditing Theory
Chapter 11
Consideration of Internal Control in a
Financial Statement Audit
Applicable PSA
PSA 315 “Identifying and Assessing Risks of Material
Misstatements through Understanding the Entity and
Its Environment”
 Accounting and internal control system
 Audit risk on components: I C D
Widely-accepted concept: internal control is important
in generating reliable financial info
If audit deems IC as effective, he may decrease amount
of audit evidence to be accumulated.
Inadequate IC may preclude conduct of effective audit.
Nature of Internal Control
As an entity grows and more people are employed,
mechanisms need to be introduced to keep their
performance in check
Smaller entities have weaker internal control that can
be compensated through active participation of owner
in operations
Internal control
 Process – a means, not an end
 Designed and effected by:
 Management – establishment of control
environment & maintenance of P&P
 TCWG – ensure integrity through
oversight
 Other personnel – perform respective
functions
 Provides REASONABLE assurance – due to
limitations:
 Costs should not exceed benefits
 Directed at routine transactions
 Human error
 Circumvention through collusion
 Management overriding IC
 Inadequacy of procedures due to
changes; deterioration of compliance
 About achieving objectives:
 Reliable financial reporting (most
relevant objective to auditor as he is
only concerned with those relevant to
FS assertions)
 Operational effectiveness and efficiency
 Compliance with applicable laws and
regulations
Determinants of achievement of objectives
Reliable FR Compliance Operations E&E
Internal/ within entity’s control Management’s
decisions,
competitor’s actions,
other external factors
Internal control system
 ALL policies and procedures (internal controls)
adopted by management to assist in achieving
objectives:
 Orderly and efficient conduct of
business
 Adherence to management policies
 Safeguarding of assets
 Prevention and detection of F&E
 Accuracy and completeness of
accounting records
 Timely preparation of FS
Internal control structures VARY depending on:
 Size of the business
 Nature of operations
 Objectives of organization
Elements of internal control E R I C M
A. Control Environment
 Overall attitude, awareness, actions of directors
and management re: IC system and its
importance to the entity
 Culture
 The foundation for effective IC
Factors reflected in control env.:
 Function of BOD and its committees
 Communication of INTEGRITY and
ETHICAL values (policy statements, code
of conduct, management’s example)
 Commitment to COMPETENCE
 Participation by TCGW – entity must
have an AUDIT COMMITTEE; control
consciousness; must be involved in
scrutiny, interaction with I/E auditors,
whistleblowers, review of internal
control
 Management’s philosophy and operating style –
conservatism, aggression, attitude towards:
 Business risk
 Financial reporting
 Meeting budget, profit, goals
  Organizational structure and assignment of
authority – overall framework for planning,
directing, and controlling operations
 Management’s control system:
 Internal audit f(x)
 Personnel P&P
 Segregation of duties
 Human Resources Policies and Procedures –
selection of honest and competent personnel
does not ensure that errors/irregularities will
not occur; people are the most important
element of IC
B. Entity’s Risk Assessment Process
Business risk – risk that business objectives will not be
attained as a result of I/E factors s.a technological
developments, changes in customers demand and other
economic changes; management should adapt P&P to
mitigate such risk; for audit, only those relating to prep
of reliable FS are relevant
C. Information and Communications System
- Timely info must be provided by effective IC
- Communication: providing an understanding of
roles on internal control for reliable FRF;
electronic, oral, through management’s actions
D. Control Activities P I P S
- P&P that help ensure that management
directives are carried out
- Performance reviews: analyses of relationships
between data; e.g. actual performance vs
budget, prior-period performance
- Information processing: checks accuracy,
completeness,authorization of transactions;
computer: general and application controls
- Physical controls: physical security of assets,
adequate safeguards, authorization for access,
periodic counting
- Segregation of duties: difficult to perpetrate
fraud
E. Monitoring
- Assessing quality of internal control
- Ongoing monitoring: built-in; for recurring
activities; e.g. bank reconciliation
- Separate evaluations: non-routine monitoring;
e.g. functions performed by internal auditor
Objective of studying internal control
1. Plan the audit
2. Assess control risk
a. Consider the design of controls
b. Whether they have been implemented
c. Effectiveness, if in use – perform tests
to determine if they are applied (NOT
required in obtaining understanding of
IC to plan an audit)
Design – controls that HAVE BEEN established
Effectiveness – refers to HOW controls FUNCTIONS
To assess RISK below max 100%
 Identify specific controls that are likely to
prevent/ detect misstatement
Consideration of Internal Control
ODAPD
1. Obtain understanding of IC:
a. Evaluate design – consider capability of
preventing, detecting, correcting MM;
For initial understanding:
 Inquiries
 Inspection of documents
 Observation of processes
b. Implementation – control exists and
have been placed in operation;
accomplished through a walkthrough
(tracing a transaction through the entire
accounting system; confirms auditor’s
understanding of functions; both
inspection and observation)
Use of understanding:
 Identification of potential
misstatements
 Considering factors that affect RMM
 Design NTE of audit procedures
2. Documenting understanding of accounting and
internal control
Commonly used forms:
 Narrative description – memorandum
for simple IC
 Flowchart – diagrammatic
representation of IC system
  Internal control questionnaire providing
management’s responses to questions
about IC
3. Assessment of Control Risk
4. Perform Tests of Controls – must be performed
irrespective of how effective controls appear;
obtain evidence about effectiveness of:
a. Design of accounting and IC
b. Operation of IC
*Auditor only tests controls he plans to rely
upon
*greater reliance on IC = more extensive TC
Nature of tests of control
(1) Inquiry – searching info about effectiveness
from persons inside or outside
(2) Observation – looking at process performed
by OTHERS
(3) Inspection – examination of documents to
provide evidence of reliability
(4) Reperformance – repeating activity
performed by client to determine whether
correct results were obtained
5. Documenting assessed level of CR
Control risk Conclusion
High level CR is at a high level
Less than high level CR is at less than high level
+ basis for that assessment
(tests of controls)
*auditor cannot assess CR
at less than high level w/o
ToC
Communication of internal control weaknesses
- Report to appropriate level of management
- Communication ordinarily in writing:
management letter
- Done at earliest opportunity
*Auditors are NOT REQUIRED to search for internal
control weaknesses, but must communicate ones that
come to his attention

*some procedures overlap = obtaining understanding

and assessing CR are often done simultaneously

Timing of tests of control

 Usually during interim period
 Obtain further evidence for remaining
period
 Factors: results of interim tests, length
of remaining period, whether changes
have occurred

Extent of tests of control

 Sample size/ number of items should be
determined

Using the results of tests of control

 Evaluation reached: assessed level of
control risk
 Use CR with IR to determine detection
risk
 CR and IR are inversely related to DR

Operating effectiveness vs. implementation

Effectiveness Implementation
Auditor obtains evidence Auditor determines
that controls operate existence of relevant
effectively controls
REPORTABLE CONDITIONS
- Matters coming to the auditor’s attention that
he believes should be reported to the AUDIT
COMMITTEE
- Represent deficiencies in design and
implementation of IC

1. Sole purpose of audit was to report on FS and

not to provide assurance that internal controls
are effective
2. Definition of reportable conditions
3. Restriction of distribution ( info solely for audit
committee, management, others within the
organization

If RC is of such magnitude as to be a material weakness,

report can separate out as a material weakness