INTERNAL CONTROL

1. Define internal control.

 According to PSA 3105, internal control is the process designed and effected
by those charged with governance, management and other personnel to
provide reasonable assurance about the achievement of an entity’s objective
with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.

2. Internal control provides reasonable assurance. Explain.

 Internal control can only provide reasonable assurance (not absolute

assurance) that the entity’s objectives will be achieved. This is because
there are inherent limitations that may affect the internal control’s
effectiveness.

3. What are the objectives of a system of internal control?

 Promote operational efficiency

 To safeguard the assets
 To enforce prescribed managerial policies
 To check the accuracy and reliability of accounting data

4. Enumerate, and explain briefly, the components of an internal control.

There are five interrelated components of the entity’s internal control, namely:

a) Control Environment - It is the foundation for effective internal control,

providing discipline and structure. Also, it includes governance and
management functions and sets tone of an organization, influencing the
control consciousness of its people.
b) Risk Assessment - The auditor shall obtain an understanding of whether
the entity has a process for: (1) Identifying business risks relevant to
financial reporting objectives; (2) Estimating the significance of the
risks; (3) Assessing the likelihood of their occurrence; (4) Deciding
about actions to address those risks.
c) Information and communication systems - Effective internal control
must provide timely information and communication.
d) Control Activities - Control activities are the policies and procedures that
help ensure that management directives are carried out.
e) Monitoring of Controls - It is accomplished through ongoing monitoring
activities, separate evaluations, or a combination of the two.

5. What is the control environment? What are the elements that comprise
the control environment?
 The control environment includes the attitudes, awareness, and actions of
management and those charged with governance concerning the entity’s
internal control and its importance in the entity.

Elements reflected in the control environment include:

a) Integrity and ethical values

b) Management philosophy and operating style
c) Active participation of those charged with governance
d) Commitment to competence
e) Personnel policies and procedures
f) Assignment of responsibility and authority
g) Organizational structure

6. What is meant by risk assessment process?

 Entity’s business objectives cannot be achieved without some risks.

Management should adopt policies and procedures that are designed to
identify and analyze the risks affecting the entity’s business and to take the
appropriate action to manage these risks. For audit purposes, the auditor is
concerned only with those risks that are relevant to the preparation of
reliable financial statements. The auditor shall obtain an understanding of
whether the entity has a process for: (1) Identifying business risks relevant
to financial reporting objectives; (2) Estimating the significance of the risks;
(3) Assessing the likelihood of their occurrence; (4) Deciding about actions
to address those risks.

7. What is an information system?

 The information system relevant to financial reporting objectives, which

includes the financial reporting system, consists of the procedures and
records established to initiate, record, process, and report entity
transactions (as well as events and conditions) and to maintain
accountability for the related assets, liabilities, and equity.

8. What are control activities?

 Control activities are the policies and procedures to help ensure that
management directives are carried out.

9. Give the different types of control activities.

Specific control activities that are relevant to financial statement audit would
include:

 Performance Reviews
 Information Processing
 Physical Controls
 Segregation of Duties
  Authorization

10. Why is it necessary to monitor controls?

 Monitoring is necessary to be done to ensure that controls continue to

operate effectively.

11. What are the inherent limitations of internal controls?

There are inherent limitations that may affect the internal control’s effectiveness.
These inherent limitations include:

 Management’s usual requirement that the cost of an internal control

should not exceed the expected benefits to be derived.
 Most internal controls tend to be directed at routine transactions rather
than non-routine transactions.
 The potential for human error due to carelessness, distraction, mistakes
of judgment and the misunderstanding of instructions.
 The possibility of circumvention of internal controls through the
collusion among employees.
 The possibility of management overriding the internal control.
 The possibility that procedures may become inadequate due to changes
in conditions, and compliance with procedures may deteriorate.

12. Enumerate, in chronological order, the steps followed in the study and
evaluation of internal controls. Explain each step briefly.

Steps in the study and evaluation of internal controls.

1. Obtain understanding of the internal control.

 Involves evaluating the design of a control and determining whether it

has been implemented.

2. Document the understanding of accounting and internal control systems.

 This documentation need not be in particular form. The extent of

documentation may vary depending on the size and complexity of the
entity and nature of the entity’s internal control systems.

3. Assessment of Control Risk

 It is making a preliminary assessment of control risk, at the assertion

level, for each material account balance or transactions. The auditor’s
preliminary assessment of control risk may be at a high level or less
than high level.

4. Performing tests of controls

  Test of controls are performed to obtain evidence about the
effectiveness of the design of the accounting and internal control
systems or operation of the internal controls throughout the period.

5. Documenting the assessed level of control risk

 If the control risk is assessed at a high level, the auditor should

document his conclusion that control risk is at a high level.
 If the control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high and the
basis for that assessment.

13. What is a transaction walkthrough?

 This is a one or two transactions through the entire accounting systems that
are being traced from their initial recording at source to their final
destination as a component of an account balance in the financial statements.

14. What are the different ways by which an understanding of controls is

documented?

Some commonly used ways of documentation include:

 Narrative description of the entity’s internal control;

 Flowchart that diagrams the flow of transactions and documents;
 Internal control questionnaire providing management’s responses to
questions about internal control.

15. When is the control risk assessment High? Less than high?

 When the auditor’s knowledge of the entity’s internal control indicates that
internal controls related to a particular assertion are not effective, the
auditor may simply assess control risk at a high level. On the other hand, if
the auditor concludes that it is more efficient to rely on the entity’s internal
control systems, the auditor would plan to assess control risk at less than
high level.

16. How does a high control risk assessment affect the planned audit
approach?

 There would be no test of controls need to be performed if the control risk is

at high level and the auditor will rely primarily on substantive tests.

17. Give examples of responses to the assessed risk of material

misstatement.

 Emphasizing to the audit team the need to professional skepticism.

 Assigning more experienced staff or those with special skills or using
experts.
  Providing more supervision.
 Incorporating additional elements of unpredictably in the selection of
further audit procedures to be performed.
 Making general changes to the nature, timing, or extent of audit
procedures.

18. What is the relationship of a less than high control risk assessment to
the nature, extent, and timing of substantive tests?

The lower the assessment of control risk, the more support the auditor should
obtain that the internal control is suitably designed and operating effectively.
Thus, the greater the reliance the auditor plans to place on internal control, the
more extensive the tests of those controls need to be performed.

19. May substantive tests be eliminated?

No because substantive tests enable the auditor to obtain corroborative evidence

about a particular account.

20. How are audit matters related to internal control communicated to

management and to those charged with governance?

This communication would ordinarily be in writing and should be done at the

earliest opportunity so that appropriate actions may be taken as soon as
possible. These internal control weaknesses together with other matters of
concern are documented in a formal management letter.