
As an auditor, it is very important to understand the control system of a company, that is, of your clients, because ultimately whatever decision you take will be highly influenced by the control system.

1 What is a control system?


A system of internal control consists of policies and procedures designed to provide management with
reasonable assurance that the company achieves its objectives and goals. These policies and procedures
are often called controls, and collectively, they make up the entity’s internal control.

Purpose: To provide assurance to protect assets and records.

Management typically has three broad objectives in designing an effective internal control system:

1. Reliability of financial reporting:


The company should have a good control system that generates reports on time, meaning it gives real-time figures, and that ensures their reliability. How does it ensure this? The system may have optional verifiability, a tracking facility, and a breakdown of each report so that I can cross-check it.
Example: If internal control is effective, the financial statements are reliable.

2. Efficiency and effectiveness of operations:


Controls within an organization are meant to encourage (ensure) efficient and effective use of its
resources (physical, human) so that the company's goals are achieved.
Example: If the production department is inefficient, the company will not achieve its goals.

3. Compliance with laws and regulations:


Whatever laws and regulations apply to the company in its country, it has to comply
with them. In addition to the legal provisions of Section 404, public, nonpublic,
and not-for-profit organizations are required to follow many laws and regulations. Some relate
to accounting only indirectly, such as environmental protection and civil rights laws. Others are
closely related to accounting, such as income tax regulations and anti-fraud legal provisions.

2 What is the responsibility of management, and who is responsible for insider operations or decisions? Who has the responsibility to establish a good control system?

The auditor needs to know who is responsible for establishing the control system, because it is with
that particular management that the auditor can bargain or make queries. In most cases, the board of
directors is responsible for establishing the control system within the company, and mostly the board
forms a subcommittee known as the audit committee. Because the audit committee is a subcommittee of
the board and includes board members, the audit committee is assigned to establish a good control
system within the company. This is the most common practice.

Before establishing a control system within the company, the audit committee will consider two
issues:

1. Reasonable Assurance: A company should develop internal controls that provide reasonable, but
not absolute, assurance that the financial statements are fairly stated. Internal controls are
developed by management after considering both the costs and benefits of the controls. The
concept of reasonable assurance allows for only a remote likelihood that material misstatements
will not be prevented or detected on a timely basis by internal control.
2. Inherent Limitations: I also have to consider inherent limitations. What are inherent
limitations? Internal controls can never be completely effective, regardless of the care
followed in their design and implementation. Even if management can design an ideal system, its
effectiveness depends on the competency and dependability of the people using it.
An ideal system is impossible, regardless of proper design, because:

• Employees may be incompetent, unskilled, careless or negligent, or may fail to understand.
• Employees may be corrupt (take assets for personal use and manipulate records).
• Two or more employees may work together to misstate records (collusion).
  Collusion: an act of two or more employees to steal assets or misstate records.
  Example: The storekeeper takes inventory and the bookkeeper misstates the records.
• Management might override (interfere).

Management’s Section 404 Reporting Responsibilities:

Management of all public companies is required to issue an internal control report that includes the following:

• A statement that management is responsible for establishing and maintaining an adequate
  internal control structure and procedures for financial reporting.
• An assessment of the effectiveness of the internal control structure and procedures for
  financial reporting as of the end of the company’s fiscal year.
• Management must also identify the framework used to evaluate the effectiveness of internal
  control.

3 Auditor Responsibilities for Testing Internal Control


It is the duty of an auditor. As an auditor, I know that the company definitely has its own control
system and its own mechanisms for operation, reporting and management, and it is my duty to
check that control system. That means I need to verify what control system they have and to what
extent I can rely on it. So the question is: how will I check the system? It is not like tasting
the sugar in tea. I have to go through some mechanism in order to understand it, and going through
that system is what helps me understand the company's internal control system.

First, I need to gather information about the company’s control system: what system the company
has, how it works, how many people are engaged in it, how they ensure accounting details, how they
track information, and many other things. These questions help me understand the company's control
system. From whom can I get this information? In most companies, the auditor communicates with the
audit committee or a board committee, and the answers from the audit committee help me understand
the company.

After gaining an understanding of the company, I can perform a test, that is, a practical
test.

We can go with the four things:

1. Significant account balances: I can check or verify specific account balances that are very
sensitive, for example the receivable balance, inventory balance and payable balance.
2. Classes of transactions: I may check classes of transactions. For example, I can look at loan
facilities: how they have been treated, how the loan accounts have been reported, and whether
there is any misrepresentation. I can verify current assets to see whether they include anything
that should not be in current assets.
3. Disclosures and related financial statement assertions: I can check the disclosures and related
financial issues. For example, I can check whether particular related-party information is
disclosed in the disclosure statement or reported in the financial statements, and I can
cross-check whether those figures are properly disclosed in the disclosure statement or financial
statements.

So these three things help to assess the control risk.

4 COMPONENTS OF INTERNAL CONTROL:

Certain factors influence the client's internal control system. That is, the auditor forms a
judgment by looking at these factors, and as an auditor I will make my decision based on them, for
example whether the internal control system is good or not.
There are five components of an internal control system:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

These are the five components I have to consider in an internal control setup. Whenever, as an
auditor, I am going to test and gain an understanding of the control system, I must look for these
five factors. How will I judge them?

1. Control environment: As an auditor, I need to judge what practice environment the company has.
2. Risk assessment: As an auditor, I need to assess the risk, that is, control risk, and we know how
to assess the risk.
3. Control activities: As an auditor, I have to know what control mechanisms they have or use
to ensure transparency and accountability.
4. Information and communication: The auditor needs to know how the system works. That means, if
some issue arises, how they solve it and how they communicate it.
5. Monitoring: The auditor needs to know what method the company follows to monitor and how it
takes necessary action on the activities.

4.1 Control environment


An effective control system is influenced by these five components. So how do we ensure the
control environment?

(Control environment: The control environment consists of the actions, policies, and procedures that
reflect the overall attitudes of top management, directors, and owners of an entity about internal control
and its importance to the entity.)

Each of these factors is influenced by other things, so we need to understand what can influence
them. The control environment, for example, means our practice within the company: mainly the
values, morality and ethical practice of the people in the company, that is, of management. How can
these things be influenced?

The control environment of a company can be influenced by the following things:

• Integrity and ethical values: The integrity, values, morality and honesty of the persons in
  management influence the environment. (Integrity and ethical values are the product of the
  entity’s ethical and behavioral standards as well as how they are communicated and reinforced in
  practice.)

• Commitment to competence: Whatever integrity they may have, being committed to competence means
  always being competent in the industry, in the market, and toward your employees and customers.
  Whenever you want to be competent, you always try to offer something better.

• Board of directors or audit committee participation: If there is no participation from the board
  in the control system, they are not taking it seriously. If you cannot find any board member
  involved, or the board members are not engaged in this process, it indicates that they are doing
  it just as a formality. The auditor needs to consider this as a sign that the control system is
  not good. (The board of directors is essential for effective corporate governance because it has
  ultimate responsibility to make sure management implements proper internal control and financial
  reporting processes.)

Management’s Philosophy and Operating Style:

Management through its activities provides clear signals to employees about the importance of
internal control.

a. Organizational structure: By understanding the client’s organizational structure, the auditor
can learn the management and functional elements of the business and perceive how
controls are implemented.
b. Human resource policies and practices: The most important aspect of internal control is
personnel. If employees are competent and trustworthy, other controls can be absent, and
reliable financial statements will still result. Incompetent or dishonest people can reduce the
system to a shambles.

4.2 Risk Assessment:


How do you assess the risk, and how do you have to introduce the risk?

As an auditor, I need to assess the risk, that is, control risk, and we know how to assess the risk.

1. Identify factors that may increase risk: As an auditor, I need to identify exposure, meaning
the issues or factors that influence my expected outcome. I need to identify the threats or
challenges I face.
2. Estimate the significance of the risk: Once I have identified the possible issues that may
create problems for me or challenge my expected outcome, it is my duty as an auditor to
identify to what extent each particular factor is probable. That means I need to identify the
probability of each possible issue.
3. Assess the likelihood of the risk occurring: The auditor needs to understand the possibility
or probability of that particular risk occurring.
4. Determine actions necessary to manage the risk: As an auditor, if I have a destination, I need
to take the appropriate action according to that destination. So, if I see that a particular risk
has a high probability of creating a problem, I have to take the necessary action to prevent the
risk.

4.3 Control Activities


What activities have we seen in the company? That is, how they are operated or introduced to the
issues.

1. Adequate separation of duties: As an auditor, I need to identify whether the company
has adequate separation of duties, that is, whether there is enough segregation of duties or
not.
2. Proper authorization of transactions and activities: This is an important part. Once I have
identified proper segregation of duties, I need to ensure that, according to those duties, there
is proper delegation of power.
3. Adequate documents and records: As an auditor, I need to identify whether there is an adequate
document and record system and how they accomplish their tasks: whether by verbal communication or
with proper documentation for recording and tracking information.
4. Physical control over assets and records: As an auditor, I need to verify whether the company
has physical control over its assets and records.
5. Independent checks on performance: As an auditor, I need to check whether the
company is dependent on a third party or not.

Information and Communication


The purpose of an entity’s accounting information and communication system is to initiate, record,
process, and report the entity’s transactions and to maintain accountability for the related assets.

To understand the design of the accounting information system, the auditor determines (1) the major
classes of transactions of the entity; (2) how those transactions are initiated and recorded; (3) what
accounting records exist and their nature; (4) how the system captures other events that are significant
to the financial statements, such as declines in asset values; and (5) the nature and details of the
financial reporting process followed, including procedures to enter transactions and adjustments in the
general ledger.

4.4 Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of internal control by
management to determine that controls are operating as intended and that they are modified as
appropriate for changes in conditions.

An internal audit department is essential for effective monitoring of the operating performance of
internal controls. To be effective, the internal audit function must be performed by staff independent of
both the operating and accounting departments and report directly to a high level of authority within
the organization, either top management or the audit committee of the board of directors.

5 Obtain and document an understanding of internal control.


We can get a basic understanding of the internal control system from documents such as the HR
policy, recording policy, accounting policy and payroll policy, which give insight into the
company's control activities. This is how we obtain and document an understanding of the internal
control system. Whatever understanding we gain from the company's documentation and from other
things, such as the five components of internal control, has to be documented, because it will
help us frame our future plans for the client.

5.1 Process for Understanding Internal Control and Assessing Control Risk
It has the following four phases:

Phase 1: Obtain and document understanding of internal control design and operation: As an auditor,
I first need a good understanding of the company’s control system. I can gain it through the five
components of the control system, which help me better understand the company's plans and control
system. Once I have a good understanding of the company, I can proceed to assess control risk.

Phase 2: Assess control risk: Once I am able to assess the control risk for the client, I can
design, perform and evaluate the tests of controls accordingly. I may have assessed that one feature
is not good for the company, or that it has some weak points. I may also have concluded that the
control features in a particular area, such as inventory management or warehouse management, are
very effective. That is my observation, but I have not tested it yet: the idea I have developed is
based on my information, knowledge and observation, and I have assessed the risk on that basis. The
fact remains that I have not tested it yet.

Phase 3: Design, perform, and evaluate tests of controls: After assessing the risk, suppose I
consider that there is no control risk in one area and have identified another area where the risk
is high. In both cases I may have to test, and I need to check the system. This is called
designing, performing and evaluating tests of controls. The testing tells me whether what I
assumed is right or wrong.

Phase 4: Decide planned detection risk and substantive tests: After doing the tests of controls, we
have to decide the planned detection risk and substantive tests. Planned detection risk concerns
the case where I, as an auditor, fail to detect something. Once I understand how likely such a
detection failure is, I decide accordingly to what extent I have to check. Substantive tests refers
to the extent of testing that follows the tests of controls; it may be higher, depending on the
results of the tests of controls.

6 New ways:
Phase 1: Obtain and document understanding of internal control design and operation: Auditing
standards require auditors to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding:

• Design of internal controls
• Whether placed in operation
• Use this information as a basis for the integrated audit

Methods Used: Three methods are commonly used by auditors to obtain and document their
understanding of the design of internal control:

1. Narrative: a written description of a client's internal controls.
2. Flowchart: a diagram of the client's documents and their sequential flow in the
organization.
3. Internal control questionnaire: asks a series of questions about the controls in each audit
area as a means of uncovering aspects of internal control that may be inadequate to client
staff.

Phase 2: Assess control risk: Assess whether the financial statements are auditable. Determine
the assessed control risk supported by the understanding obtained, assuming the controls are being
followed. Use a control risk matrix to assess control risk.

Control Risk Matrix: Many auditors use the control risk matrix to assist in the control risk
assessment process. The purpose of the risk matrix is to provide a convenient way to organize
assessing control risk for each audit objective.

• Identify audit objectives
• Identify existing controls
• Associate controls with related audit objectives
• Identify and evaluate control deficiencies, significant deficiencies, and material
  weaknesses.
  • A control deficiency exists if the design or operation of controls does not permit
    company personnel to prevent or detect misstatements on a timely basis.
  • A significant deficiency exists if one or more control deficiencies exist that is
    less severe than a material weakness, but important enough to merit attention
    by those responsible for oversight.
  • A material weakness exists if a significant deficiency, by itself or in combination
    with other significant deficiencies, results in a reasonable possibility that
    internal control will not prevent or detect material financial statement
    misstatements on a timely basis.

Communications to Those Charged with Governance:

• Auditor must communicate in writing significant deficiencies and material
  weaknesses to the audit committee.

Phase 3: Design, perform, and evaluate tests of controls: The procedures to test
effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

Procedures for tests of controls:

• Make inquiries of client personnel: If I want to test a control, the first thing I have to do
  is make inquiries of client personnel, that is, employees. Why make inquiries of the personnel?
  Because I may be looking for certain information or documentation for a transaction, so I have
  to ask the company’s personnel for it.
• Examine documents, records and reports: After the inquiry, the company will give me the
  information it has on what I am looking for. I then have to go through whatever documents I
  have received, such as the ledger, record-keeping books, and other things.
• Observe control-related activities: After examining the documents, I have an
  understanding of the process and of the control activities that the company has.
• Re-perform client procedures: Do the things again. If I get a similar result after doing them
  again, I can say it is OK; otherwise there are some issues.

Along with the tests of controls, I also need to consider the extent of procedures. That means
that, whatever procedures I have in my assessment, I can also take some information from a
third party into consideration.

• Reliance on evidence from prior year’s audit: Auditing standards require tests of the
  controls’ effectiveness at least every third year. If controls have changed since they were last
  tested, they should be tested in the current year.

• Testing of controls related to significant risks: Significant risks are those risks that the
  auditor believes require special audit consideration.

• Testing less than the entire audit period: PCAOB Standard 5 requires the auditor to perform
  tests of controls that are adequate to determine whether controls are operating effectively
  at year-end.

Phase 4: Decide planned detection risk and substantive tests: The auditor uses the
results of the control risk assessment process and tests of controls to determine the planned
detection risk and related substantive tests. The auditor links the control risk assessments to
the balance-related audit objectives.
