Professional Documents
Culture Documents
clients. Because ultimately whatever the decision you will take, it will be highly influenced by the issue
of control system.
Management typically has three broad objectives in designing an effective internal control system:
So before establish a control system within the company audit committee will consider two things or
issues:
1. Reasonable Assurance: A company should develop internal controls that provide reasonable, but
not absolute, assurance that the financial statements are fairly stated. Internal controls are
developed by management after considering both the costs and benefits of the controls. The
concept of reasonable assurance allows for only a remote likelihood that material misstatements
will not be prevented or detected on a timely basis by internal control.
2. Inherent Limitations: I have also to consider inherent limitation. Now question is what is your
inherent limitation? Internal controls can never be completely effective, regard less of the care
followed in their design and implementation. Even if management can design an ideal system, its
effectiveness depends on the competency and depend ability of the people using it.
Design an ideal system is impossible regardless of proper design because of:
Management of all public companies to issue an internal control report that includes the following:
The first thing is that I need to gather information about the company’s control system that
means what is the system the company have, how does it work, how many people are engaging
in the system, how they ensure accounting details, how they track the information and many
other things. This question will help me to understand the control system about the company.
And from whom I can get this information? Most of the company we have seen, auditor
communicate with the audit committee or board committee. And from the answer from the
audit committee that will help me to understand the information about the company.
After having the understanding about the company now I can perform a test that is practical
test.
1. Significant account balances: I can check or verify specific accounts balance which is very much
sensitive for example receivable balance, inventory balance, payable balance.
2. Classes of transactions: I may check that classes of transaction. So what are the things I may
verified I can go with the loan facilities that how they have treated, how they have reported the
loan accounts, whether there is a any misrepresentation. I can verify the current asset that
whether they have anything which should not in current assets like this.
3. Disclosures and related financial Statement assertions: I can check the discloser and related the
financial issue that means I can check a particular related party information whether those
things are disclose in the discloser statement or whether those things are reported in the
financial statement. I can make cross check that whether those figure have properly disclose in
the discloser statement or financial statement.
ক্লায়েন্টের যেই ইন্টার্নাল কন্ত্রল সিস্তেম আছে সেগুলি ইনফ্লু য়েন্স করে ফ্যাক্টর অর্থাৎ অডিটরের জাসমিন দিবে ফ্যাক্টর গুলি
দেখেএবং আমি একজন অডিটর হিসেবে ডিসিশন নেব ওই ফ্যাক্টর গুলি দেখে, যেমন ইন্টার্নাল কন্ট্রোল সিস্টেম ভালো
কিংবা না ইত্যাদি.
There are five component of internal control system:
1. Control environment
2. Risk assessment
3. Control activities
4. Information communication
5. Monitoring
These are the five components I may have to consider in my internal control set up. That means
whenever as an auditor, I am going to test and I have an understanding of the control system, I must
have to look for this five factors. That means how will I judge?
1. Control environment: As an auditor I need to judge what is the practice environment within the
company they may have.
2. Risk assessment: As an auditor I need to assess the risk that is control risk and we know how we will
assess the risk.
3. Control activities: As an auditor, I have to know what are the control mechanism they have or use
and ensure the transparency and accountability.
4. Information communication: As an auditor need to know that how the system work. That means if
the some issue arises then how they solve it, how they communicate it.
5. Monitoring: Auditor need to know that what method the company follow to monitor and how they
are taking necessary action about the activities.
(Control environment :The control environment consists of the actions, policies, and procedures that
reflect the overall attitudes of top management, directors, and owners of an entity about internal control
and its importance to the entity.)
All of the factor is influenced by some other thing, so we need to understand what are the things can
influence us. For example if we look at the control environment, this control environment means our
practice within the company. Its mainly the value, morality, ethical practice within the company within
the person that is the management. How these things can be influenced?
Integrity and ethical values: The persons who are in the management, their integrity, their
values, their morality, their honesty actually influence the environment. (Integrity and ethical
values are the product of the entity’s ethical and behavioral standards as well as how they are
communicated and reinforced in practice.)
Commitment to competence: Whatever the integrity they may have if you are commitment to
competence that mean you are always being competence in the industry, you will competence
in the market, in your employees, customers that means whenever you want to be a competent
one, you are always try to offer something in better.
Board of directors or audit committee participation: If there is no participation from the board
in the control system that means they did not take it seriously. So it is the indication if you did
not find out any person of the board, or the person of board are not engaging in this process
that mean they are do it just as a part of formality. So as an auditor need to consider this issue
that the control system is not good. ( The board of directors is essential for effective corporate
governance because it has ultimate responsibility to make sure management implements proper
internal control and financial reporting processes).
Management through its activities provides clear signals to employees about the importance of
internal control.
As an auditor I need to assess the risk that is control risk and we know how we will assess the risk.
1. Identify factors that may increase risk: As an auditor I need to identify exposure that means
what are the issues or factors that influence my expected outcome. So I need to identify what
are the threats or challenges for me.
2. Estimate the significance of the risk: Whenever I identify the possible issues that may create
problem for me or that may challenges my expected outcome, so as an auditor, it is my duty to
identify what extend that particular fact has the probability. That means I need to identify the
probability of possible issue.
3. Assess the likelihood of the risk occurring: As an auditor need to understand that the possibility
or probability of that particular risk occurring.
4. Determine actions necessary to manage the risk: As an auditor, if I have a destination,
according to the destination I need take the appropriate action. So, if I see the particular risk has
the high probability to create the problem, then I have to take necessary action to prevent the
risk.
To understand the design of the accounting information system, the auditor determines (1) the major
classes of transactions of the entity; (2) how those transactions are initiated and recorded; (3) what
accounting records exist and their nature; (4) how the system captures other events that are significant
to the financial statements, such as declines in asset values; and (5) the nature and details of the
financial reporting process followed, including procedures to enter transactions and adjustments in the
general ledger.
4.4 Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of internal control by
management to determine that controls are operating as intended and that they are modified as
appropriate for changes in conditions.
An internal audit department is essential for effective monitoring of the operating performance of
internal controls. To be effective, the internal audit function must be performed by staff independent of
both the opera ting and accounting departments and report directly to a high level of authority within
the organization, either top management or the audit committee of the board of directors.
5.1 Process for Understanding Internal Control and Assessing Control Risk
It has four phases that are following:
Phase 1: Obtain and document understanding of internal control design and operation: Whenever I
have a better understanding as an auditor about company’s control system. And I can understand about
the company through the five component of control system that will help me for better understanding
of the company plan and control system. And whenever I have good understanding about the company
then I can proceed for assess of control risk
Phase 2: Assess control risk: Whenever I will be able to assess the control risk for the client, accordingly
I can design, perform and evaluate the test of control. That means I may have assess that this feature is
not good for the company, or this feature may have some weak point. So I may have come up with the
idea ok that control feature of this particular ground may very good for the company like inventory
management, ware house management is very effective. So that is also my observation but I did not test
yet because whatever the idea I have developed that is based on my information, knowledge, and
observation. And based on that I have asses the risk. So that is thing that I have done but fact is that I did
not test it yet.
Phase 3: Design, perform, and evaluate tests of controls: After assessing the risk, for example, I
consider that there is no control risk in a particular ground and I have identified another ground that
there has a high risk. So in both cases I may have test it. And I need check the system. That is called
design, perform, evaluate test of control. And this test process give me the fact that what I have
assumed, whether my assumption is right or wrong.
Phase 4: Decide planned detection risk and substantive tests: After doing the test of control we have to
decide planned detection risk and substantive test. Planned detection risk means whenever as an
auditor I failed to detect, so whenever I have understand that what is the possibility to have a fail case
or failure issue about the detection then accordingly I will decide what extend I have to check. And
substantive test means what will be the extend of the test following the test of control. It may be a
higher number depend on test of control.
6 New ways:
Phase 1: Obtain and document understanding of internal control design and
operation: Auditing standards require auditors to obtain an understanding of internal control
for every audit.
Methods Used: Three methods commonly used by auditors to obtain and document their
understanding of the design of internal control:
Control Risk Matrix: Many auditors use the control risk matrix to assist in the control risk
assessment process. The purpose of the risk matrix is to provide a convenient way to organize
assessing control risk for each audit objective.
Make inquiries of client personnel: If I want a test of control, the first thing I have do
inquiry of client personal that is employee. So why do you want make the client inquiry
to the personal because you may looking for a certain information or documentation for
transaction. So I have to ask to the company’s personnel for it and I made the inquiry to
them.
Examine documents, records and reports: After the inquiry company will give some
information which they have that what I am looking for. And whatever the document I
have, I may have to go through with that like go through with the ledger, record keeping
books, and other things.
Observe control−related activities: After examine the document, I have an
understanding about what is the process. Understanding about the control activities
which the company they have.
Re-perform client procedures: Do the things again, and after doing the again, if I have
the similar result then I can say its ok otherwise there is some issues.
With the help of test of control, I also need to have extend of procedures that means
whatever the procedure I have in my assessment, I can also take some information from the
third party as a consideration.
Reliance on evidence from prior year’s audit: Auditing standards require tests of the
controls’ effectiveness at least every third year. If controls have changed since it was last
tested, they should test it in the current year.
Testing of controls related to significant risks: Significant risks are those risks that the
auditor believes require special audit consideration.
Testing less than the entire audit period: PCAOB standard 5 requires the auditor to perform
tests of controls that are adequate to determine whether controls are operating effectively
at year-end.
Phase 4: Decide planned detection risk and substantive tests: The auditor uses the
results of the control risk assessment process and tests of controls to determine the planned
detection risk and related substantive tests. The auditor links the control risk assessments to
the balance-related audit objectives.