F8 – Audit & Assurance

From the desk of Irfan Lakhani

Chapter – 9
Internal Control
Dec 09
Past Paper
Q 3) Control Environment

I NTERNAL C ONTROL S YSTEMS

Internal Control is the process designed and implemented by the Management to provide reasonable
assurance about achievement of entity’s objectives.

Components of Internal Control System (CRIME)

1- Evaluating Control Environment
2- Risk Assessment Process
3- Information Systems
4- Control Activities
5- Monitoring of Controls

1- Control Environment
 Means the overall attitude, awareness and actions of Management towards Controls
Indicators includes

 Human resource policies

 Communication and enforcement of integrity
 Participation by those charged with governance

2- Risk Assessment Process

 Process of
 Identifying business risks
 Estimating significance
 Actions to address those risks
Examples currency fluctuation, Technological Obsolescence)
 F8 – Audit & Assurance
From the desk of Irfan Lakhani

3- Information Systems
The auditor shall obtain an understanding of the information system, including the related
business processes,

For example, if orders are placed via a website. The appropriate approach would be to place a
test order via the website and ensure the order has been recorded in the system by viewing it on
screen.

4- Control Activities
Activities includes
 Reports and summaries
 Approvals
 Reconciliations
 Comparisons / analytical reviews
 Physical inspections
 Segregation of duties
 Software controls

5- Monitoring of Controls
 Evaluate effectiveness of controls over time
 Re-assessing design and operations of the internal controls
(Internal audit function helps in this activity)

Controls in Small Companies

 Many controls in a large entity might not be practical or appropriate in a small setup
 The owners normally manages / supervises all activities
 However, the owners can also override controls if they wish (risk)

Inherent Limitations of Internal Control Systems

 Human error
 Collusion between staff or outsiders
 Deliberate bypass of controls
 Costs might exceed benefits
 F8 – Audit & Assurance
From the desk of Irfan Lakhani

A UDITOR AND I NTERNAL C ONTROL S YSTEMS

Auditors are required to assess the adequacy of internal control systems relevant to financial
reporting, identify the type and risks of material misstatements and then design appropriate audit
procedures

Following are the steps followed by Auditors

1- Obtain understanding of the internal control systems

2- Document the internal control system (narrative notes, flow-charts, IC questionnaires, etc.)
 Internal Control Questionnaire (ICQ): Used to ask questions whether control exists in order to
document the existing system

3- Confirm their understanding by carrying walk-through tests

4- Test of Controls (see below)

5- Revision of risk assessment if evidence obtained indicates that the controls are not working as
expected

6- Communicate deficiencies to management

 Deficiencies will include description of the deficiency, potential affect and suggestions

Test of Controls (TOC)

 Test of Controls are tests performed to obtain audit evidence about the effectiveness of the
 Design of the accounting and internal control systems (i.e. are they suitably designed to
prevent or detect misstatements)
 Operations of the internal control throughout the period
 Test of Controls techniques:
 Inspection of documents (e.g. checking authorization)
 Testing software internal controls
 Observation