Chapter 6: Consideration of Internal Control
Assessing control risk is the process of evaluating the design and operating effectiveness of an entity’s
internal control in preventing or detecting material misstatements in the financial statements. The
conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk.
Nature of Internal Control
PSA 315 defines internal control as the process designed and effected by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable regulations.
Four essential concepts:
1. Internal control is a process
2. Internal control is effected by those charged with governance, management and other
personnel
3. Internal control can be expected to provide reasonable assurance of achieving the entity’s
objectives
4. Internal control is designed to help achieve the entity’s objectives
Operational objective
Compliance objective
Financial reporting objective
- The objective that is most relevant is the financial reporting objective
- Operational and compliance objectives may be relevant to the audit only if they relate to
data the auditor evaluates to determine the reliability of some financial statement
assertions.
Components of Internal Control
Control environment
Risk assessment
Information and communication systems
Control activities
Monitoring
Control environment
Attitudes, awareness and actions of management and those charged with governance concerning
the entity’s internal control and its importance to the entity. Sets the tone of an organization, influencing
the control consciousness of its people.
Factors related to control environment include:
Integrity and ethical values
Management philosophy and operating style
Active participation of those charged with governance
Commitment to competence
Personnel policies and procedures
Assignment of responsibility and authority/ organizational hierarchy
Risk assessment
Business risk is the risk that the entity’s business objectives will not be attained as a result of
internal and external factors. Management should adopt policies that are designed to identify and analyze
the risks affecting the entity’s business and to take appropriate action to manage the risks.
Information and communication systems
Effective internal control must provide timely information and communication. The information
system relevant to the financial reporting objective, which includes the financial reporting system, consists of the
procedures and records established to initiate, record, process and report entity transactions (as well as
events and conditions) to maintain accountability for related assets and liabilities.
Control activities
Policies and procedures that help ensure that management directives are carried out. Specific
control procedures that are relevant to financial statements audit include:
Performance reviews
Information processing
Physical control
Segregation of duties – recording, custody and authorizing.
Monitoring
Monitoring is a process of assessing the quality of internal control performance over time. It is
done to ensure that controls continue to operate effectively.
Monitoring controls is accomplished through ongoing monitoring activities, separate evaluations
or a combination of the two.
Ongoing monitoring activities are built into the normal recurring activities of an entity and
include regular management and supervisory activities such as preparation of monthly bank
reconciliation.
Separate evaluations are monitoring activities that are performed on a non-routine basis, such
as functions performed by internal auditors.
Consideration of Internal Control
Auditors are not responsible for establishing and maintaining an entity’s accounting and internal control
systems; that is the responsibility of the entity’s management. Nevertheless, auditors should give
adequate consideration to these controls because the condition of the entity’s internal control systems can
have a significant impact on the audit.
Consideration of the entity’s internal control systems involves the following steps:
1. Obtaining understanding of the internal control
2. Documenting the understanding of accounting and internal control systems
3. Assessing the level of control risk
4. Performing test of controls
5. Documenting the assessed level of control risk
Understanding the Internal Control
The auditor should obtain sufficient understanding of the components of the entity’s internal
control relevant to the audit.
Evaluating the design of a control; and
Determining whether it has been implemented
The auditor is not required to obtain knowledge about the operating effectiveness of the
internal control when obtaining an understanding of the entity’s internal control systems. At this stage,
the concern is about the design of relevant control policies and procedures and whether such controls are
actually being applied.
Documenting the auditor’s understanding of the internal controls
The auditor is required to document his understanding of accounting and internal control
systems. He may use narratives, flowcharts and questionnaires providing management responses.
Assessment of control risk
If the entity’s internal control is not effective, the auditor may simply assess a high level of
control risk. Thus, no test of controls needs to be performed and the auditor will rely primarily on
substantive tests.
On the other hand, if the control appears to be reliable, the auditor should determine whether it is
efficient to obtain the evidence to justify an assessment of control risk at a lower level. Proceed with
performing test of controls.
Performing test of controls
The auditor will only test the operating effectiveness of controls that are likely to detect or
prevent material misstatements. The auditor will only test those controls that he plans to rely upon.
The greater the reliance the auditor plans to place on internal control, the more extensive the tests
of controls that need to be performed.
Evidence gathering techniques
Inquiry
Observation
Inspection
Reperformance
Documenting the assessed level of control risk
If control risk is assessed at a high level, the auditor should document his conclusion that control
risk is at a high level. If control risk is assessed at less than a high level, the auditor should document his
conclusion that control risk is less than a high level and the basis for the assessment.
Communication of Significant Deficiencies in Internal Controls
As a result of the auditor’s consideration of the accounting and internal control systems, the auditor
may become aware of significant deficiencies in the entity’s internal control systems. In this regard, the
auditor is required to report to the appropriate level of management and those charged with governance,
any significant deficiencies in the internal control systems, which have come to the auditor’s attention.
This communication should be in writing.
Auditors are not required to search for and/or identify internal control deficiencies. The
auditors must, however, communicate significant deficiencies in internal control of the client.
Internal control deficiencies, together with other matters of concern, are ordinarily communicated
to the client in a formal report called a management letter.