Assessing control risk is the process of evaluating the design and operating effectiveness of an entity’s
internal control as to how it prevents or detects material misstatements in the financial statements. The
conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk.
PSA 315 defines internal control as the process designed and effected by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable regulations.
Control environment
Risk assessment
Information and communication systems
Control activities
Monitoring
Control environment
Attitudes, awareness and actions of management and those charged with governance concerning
the entity’s internal control and its importance to the entity. Sets the tone of an organization, influencing
the control consciousness of its people.
Risk assessment
Business risk is the risk that the entity’s business objectives will not be attained as a result of
internal and external factors. Management should adopt policies that are designed to identify and analyze
the risks affecting the entity’s business and to take appropriate action to manage the risks.
Information and communication systems
Effective internal control must provide timely information and communication. The information
system relevant to the financial reporting objective, which includes the financial reporting system, consists of the
procedures and records established to initiate, record, process and report entity transactions (as well as
events and conditions) and to maintain accountability for related assets and liabilities.
Control activities
Policies and procedures that help ensure that management directives are carried out. Specific
control procedures that are relevant to financial statements audit include:
Performance reviews
Information processing
Physical control
Segregation of duties – recording, custody and authorizing.
Monitoring
Consideration of the entity’s internal control systems involves the following steps:
The auditor should obtain sufficient understanding of the components of the entity’s internal
control relevant to the audit.
Evaluating the design of a control; and
Determining whether it has been implemented
The auditor is not required to obtain knowledge about the operating effectiveness of the
internal control when obtaining an understanding of the entity’s internal control systems. At this stage,
the concern is about the design of relevant control policies and procedures and whether such controls are
actually being applied.
The auditor is required to document his understanding of accounting and internal control
systems. He may use narratives, flowcharts and questionnaires providing management responses.
If the entity’s internal control is not effective, the auditor may simply assess control risk at a
high level. Thus, no tests of controls need to be performed and the auditor will rely primarily on
substantive tests.
On the other hand, if the control appears to be reliable, the auditor should determine whether it is
efficient to obtain the evidence to justify an assessment of control risk at a lower level. If so, the auditor
proceeds with performing tests of controls.
The auditor will only test the operating effectiveness of controls that are likely to detect or
prevent material misstatements. The auditor will only test those controls that he plans to rely upon.
The greater the reliance the auditor plans to place on internal control, the more extensive the tests
of controls that need to be performed.
Evidence gathering techniques
Inquiry
Observation
Inspection
Reperformance
If control risk is assessed at a high level, the auditor should document his conclusion that control
risk is at a high level. If control risk is assessed at less than a high level, the auditor should document his
conclusion that control risk is less than a high level and the basis for the assessment.
As a result of the auditor’s consideration of the accounting and internal control systems, the auditor
may become aware of significant deficiencies in the entity’s internal control systems. In this regard, the
auditor is required to report to the appropriate level of management and those charged with governance,
any significant deficiencies in the internal control systems, which have come to the auditor’s attention.
This communication should be in writing.
Auditors are not required to search for and/or identify internal control deficiencies. The
auditors must, however, communicate significant deficiencies in internal control of the client.
Internal control deficiencies, together with other matters of concern, are ordinarily communicated
to the client in a formal report called a management letter.