Part 4–
Internal Control whether the control, individually or in combination with other
- If evidence was obtained in the prior year’s audit
that indicates a key control was operating
effectively, the extent of tests of that control may be
reduced this year if the auditor determines that it is
still in place
- If no change in controls have occurred since the
controls were last tested: A CPA should test the
operating effectiveness of that control once every 3rd
year. Note: even if there was no change in control,
it should be tested every other year!!!
- Effective Internal Control Structure: Reduces the
need for management to review exception report on
a day to day basis.
Inherent Limitations of Internal Controls
1. Management’s usual requirement that the cost
of an internal control does not exceed the
expected benefits to be derived.
- The cost of Internal Control should not
exceed its benefits
2. Most internal controls tend to be directed at
routine transactions rather than non-routine
transactions.
3. The potential for human error due to
carelessness, distraction, mistakes of judgment
and the misunderstanding of instructions
- In the performance of most control
procedures, there are possibilities of errors
arising from mistakes in judgement.
4. The possibility of circumvention of internal
controls through the collusion of a member of
management or an employee with parties
outside or inside the entity.
5. The possibility that a person responsible for
exercising an internal control could abuse that
responsibility, for example, a member of
management overriding an internal control.
6. The possibility that procedures may become
inadequate due to changes in conditions, and
compliance with procedures may deteriorate
Benefits of Good Internal Control –
1. Reduces cost of an external audit.
2. Reduce employee fraud
3. Availability of reliable data for decision making
purposes and protection of important
documents and records.
4. Some assurance of compliance with SEC
regulations.
Strict Monitoring of BIR – supports strong Internal control.
AUDITOR’S CONSIDERATION OF INTERNAL CONTROL
Step 1 – Obtain an understanding of clients Internal
Control
Step 2 – Make a preliminary control risk assessment
Step 3 – Determine the appropriate response to the
assessed risk
Step 4 – Re-assess control risk
Step 5 - Determine the nature, extent and timing of the
substantive testing
Evaluating the Design of a control – involves considering
controls, is capable of effectively preventing or detecting and
correcting material misstatement.
Implementation of a Control – means that the control exists
and that the controls have been placed in operation.
Compensating Control –
- a control that reduces the risk that an
existing or potential control weakness will
result in a failure to meet a control
objective.
- When compensating control exists a
weakness in the system is no longer a
concern because the potential for
misstatement has been sufficiently reduced.
-
Good Control = Low Risk of Misstatement = Less ST
Bad Control = High Risk of Misstatement = More ST
Understanding of Internal Control
Required:
1. Consider factors that affect the risk of material
misstatement.
2. Ascertain whether internal control policies and
procedures have been placed in operation.
3. Identify the types of potential misstatement that
may occur.
4. Design the nature, timing and extent of audit
procedures to be performed.
Walk Through –
- Tracing transactions through the accounting
system.
- Done by tracing transactions from their
initial recording at source to their final
destination as a component of an account
balance in the FS.
- It confirms the auditor’s understanding of
how the accounting systems and control
procedure functions.
Test of Controls
- are used to test whether controls are operating
effectively.
- TOC are not necessary if the auditor plans to use
primarily the substantive approach.
- TOC are necessary if the auditor plans to assess
the level of control risk at less than high level.
- Example: 1.Examination of signature on Checks
Example Evidence of Compliance w/ Internal
Control:1. Records documenting usage of IT
programs
2. Cancelled Supporting documents
3. Signature on authorization forms.
- TOC Includes:
1. Inquiry/ Observation of IC w/c leaves no
audit trail
2. Re-performance of internal control
procedures.
3. Inspection of documentary support for
transactions evidencing authorization.
- Information Gathering Techniques:
 1. Inspection – w/ document or trail
2. Observation – w/o document or trail
3. Re-performance
- Questions answered:
a) How were the controls applied?
b) Were the necessary controls
consistently performed?
c) By whom were the controls applied?
- It is most appropriate that TOC is applied to
transactions and controls for the whole period
under audit.
- Transactions –
a) the basic components of business
operations.
b) the primary subject matter of
internal accounting control.
c) the building block of Business
operations
- TOC is omitted when:
a) CR is High
b) Accounts represent few transactions
c) Accounts subject to ineffective controls
d) Subsequent events
- TOC is not omitted when:
a) Accounts represent many transactions
Reliance on the client’s Internal Control –
- The auditor should test controls and use the
results of testing as a basis for determining the
nature, extent and timing of substantive tests.
- Auditor performs tests on those controls that the
auditor plans to rely on.
Risk Assessment Procedures
a) Inquiry
b) Inspection
c) Observation
Methods of Documenting the Study of Internal Control
1. Narratives/write-up
2. FlowCharts
3. Internal Control Questionnaires
4. checklist
Levels of Risk Assessment
1. High Control Risk Assessment
2. Less than High Control Risk
Assessment
High Control Risk Assessment –
- Entity’s Internal Control System is
missing or not effective (w/
material weakness)
- Evaluating the effectiveness of
the entity’s internal control
system would not be efficient/
time consuming to test
- If the assessment of Control Risk
is High, no need to test control.
Less Than High Risk Assessment –
- Entity’s control may be effective.
- If the assessment of Control risk is Less than
High, controls must be tested to validate
the assessment.
- If CR is less than High, Document the ff:
a) Understanding of the entity’s
internal control structure
b) Conclusion that control risk is less
than high
c) Basis for the conclusion that
control risk is less than high.
Responses to Address the Risks of Material Misstatement
A. Over All - FS LEVEL:
1. Increase Professional Skepticism-
Emphasizing to the audit team the need to
maintain professional skepticism in
gathering and evaluating audit evidence.
2. Increase in more Experienced Auditors-
Assigning more experienced staff or those
with special skills or using experts.
3. Increase in Element of Surprise of Audit
Procedures - Incorporating additional
elements of unpredictability in the selection
of further audit procedures.
B. Specific – ASSERTION LEVEL:
1. If CR is High – No test of controls anymore
proceed to determining the nature, timing
and extent of substantive testing.
2. If CR is Less than High – perform TOC to
be sure of the effectiveness of controls
Re-Assess Control Risk.
SUBSTANTIVE TESTING
- After considering a client’s internal control structure,
and the auditor has concluded that it is well
designed and is functioning as intended, the auditor
will not increase the extent of predetermined
substantive tests.
- If the auditor wants to perform more effective
substantive tests, the auditor will perform tests of
details and less Analytical Procedures.
- More Effective ST = Increase Test of Details
Decrease Analytical Procedure
- Example: 1. Count and list cash on hand
2. Sending confirmation to banks
- Example Evidence: 1. Confirmation of accounts
receivable from customers.
- A. Test of Details (TOD) – (Required)
1. Substantive Test of Transaction/Test of
details of Transactions-
- tests to determine whether the accounting
transactions have been properly authorized,
correctly recorded and summarized in the journals,
and correctly posted to subsidiary ledgers and the
general ledger.
- involves testing the transactions which give
rise to the ending balance of an account.
- at Interim
- Example:
Source Doc. Entries = Completeness
Records Asset = Existence/Occurrence
OR agreed w/ Debit Completeness
entries traced to cash
1. Debit Entries to cash are
traced to OR
2. Land inspect the site
3. AR inspect sales Existence/Occurrence
invoice (internal)
4. AR confirm w/
customers (external)

2. Substantive Test of Balance/ Test of Details of
Balance –
- involves direct testing of the ending
balances of an account
- primary emphasis is on Balance sheet
accounts.
- At year end
- Example: -Beg Balance – compared to the
audited balance of the previous year.
- Confirmation of Ending Balance of CIB, AR
and AP
- Observation of inventory count
- B. Substantive Analytical Procedure – (Optional)
Includes the ff:
a) Agreeing the FS to the underlying
accounting records
b) Examining material journal entries and
other adjustments made during the course
of preparing the FS.
- Example: Trend Analysis & Ratio analysis
- Optional as Substantive test
- Required only during Planning and Completion
- Used only when CR is less than High
Dual Purpose Test –
- TOC & ST at the same time
- Tests internal control as well as transactions and
balances using the same test procedures
- Performance of TOC and TOD of transactions
simultaneously to increase efficiency.
- Example: Obtain or prepare reconciliation
statements of bank accounts as of the balance sheet
date.
DETECTION RISK
- Function of effectiveness of an auditing procedure
and its application
- Arises partly from uncertainties that exist when the
auditor does not examine 100 of the population
- Arises partly because of other uncertainties that
exists even if the auditor were to examine 100
percent of the population
- Exist dependent to the auditor of the FS.
- the auditor to Management and those charged with
Level of DR Nature of ST Timing of ST
Lower More Year End
Acceptable Effective
level of DR
Higher Less Interim
Acceptable Effective
Level of DR
Audit Risk Model – used for planning purposes in
determining how much evidence to accumulate.
AR= IR x CR x DR
i  Can be controlled by the
auditor
 Functions of the client and its environment
 Cannot be controlled by the auditor
- IR + CR are inversely related to the Acceptable level of DR
(ADR)
- DR is the dependent variable
CR
High Medium Low
High Lowest Lower Medium
IR
Medium Lower Medium Higher
Low Medium Higher Highest
Audit Risk - the risk that the practitioner expresses an
inappropriate audit opinion when the subject matter
information is materially misstated.
Inherent Risk -
- Functions of the client and its environment
- Reduced when the likelihood of defalcation is Low
such as accounts with least liquidity.
a) PPE – Least liquid
b) Cash – most liquid
c) Held for Trading Securities – 2nd most
liquid
d) Accounts Receivables – 3rd most Liquid
- consideration of Auditor when assessing IR:
a) Nature of the client’s business
b) Existence of related parties
c) Susceptibility to defalcation
d) Integrity of Management
e) Unusual pressures on Management
Control risk –
- Functions of the client and its environment
- consideration of Auditor when assessing CR:
a) Frequency and intensity of top
management review.
REPORTABLE CONDITIONS
- Are matters that come to an auditor’s attention
which should be communicated to an entity’s audit
committee because they represent significant
deficiencies in the design or operation of the internal
control structure.
- Significant deficiency in Internal Control – a
deficiency or combination of deficiencies in internal
control that, in the auditor’s professional judgement.
Is of sufficient importance to merit the attention of
those charged with governance.
- Deficiencies in Internal Control: communicated by
governance and/or Audit committee
Extent of ST
More
- All material weaknesses are reportable conditions
Extensive - Deficiency in Internal Control Exists when:
a) A control is designed, implemented or
Less operated in such a way that it is unable to
Effective
prevent or detect and correct
misstatements in the FS on a timely basis
b) A control necessary to prevent or detect
and correct misstatements in the FS on
timely basis is missing.
- The development of constructive suggestions to
clients for improvements in internal control is a
desirable by-product of an Audit Engagement.
- Restriction on the distribution of the report: should
also be included when reporting on the conditions
relating to an entity’s internal control structure.

AUDIT EVIDENCE
Sufficient Appropriate Evidence –
- Depends on the professional judgement of the
auditor.
- A given set of audit procedures may provide
audit evidence that is relevant to certain
assertions but not to others.
- The auditor often obtains evidence from
different sources or of a different nature that is
relevant to the same assertion.
- Obtaining audit evidence relating to a particular
assertion is not a substitute for obtaining audit
evidence regarding another assertion
- Reliability of Evidence:
1. Audit evidence is generally more
reliable when it exists in documentary
form as compared to evidence
consisting of oral representation from
the client.
2. Audit evidence is generally more
reliable when obtained directly by the
auditor as compared to audit evidence
obtained indirectly (second hand
knowledge) or by inference.
3. Audit evidence is generally more
reliable when it is obtained from
independent sources outside the entity
as compared to audit evidence
obtained from within the entity.
4. Audit evidence that is generated
internally under conditions of good
internal control meet the required
appropriateness of evidence
mentioned in PSA 500
ASSERTIONS
1. Existence/Occurrence
2. Rights and Obligations
3. Completeness
4. Valuation & Allocation
Examples:
- Valuation & Allocation – Assets, liabilities and equity
interests are included in the FS at appropriate
amounts and any resulting valuation or allocation
adjustments are appropriately recorded.
- Existence/Occurrence– Assets, liabilities and equity
interests exist.
- Completeness – All assets, liabilities and equity
interests that should have been recorded have been
recorded.
- Right and Obligation- The entity hold or controls the
rights to assets, and liabilities are the obligation of
the entity.
ASSERTIONS ABOUT CLASSES OF TRANSACTIONS
1. Cut – Off
2. Completeness
3. Accuracy
4. Classification
Examples:
- Cut – Off – Transaction and events have been
recorded in the correct accounting period
- Completeness – All transactions and events that
should have been recorded have been recorded.
- Accuracy – Amounts and other data relating to
recorded transactions and events have been
recorded appropriately.
- Classification – Transactions and events have been
recorded in the proper accounts.
- Occurrence – Transaction and events that have been
recorded have occurred and pertain to the entity.
ASSERTIONS ABOUT PRESENTATION AND DISCLOSURE
1. Completeness
2. Occurrence & Rights and obligation
3. Classification & understandability
4. Accuracy & Valuation and Allocation
Examples:
- Completeness – All disclosures that should have
been included in the FS have been included.
- Occurrence & Rights and obligation – Disclosed
events, transactions and other matters have
occurred and pertain to the entity.
- Classification & understandability – Financial
information is appropriately presented and
described, and disclosures are clearly expressed.
- Accuracy & Valuation and Allocation – Financial and
other information are disclosed fairly and at
appropriate amounts.
Inquiry –
- an audit procedure that is used extensively
throughout the audit but does not for itself, provide
sufficient appropriate evidence.
- Is useful in most part of the audit
- Is rarely sufficient by itself
- Requires gathering of corroborative evidence
Observation – is limited to what the auditor sees.
Inspection –
- involves physical examination of tangible assets
- Inspection is a sufficient form of evidence when
the auditor wants to determine the ff:
a) Existence of assets
b) Quantity and description of assets
c) Condition or quality of assets
Confirmation –
- is the process of obtaining a representation of
information or of an existing condition directly from
a third party.
- Used to verify bank balances and Accounts
Receivables
- The most relevant form of evidence with regard to
assertions about accounts receivable when the
auditor has concerns about the receivables
existence.
- Confirmation Request Letter –
- Signed by the appropriate level of management
- Always sent under the control of the auditor
Negative Confirmation Request –
a) used when a large number of small
balances is involved.
b) used when few errors are is expected
c) auditor has no reason to believe that
respondents will disregard negative
confirmation request
 d) used when the assessed level of inherent
and control risk are low
e) customer will answer only if there is
difference
Positive Confirmation Request –
a) customer will answer whether there is
difference or not.
b) Where no response was received, the
auditor should contact the recipient to
elicit a response, and perform alternative
procedures as necessary.
Recalculation – a procedure that aids auditor in obtaining
evidence regarding the mathematical accuracy of accounting
records and other information.
Re-performance – refers to an auditor’s independent
execution of procedures or controls that were originally
performed as part of the entity’s internal control.
Analytical Procedures – involves the evaluation of financial
information through a study of plausible relationships among
both financial and non-financial data.
Initial Audit – first time to audit a client
- For initial audit engagement, the auditor should
obtain evidence that:
a) The opening balances do not contain
misstatements that materially affect the
current period’s FS
b) The prior period’s closing balances have
been correctly brought forward to the
current period or have been restated to the
correct amount, if necessary.
c) Appropriate accounting policies are
consistently applied or changes in
accounting policies have been properly
accounted for and adequately disclosed.
FRAUD & ERROR
Intention – the distinguishing factor between fraud and error
Error –
- The unintentional misstatement in the FS, including
the omission of an amount or disclosure
- Auditor’s responsibility regarding detection of
material errors and irregularities:
-Extended auditing procedures are required to
detect material errors and irregularities if the
auditor’s examination indicates that they may exist.
- Examples:
a) Misinterpretation by management of facts that
existed when the FS were prepared.
b) Mathematical or clerical mistakes in the
underlying records and accounting data.
c) Incorrect accounting estimates arising from
oversight or misstatement
d) Mistake in the application accounting policies.
Fraud - the act of any of the ff:
a) Management and Employees
b) Those Charged with Governance
c) Third Party
- Intentional act by one or more individuals involving
the use of deception to obtain unjust or illegal
advantage.
- Although fraud is a broad legal concept, the auditor
is concerned with fraudulent acts that cause a
material misstatement in the FS
- Misstatement may not be the objective of some
frauds
- The auditor do not make legal determination of
whether fraud has actually occurred.
2 Types of Fraud
a) Fraudulent Financial Reporting
b) Misappropriation of assets or Employee
fraud
- Court of Law – determines/declare if there is actual
fraud.
- Audit procedures that are effective for detecting an
unintentional misstatement may be ineffective for
an intentional misstatement that is concealed
through collusion.
- Collusion – 2 incompatible functions joined
to do fraud.
- Professional Skepticism – Is necessary for the
auditor to identify and properly evaluate:
a) Matters that increase the risk of a material
misstatement in the FS resulting from fraud
or error.
b) Circumstances that makes the auditor
suspect that the FS are materially misstated
c) Evidence obtained that brings into question
the reliability of management
representations.
- When the application of planned audit procedure
indicates the possible existence of fraud and error,
the auditor should consider the potential effect on
the FS.
- When an identified misstatement may be indicative
of fraud, the auditor considers the implication of the
misstatement in relation to other aspects of the
audit, particularly the reliability of management
representations
- According to PSA 240 - in planning the audit, the
auditor should discuss with other members of the
audit team the susceptibility of the entity to material
misstatements in the FS resulting from fraud or
error, Planning discussions would involve the ff:
a) Where errors may be more likely to occur
b) How fraud might be perpetrated
c) Decisions made on which members of the
team will conduct certain inquiries or audit
procedures
- When Planning the Audit: the auditor should make
inquiries of management in order to:
a) Obtain an understanding of management’s
assessment of the risk that the FS may be
materially misstated as a result of fraud.
b) Obtain an understanding of the accounting
and internal control systems management
has put in place to address fraud risks and
to prevent and detect error.
c) Determine whether management is aware
of any known fraud that has affected the
entity or suspected fraud that the entity is
investigating.
d) Determine whether management has
discovered any material errors.
- Documentation: the auditor should document the ff:
a) Fraud risk Factors identified as being
present during the auditor’s assessment
process
b) The auditor’s response to any such factors
identified.
c) Fraud risk factors identified during the
performance of the audit that cause the
auditor to believe that additional audit
 procedures are necessary and the
auditor’s response to them.
- Communication of a misstatement resulting from
fraud or a suspected fraud or error to the
appropriate level of management on a timely basis is
important because it enables management to take
action as necessary.
- If an auditor has suspicion of occurrence of fraud,
the auditor should:
a) Consider the implication of fraud in
relation to other aspects of the audit,
particularly the reliability of
management’s representation
b) The auditor should communicate to
management about fraud that brings
material potential effect on FS (note:
even suspected fraud is reported)
c) Unless circumstances clearly indicate
that fraud is an isolated occurrence,
the auditor adjust the nature, timing
and extent of substantive procedure.
d) If the auditor believes the indicated
fraud could have a material effect on
the FS, he should perform
appropriate modified procedures.
- Circumstances that brings into question the
auditor’s ability to continue performing the audit:
a) The entity does not take the remedial
action regarding fraud that the auditor
considers necessary in the circumstances
b) The auditor’s consideration of the risk of
material misstatement resulting from
fraud and the results of audit tests
indicate a significant risk of material and
pervasive fraud.
c) The auditor has significant concern about
the competence or integrity of
management or those charged with
governance.
Fraud Risk factors –
- Indicate the possible presence of fraud and they
often have been present in circumstances where
frauds have occurred.
- Fraud risk Factors cannot easily be ranked in order of
importance or combined into effective predictive
models.
- The auditor exercises professional judgement when
considering fraud risk factors individually or in
combination and whether there are specific controls
that mitigate the risk.
- The size, complexity and ownership characteristics of
the entity have a significant influence on the
consideration of relevant fraud risk factors.
Matters to consider when communicating the affairs of a
client to a proposed successor auditor
1. Whether client’s permission has been obtained
2. Relevant professional and legal responsibilities
applicable in the Philippines
Non- Compliance –
- Refers to the acts of omission or commission by the
entity being audited which are contrary to prevailing
laws and regulation.
- Auditor’s responsibility of evaluating non-
compliance by the entity:
a) An audit cannot be expected to detect non-
compliance with all laws and regulations.
b) Non-compliance includes personal
misconduct of entity management or
employees that are related to the entity’s
business activities.
c) Detection of non-compliance, regardless of
materiality, requires consideration of the
implications for the integrity of
management or employees.
- Illegal Acts:
- An auditor’s responsibility to detect illegal acts that
have a direct and material effect on the FS is the
same as an auditor’s responsibility for errors and
fraud.
- Expected of the auditor in determining non-
compliance by an entity:
a) Whether an act constitutes non-
compliance is a legal determination that is
ordinarily outside the auditor’s professional
competence.
b) The auditor’s training, experience and
understanding of the entity and its industry
can provide a basis for recognition that
some acts coming to the auditor’s attention
may constitute non-compliance with laws
and regulation
c) The determination as to whether a
particular act constitute or is likely to
constitute noncompliance is generally
based on the understanding of the auditor
but ultimately can only be determined by a
court of law.
d) In order to plan the audit, the auditor
should obtain a general understanding of
the legal and regulatory framework
applicable to the entity and the industry
and how the entity is complying with the
framework.
- An FS audit can provide reasonable assurance that
direct and indirect effect illegal acts that are
material to FS will be detected.
- Auditor’s audit cannot reasonably be expected to
bring all illegal acts by the client to the auditor’s
attention because illegal acts by the client often
relates to operating aspects rather accounting
aspects.
- When an auditor becomes aware of information
concerning a possible non-compliance, the
auditor should:
a) Obtain an understanding of the nature
of the act and the circumstances in
which it has occurred, and evaluate the
possible effect on the FS.
- Documenting Non-Compliance: the auditor should
document the finding and discuss them with the ff:
a) Client Management – (priority)
b) Client’s Legal Counsel
c) Auditor’s own lawyer
- An auditor who finds that the client has committed
an illegal act:
1. Withdraw (if you can) / Disclaim (if you
cannot withdraw)
- when there is doubt on client’s integrity.
- client refuses to accept the auditor’s
report as modified for illegal act.
2. Qualified / Disclaimer - (QD)
-Auditor is precluded from obtaining
sufficient competent evidence about the illegal act.
 -Auditor cannot reasonably estimate the
effect of the illegal act on the FS
- If illegal act cannot be quantified
3. Qualified / Adverse - (QA)
-Illegal act has an effect on the FS that is
both material and direct.
- If illegal act is material (can be quantified)
- Consider seeking legal advice on orderly
withdrawal - If the auditor suspects that the
members of senior management, including
members of the board are involved in non-
compliance to laws and regulations, and he believes
his report may not be acted upon.( Disclaim if
cannot withdraw)