CONSIDERATION OF INTERNAL CONTROLS

Module 1 (Part 2)

INTERNAL CONTROLS (DEFINED)

 PSA 315 DEFINES INTERNAL CONTROL AS THE PROCESS DESIGNED AND EFFECTED BY THOSE
CHARGED WITH GOVERNANCE, MANAGEMENT, AND OTHER PERSONNEL TO PROVIDE
REASONABLE ASSURANCE ABOUT THE ACHIEVEMENT OF THE ENTITY’S OBJECTIVES WITH
REGARD TO RELIABILITY OF FINANCIAL REPORTING, EFFECTIVENESS AND EFFICIENCY OF
OPERATIONS AND COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS.
 REASONABLE ASSURANCE MEANS A HIGH BUT NOT ABSOLUTE LEVEL OF ASSURANCE.
 CATEGORIES OF COMPANY OBJECTIVES:
 RELIABILITY OF FINANCIAL REPORTING
 EFFECTIVENESS AND EFFICIENCY OF OPERATIONS
 COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS
 INTERNAL CONTROL SYSTEM MEANS ALL POLICIES AND PROCEDURES ADOPTED BY THE
MANAGEMENT TO ASSIST IN ACHIEVING MANAGEMENT’S OBJECTIVE OF ENSURING, AS FAR
AS PRACTICABLE, THE ORDERLY AND EFFICIENT CONDUCT OF ITS BUSINESS, INCLUDING
ADHERENCE TO MANAGEMENT POLICIES, THE SAFEGUARDING OF ASSETS, THE
PREVENTION AND DETECTION OF FRAUD AND ERROR, THE ACCURACY OF COMPLETENESS
OF THE ACCOUNTING RECORDS, AND THE TIMELY PREPARATION OF RELIABLE FINANCIAL
INFORMATION.
 INTERNAL CONTROL STRUCTURE VARY SIGNIFICANTLY FROM ONE COMPANY TO THE NEXT.
FACTORS THAT COULD BE THE CAUSE OF DIFFERENTIATIONS:
 SIZE OF THE BUSINESS
 NATURE OF OPERATIONS
 GEOGRAPHICAL DISPERSION OF ITS ACTIVITIES
 OBJECTIVES OF THE ORGANIZATION

INTERNAL CONTROLS (COMPONENTS)

1. THE CONTROL ENVIRONMENT
2. THE ENTITY’S RISK ASSESSMENT PROCEDURES
3. THE INFORMATION SYSTEM, INCLUDING THE RELATED BUSINESS PROCESSES, RELEVANT TO
FINANCIAL REPORTING, AND COMMUNICATION
4. CONTROL ACTIVITIES
5. MONITORING OF CONTROLS

CONTROL ENVIRONMENT
 THE CONTROL ENVIRONMENT MEANS THE OVERALL ATTITUDE, AWARENESS AND ACTIONS
OF DIRECTORS AND MANAGEMENT REGARDING THE INTERNAL CONTROL SYSTEM AND ITS
IMPORTANCE IN ENTITY
 STRONG CONTROL ENVIRONMENT = EFFECTIVE INTERNAL CONTROL SYSTEM
 THE ENVIRONMENT IN WHICH INTERNAL CONTROL OPERATES HAS AN IMPACT ON THE
EFFECTIVENESS OF THE SPECIFIC CONTROL PROCEDURES

CONTROL ENVIRONMENT (FACTORS)

1. COMMUNICATION AND ENFORCEMENT OF INTEGRITY AND ETHICAL
VALUES
 AN ENTITY’S ETHICAL AND BEHAVIORAL STANDARDS AND THE MANNER IN WHICH IT
COMMUNICATES AND REINFORCES THEM DETERMINE THE ENTITY’S INTEGRITY AND
ETHICAL BEHAVIOR
 IT INCLUDE MANAGEMENT’S ACTION TO REMOVE OR REDUCE INCENTIVES AND
TEMPTATIONS THAT MIGHT PROMPT PERSONNEL TO ENGAGE IN DISHONEST, ILLEGAL, OR
UNETHICAL ACTS
2. COMMITMENT TO COMPETENCE
 COMPETENCE IS THE KNOWLEDGE AND SKILLS NECESSARY TO ACCOMPLISH TASKS
 MANAGEMENT SHOULD HIRE EMPLOYEES COMPETENT TO PERFORM A SPECIFIC TASK TO
ACHIEVE ITS OBJECTIVES
3. PARTICIPATION BY THOSE CHARGED WITH GOVERNANCE
 THOSE CHARGED WITH GOVERNANCE—THE PERSON(S) OR ORGANIZATION(S) (FOR
EXAMPLE, A CORPORATE TRUSTEE) WITH RESPONSIBILITY FOR OVERSEEING THE STRATEGIC
DIRECTION OF THE ENTITY AND OBLIGATIONS RELATED TO THE ACCOUNTABILITY OF THE
ENTITY. THIS INCLUDES OVERSEEING THE FINANCIAL REPORTING PROCESS.
 AN ENTITY’S CONTROL CONSCIOUSNESS IS INFLUENCED SIGNIFICANTLY BY THOSE CHARGED
WITH GOVERNANCE
4. MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
 THIS REFERS TO MANAGEMENT’S ATTITUDE TOWARDS (A) BUSINESS RISK, (B) FINANCIAL
REPORTING, (C) MEETING BUDGET, PROFIT AND OTHER ESTABLISHED GOALS WHICH ALL
HAVE IMPACT ON THE RELIABILITY OF THE FINANCIAL STATEMENTS
5. ORGANIZATIONAL STRUCTURE
 THE RESPONSIBILITIES AND AUTHORITIES OF VARIOUS PERSONNEL SHOULD BE DESIGNED
TO:
 ASSIST THE ENTITY IN MEETING ITS GOALS AND OBJECTIVES
 ENSURE THAT TRANSACTIONS ARE PROCESSED, RECORDED, SUMMARIZED, AND
REPORTED IN AN ACCURATE AND TIMELY MANNER
6. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
 PERSONNEL SHOULD HAVE A CLEAR UNDERSTANDING OF THEIR RESPONSIBILITIES AND THE
RULES AND REGULATIONS THAT GOVERN THEIR ACTIONS
 JOB DESCRIPTIONS, COMPUTER SYSTEM DOCUMENTATIONS
7. HUMAN RESOURCES POLICIES AND PROCEDURES
 PERSONNEL POLICIES SHOULD BE ADOPTED BY THE CLIENT TO REASONABLY ENSURE THAT
ONLY CAPABLE AND HONEST PERSONS ARE HIRED AND RETAINED
 ADEQUATE PERSONNEL POLICIES CAN ENHANCE THE LIKELIHOOD THAT THE CLIENT’S
POLICIES AND PROCEDURES WILL BE FOLLOWED

RISK ASSESSMENT PROCESS

 RISK ASSESSMENT IS THE IDENTIFICATION, ANALYSIS, AN MANAGEMENT OF RISKS
PERTAINING TO THE PREPARATION OF THE FINANCIAL STATEMENTS.
 RISKS RELEVANT TO FINANCIAL REPORTING INCLUDE EXTERNAL AN INTERNAL EVENTS AND
CIRCUMSTANCES THAT COULD ADVERSELY AFFECT AND ENTITY’S ABILITY TO INITIATE,
RECORD, PROCESS, AND REPORT FINANCIAL DATA CONSISTENT WITH THE ASSERTIONS OF
MANAGEMENT IN THE FINANCIAL STATEMENTS.
 THE FOLLOWING ARE THE COMMON CAUSES WHERE RISK ARISES:
 CHANGES IN OPERATING ENVIRONMENT
 NEW PERSONNEL
 NEW OR REVAMPED INFORMATION SYSTEMS
 RAPID GROWTH
 NEW TECHNOLOGY
 NEW BUSINESS MODELS, PRODUCTS, OR ACTIVITIES
 CORPORATE RESTRUCTURING
 EXPANDED FOREIGN OPERATIONS
 NEW ACCOUNTING PRONOUNCEMENTS

INFORMATION SYSTEM
 AN INFORMATION SYSTEM CONSISTS OF INFRASTRUCTURE (PHYSICAL AND HARDWARE
COMPONENTS), SOFTWARE, PEOPLE, PROCEDURE, AND DATA
 BUSINESSES WITH MANUAL PROCESSES HAVE NO INFORMATION SYSTEM
 AN ENTITY’S CONTROL STRUCTURE MUST PROVIDE FOR THE IDENTIFICATION, CAPTURE
AND EXCHANGE OF INFORMATION BOTH WITHIN THE CHAPTER AND WITH EXTERNAL
PARTIES. INFORMATION COMMUNICATED SHOULD BE TIMELY AND ACCURATE.
 INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING OBJECTIVES FOCUSES ON
PROPER INITIATION, RECORDING, AND REPORTING OF TRANSACTIONS
 RELATED BUSINESS PROCESSES – ARE THE ACTIVITIES DESIGNED TO (1) DEVELOP, PRODUCE
AND SELL AN ENTITY’S PRODUCTS, (2) ENSURE COMPLIANCE WITH LAWS AND
REGULATIONS, AND (3) RECORD INFORMATION
 INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING OBJECTIVES FOCUSES ON
PROPER INITIATION, RECORDING, AND REPORTING OF TRANSACTIONS
 RELATED BUSINESS PROCESSES – ARE THE ACTIVITIES DESIGNED TO (1) DEVELOP, PRODUCE
AND SELL AN ENTITY’S PRODUCTS, (2) ENSURE COMPLIANCE WITH LAWS AND
REGULATIONS, AND (3) RECORD INFORMATION
 COMMUNICATION INVOLVES PROVIDING AN UNDERSTANDING OF INDIVIDUAL ROLES AND
RESPONSIBILITIES PERTAINING TO INTERNAL CONTROL OVER FINANCIAL REPORTING
 COMMUNICATION CAN TAKE SUCH FORMS AS POLICY MANUALS, ACCOUNTING AND
FINANCIAL REPORTING MANUALS, AND MEMORANDA

CONTROL ACTIVITIES
 CONTROL ACTIVITIES HELP ENSURE RISK RESPONSES ARE EFFECTIVELY CARRIED OUT AND
INCLUDE POLICIES AND PROCEDURES, APPROVALS, AUTHORIZATIONS, VERIFICATIONS,
RECONCILIATIONS, SECURITY OVER ASSETS, AND SEGREGATION OF DUTIES. THESE
ACTIVITIES OCCUR ACROSS AN ENTITY, AT ALL LEVELS AND IN ALL FUNCTIONS, AND ARE
DESIGNED TO HELP PREVENT OR REDUCE THE RISK THAT ENTITY OBJECTIVES WILL NOT BE
ACHIEVED.
 THESE ARE THE POLICIES AND PROCEDURES THAT HELP ENSURE THAT MANAGEMENT
DIRECTIVES ARE CARRIED OUT
 THE MAJOR CATEGORIES OF CONTROL PROCEDURES ARE:
 PERFORMANCE REVIEW
 INFORMATION PROCESSING CONTROLS
 PHYSICAL CONTROLS
 IN PERFORMANCE REVIEW MANAGEMENT USES ACCOUNTING AND OPERATING DATA TO
ASSESS PERFORMANCE, AND IT THEN TAKES CORRECTIVE ACTIONS.
 PERFORMANCE REVIEWS MAY BE USED BY MANAGERS FOR THE SOLE PURPOSE OF MAKING
OPERATING DECISIONS
 FOR EXAMPLE THE USE OF STANDARDS, BUDGETS, FORECASTS, PRIOR PERIOD
PERFORMANCE
 INFORMATION PROCESSING CONTROLS ARE POLICIES AND PROCEDURES DESIGNED TO
REQUIRE AUTHORIZATION OF TRANSACTIONS AND TO ENSURE THE ACCURACY AND
COMPLETENESS OF TRANSACTION PROCESSING
 CONTROL ACTIVITIES MAY BE CLASSIFIED INTO GENERAL AND APPLICATION CONTROLS.
 PROPER SEGREGATION OF TRANSACTIONS AND ACTIVITIES, SEGREGATION OF DUTIES,
ADEQUATE DOCUMENTS AND RECORDS, ACCESS TO ASSETS, AND INDEPENDENT CHECKS
ON PERFORMANCE
 THE EXTENT TO WHICH PHYSICAL CONTROLS INTENDED TO PREVENT THE THEFT OF ASSETS
ARE RELEVANT TO THE RELIABILITY OF FINANCIAL STATEMENT PREPARATIONS, AND
THEREFORE THE AUDIT, DEPENDS ON CIRCUMSTANCES SUCH AS WHEN ASSETS ARE HIGHLY
SUSCEPTIBLE TO MISAPPROPRIATION

MONITORNG OF CONTROLS
 MONITORING INVOLVES ASSESSING THE DESIGN AND OPERATION OF CONTROLS ON A
TIMELY BASIS AND TAKING CORRECTIVE ACTION AS NECESSARY
 MONITORING IS EFFECTIVE WHEN IT LEADS TO THE IDENTIFICATION AND CORRECTION OF
CONTROL WEAKNESSES BEFORE THEY MATERIALLY AFFECCT THE ACHIEVEMENT OF THE
CHAPTER’S OBJECTIVES

OBJECTIVE OF THE STUDY OF INTERNAL CONTROL

 THE AUDITOR SHOULD OBTAIN AN UNDERSTANDING OF THE ACCOUNTING AND INTERNAL
CONTROL SYSTEMS SUFFICIENT TO PLAN THE AUDIT AND DEVELOP AN EFFECTIVE AUDIT
APPROACH
 THE AUDITOR’S UNDERSTANDING OF THEIR CLIENT’S INTERNAL CONTROL PROVIDES A
BASIS TO (1) PLAN THE AUDIT’ AND (2) ASSESS CONTROL RISK
 TO UNDERSTAND THE DESIGN OF THE ACCOUNTING INFORMATION SYSTEM, THE AUDITOR
DETERMINES:
 THE MAJOR CLASSES OF TRANSACTIONS
 HOW THOSE TRANSACTIONS ARE INITIATED
 WHAT ACCOUNTING RECORDS EXISTS AND THEIR NATURE
 HOW TRANSACTIONS ARE PROCESSED
 AUDITORS OFTEN USE FLOWCHARTING TO PROVIDE FOR THE NARRATIVE DESCRIPTION OF
THIS UNDERSTANDING
 AUDITS MAY ALSO PERFORM “WALK-THROUGH”
 AUDITOR’S UNDERSTANDING OF ACCOUNTING AND INTERNAL CONTROL SYSTEM IS
SUPPLEMENTED BY:
 INQUIRIES OF APPROPRIATE MANAGEMENT, SUPERVISORY AND OTHER PERSONNEL AT
VARIOUS ORGANIZATIONAL LEVELS
 INSPECTION OF DOCUMENTS AND RECORDS
 OBSERVATION OF THE ENTITY’S ACTIVITIES AND OPERATIONS

DOCUMENTATION OF UNDERSTANDING
 THE AUDITOR SHOULD DOCUMENT THE UNDERSTANDING OF THE ENTITY’S INTERNAL
CONTROL STRUCTURE ELEMENTS OBTAINED TO PLAN THE AUDIT
 THE MORE COMPLEX THE INTERNAL CONTROL STRUCTURE AND THE MORE EXTENSIVE THE
PROCEDURES PERFORMED, THE MORE EXTENSIVE THE AUDITOR'S DOCUMENTATION
SHOULD BE
1. INTERNAL ACCOUNTING CONTROL QUESTIONNAIRES CONTAINS A SERIES OF QUESTIONS
DESIGNED TO DETECT CONTROL WEAKNESSES
a) MOSTLY ANSWERABLE BY “YES” OR “NO”
i. “YES” GENERALLY INDICATED SATISFACTORY DEGREE OF INTERNAL ACCOUNTING
CONTROLS
ii. “NO: INDICATED A POSSIBLE WEAKNESS IN CONTROL OR AT LEAST INDICATES
FURTHER INVESTIGATION IS NEEDED
2. FLOWCHART IS SYMBOLICDIAGRAM OF A SPECIFIC PART OF AN INTERNAL ACCOUNTING
CONTROL SYSTEM INDICATING THE SEQUENTIAL FLOW OF DATA AND/OR AUTHORITY
a) IT PROVIDES A PICTORUAL OVERVIEW OF A CLIENT’S INTERNAL CONTROL ACTIVITIES
b) TECHNIQUES OFTEN USED BY AUDITORS: (1) STANDARDAIZED SYMBOLS. (2)
FLOWLINES, (3) DOCUMENTS, (4) PROCESSING, AND (5) ANNOTATIONS
3. NARRATIVE DESCRIPTION IS A WRITTEN DESCRIPTION OF A PARTICULAR PHASE OR PHRASES
OR A CONTROL SYSTEM
a) IF THE STSTEMS ARE EXTENSIVE AND/OR COMPLEX, SEPARATE NARRATIVES MAY BE
PREPARED FOR SMALLER GROUPS OF CONTROLS WHICH RELATE TO SPECIFIC CLASSES
OF TRANSACTIONS OR ACCOUNTS
4. INTERNAL CONTROL CHECKLIST CONTRAINS A DETAILED ENUMERATION OF THE METHODS
AND PRACTICES WHICH CHARACTERIZED GOOD INTERNAL CONTROL OR OF ITEM TO BE
CONSIDERED IN REVIEWING INTERNAL CONTROL
a) PROVIDES ONLY A GUIDE TO REVIEW THE INTERNAL CONTROL, NOT A RECOD OF
AUDIT FINDINGS