CONTROL FRAMEWORK
Internal Control
The process designed, implemented and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an entity’s objectives.
3. Compliance objective – this objective relates to the entity’s compliance with applicable laws and
regulations
2. According to functions:
a. Preventive controls – controls that deter problems before they arise
b. Detective controls – controls that discover or detect problems as they arise
c. Corrective controls – controls that remedy problems discovered with detective controls
Considering the control environment:
The auditor shall obtain an understanding of the control environment and evaluate:
o Whether the management, with the oversight of those charged with governance, has
created and maintained a culture of honesty and ethical behavior
o Whether the strengths in the control environment provide a foundation for the other
components of internal control
o Whether other components of internal control are not undermined by control
environment weaknesses
d. Commitment to competence
o The entity should consider the level of competence required for each task and translate it
to requisite knowledge and skills.
2. Risk Assessment
An entity’s business objectives cannot be achieved without some risk. Business risk is the risk that the
entity’s business objectives will not be attained as a result of internal and external factors such as
technological developments, changes in customer demand and other economic changes.
Considering the information system:
The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:
o The classes of transactions in the entity’s operations that are significant to the financial
statements;
o The procedures, within both information technology (IT) and manual systems, by which
those transactions are initiated, recorded, processed, corrected as necessary, transferred
to the general ledger and reported in the financial statements;
o The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions; this
includes the correction of incorrect information and how information is transferred to the
general ledger. The records may be in either manual or electronic form.
4. Control Activities
Control Activities are the policies and procedures that help ensure that management directives are
carried out. Specific control procedures that are relevant to financial statement audit would
include:
a. Performance reviews
These control activities include reviews and analyses of actual performance versus
budgets, forecasts, and prior period performance; relating different sets of data to one
another together with analyses of the relationships; and investigative and corrective
actions.
b. Information Processing
A variety of controls are performed to check the accuracy, completeness, and authorization
of transactions. When computer processing is used in significant accounting
applications, internal control procedures can be classified into two types:
general controls and application controls.
c. Physical controls
These activities encompass the physical security of assets, including adequate
safeguards such as secured facilities over access to assets and records; authorization
for access to computer programs and data files; and periodic counting and
comparison with amounts shown on control records.
d. Segregation of duties
Assigning different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets is intended to reduce the
opportunities to allow any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties.
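The segregation-of-duties principle above can be checked in two places: in the role design (preventive) and in the transaction record (detective). The following is an added example, not part of the original notes; the role assignments and transaction log are constructed, and the three duty names are taken from the text.

```python
from collections import defaultdict

# The three duties the notes say should rest with different people.
INCOMPATIBLE_DUTIES = {"authorize", "record", "custody"}

# Constructed role assignments: (person, business process, duty).
ASSIGNMENTS = [
    ("alice", "cash_disbursements", "authorize"),
    ("bob", "cash_disbursements", "record"),
    ("carol", "cash_disbursements", "custody"),
    ("erin", "inventory", "authorize"),
    ("dave", "inventory", "record"),
    ("dave", "inventory", "custody"),  # constructed conflict: dave records and holds inventory
]

# Constructed transaction log: who actually performed each duty on a transaction.
TRANSACTION_LOG = [
    {"id": "TX-1", "process": "cash_disbursements",
     "authorize": "alice", "record": "bob", "custody": "carol"},
    {"id": "TX-2", "process": "cash_disbursements",
     "authorize": "alice", "record": "alice", "custody": "carol"},  # constructed: alice approved and recorded
    {"id": "TX-3", "process": "inventory",
     "authorize": "erin", "record": "dave", "custody": "dave"},     # constructed: dave's design conflict in use
]


def find_design_conflicts(assignments):
    """Preventive view: return (person, process, duties) wherever one person holds
    two or more incompatible duties within the same process."""
    held = defaultdict(set)
    for person, process, duty in assignments:
        if duty in INCOMPATIBLE_DUTIES:
            held[(person, process)].add(duty)
    return sorted(
        (person, process, tuple(sorted(duties)))
        for (person, process), duties in held.items()
        if len(duties) > 1
    )


def find_log_conflicts(log):
    """Detective view: return (transaction id, person, duties) wherever the same
    person performed two or more incompatible duties on one transaction."""
    conflicts = []
    for txn in log:
        by_person = defaultdict(set)
        for duty in INCOMPATIBLE_DUTIES:
            by_person[txn[duty]].add(duty)
        for person, duties in sorted(by_person.items()):
            if len(duties) > 1:
                conflicts.append((txn["id"], person, tuple(sorted(duties))))
    return conflicts


if __name__ == "__main__":
    for row in find_design_conflicts(ASSIGNMENTS):
        print("design conflict:", row)
    for row in find_log_conflicts(TRANSACTION_LOG):
        print("transaction conflict:", row)
```

The design check catches a conflict before any transaction is processed; the log check catches the case where the roles were assigned correctly but someone nevertheless performed two duties on one transaction (TX-2), which the design check alone would miss.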
5. Monitoring
Monitoring is a process of assessing the quality of internal control performance over time. It involves assessing
the design and operation of controls on a timely basis and taking necessary corrective actions.
Monitoring of controls is accomplished through ongoing monitoring activities, separate
evaluations, or a combination of the two.
o Ongoing monitoring – activities are built into the normal recurring activities of an entity
and include regular management and supervisory activities such as preparation of monthly
bank reconciliation.
o Separate evaluations – are monitoring activities that are performed on a non-routine basis,
such as functions performed by internal auditors.
An initial understanding of the design of the entity’s internal control systems is ordinarily
obtained by:
a. Making inquiries of appropriate individuals;
b. Inspecting documents and records; and
c. Observing the entity’s activities and operations.
the more support the auditor should obtain that the internal control is suitably designed and
operating effectively.
In this regard, the auditor may consider modifying:
o The nature of substantive tests from less effective to more effective procedures
o The timing of substantive tests by performing them at year end rather than at interim
o The extent of substantive tests from smaller to larger sample sizes
Computerized Information System (CIS)
A CIS is a system composed of people and computers that processes or interprets information.
Characteristics of CIS
a. Lack of visible transaction trails
b. Consistency of performance
c. Ease of access to Data and Computer Programs
d. Concentration of duties
e. Systems generated transactions
f. Vulnerability of data and program storage media
1. General Controls
General controls are those control policies and procedures that relate to the overall computer
information system. These include:
a. Organizational controls
o Designed to define the strategic direction and establish an organizational framework over CIS activities
c. Access controls
o Every computer system should have adequate security controls to protect equipment, files, and programs.
Access to the computer should be limited only to operators and other authorized employees.
d. Data recovery controls
o Computer files can be easily lost, and the loss of these files can be disastrous to an entity. The survival
of an entity affected by such a disaster depends on its ability to recover the files on a timely basis.
e. Monitoring controls
o Monitoring controls are designed to ensure that CIS controls are working effectively as planned.
2. Application Controls
Application controls are those policies and procedures that relate to the specific use of the system. These are
designed to provide reasonable assurance that all transactions are authorized, and that they
are processed completely, accurately and in a timely manner. These include:
a. Control over input
o The input stage involves capturing a mass of data.
o Input controls are designed to provide reasonable assurance that data submitted for
processing are complete, properly authorized, and accurately translated into machine-readable form.
Self-checking Digit – This is a mathematically calculated digit which is usually added to a document
number to detect common transpositional errors in data submitted for processing.
Limit Check – A limit check or reasonableness check is designed to ensure that data submitted for
processing do not exceed a predetermined limit or reasonable amount.
Control Totals – These are totals computed based on the data submitted for processing. Control
totals ensure the completeness of data before and after they are processed.
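The three input controls above, worked through on a constructed invoice batch. This is an added example and not code from the notes: the check-digit scheme (a weighted modulus-11 digit in the style of ISBN-10) is an assumption, since the notes do not name one; the amount limit, the batch and its header totals are constructed; and the control totals go slightly beyond the text by showing the three kinds commonly kept in practice (record count, financial total, hash total of a non-financial field).

```python
from decimal import Decimal

# Constructed batch of invoice lines submitted for processing.  The last
# character of each document number is its check digit.
BATCH = [
    {"doc_no": "123455", "account": 4010, "amount": Decimal("250.00")},
    {"doc_no": "213455", "account": 4020, "amount": Decimal("80.00")},     # constructed: first two digits transposed
    {"doc_no": "100013", "account": 4030, "amount": Decimal("15000.00")},  # constructed: exceeds the limit
    {"doc_no": "543217", "account": 4040, "amount": Decimal("120.00")},
]
AMOUNT_LIMIT = Decimal("10000.00")  # assumed predetermined limit for one invoice line

# Constructed control totals copied from the batch header at submission time.
SUBMITTED_TOTALS = {"record_count": 4, "amount_total": Decimal("15450.00"), "hash_total": 16100}


def compute_check_digit(body: str) -> str:
    """Weighted modulus-11 (assumed scheme): weight the digits len+1 .. 2 from
    left to right and choose the digit that makes the total divisible by 11
    ('X' stands for 10).  Because each position has a different weight, swapping
    two adjacent digits changes the remainder, which is what detects transpositions."""
    weights = range(len(body) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(body, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def is_valid_document_number(number: str) -> bool:
    body, check = number[:-1], number[-1]
    if not body.isdigit() or not (check.isdigit() or check == "X"):
        return False
    return compute_check_digit(body) == check


def within_limit(amount: Decimal, limit: Decimal = AMOUNT_LIMIT) -> bool:
    """Limit / reasonableness check: positive and not above the predetermined limit."""
    return Decimal("0") < amount <= limit


def control_totals(records):
    """Record count, financial total, and a hash total (sum of account numbers;
    meaningless as a number, useful only for comparison)."""
    return {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["account"] for r in records),
    }


def screen_input(records):
    """Apply the per-record input controls; return (doc_no, reason) for each rejection."""
    exceptions = []
    for r in records:
        if not is_valid_document_number(r["doc_no"]):
            exceptions.append((r["doc_no"], "check digit failed"))
        if not within_limit(r["amount"]):
            exceptions.append((r["doc_no"], "amount outside limit"))
    return exceptions


def reconcile_totals(submitted, processed_records):
    """Recompute the totals after processing and report every total that moved;
    a difference means records were lost, duplicated or altered on the way."""
    actual = control_totals(processed_records)
    return {k: (submitted[k], actual[k]) for k in submitted if submitted[k] != actual[k]}


if __name__ == "__main__":
    print("input exceptions:", screen_input(BATCH))
    print("totals agree:", reconcile_totals(SUBMITTED_TOTALS, BATCH) == {})
    print("after losing a record:", reconcile_totals(SUBMITTED_TOTALS, BATCH[1:]))
```

Note that the check digit and the limit check operate on one record at a time, while the control totals only say something about the batch as a whole: dropping the first record leaves every remaining record individually valid, and only the reconciliation of totals reveals that something is missing.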
Commonly used CAATs:
1. Test Data
o Primarily designed to test the effectiveness of the internal control procedures which are
incorporated in the client’s computer program.
o The objective of the test data technique is to determine whether the client’s computer
programs can correctly handle valid and invalid conditions as they arise.
o A disadvantage of the test data technique is that the auditor does not have
assurance that the program tested is the same program used by the client throughout
the accounting period.
3. Parallel Simulation
o Parallel simulation requires the auditor to write a program that simulates key features or
processes of the program under review. The simulated program is then used to reprocess
transactions that were previously processed by the client’s program.
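The two techniques above (test data, and parallel simulation) are shown together in one added example, since both need the same stand-in for the client's program. None of this is from the notes: the pricing rule, the client program (given two deliberate defects so that each technique has something to find), the auditor's simulation and all transactions are constructed.

```python
from decimal import Decimal

# Assumed documented rule: extension = quantity x unit price, 5% discount at
# 100 units or more, reject unknown products and non-positive quantities.
PRICE_LIST = {"A100": Decimal("12.50"), "B200": Decimal("4.00")}


def client_program(txn):
    """Constructed stand-in for the client's program, with two deliberate defects:
    it never rejects a zero or negative quantity, and it discounts only above
    100 units instead of at 100 or more."""
    if txn["product"] not in PRICE_LIST:
        return {"status": "REJECTED", "amount": None}
    amount = txn["qty"] * PRICE_LIST[txn["product"]]
    if txn["qty"] > 100:
        amount *= Decimal("0.95")
    return {"status": "ACCEPTED", "amount": amount}


def auditor_simulation(txn):
    """The auditor's own program, written independently from the documented rule."""
    if txn["product"] not in PRICE_LIST or txn["qty"] <= 0:
        return {"status": "REJECTED", "amount": None}
    amount = txn["qty"] * PRICE_LIST[txn["product"]]
    if txn["qty"] >= 100:
        amount *= Decimal("0.95")
    return {"status": "ACCEPTED", "amount": amount}


# Test data: auditor-constructed transactions covering valid and invalid
# conditions, each with the outcome the control is supposed to produce.
TEST_DATA = [
    {"id": "T1", "product": "A100", "qty": 10, "expected": "ACCEPTED"},
    {"id": "T2", "product": "ZZZ9", "qty": 5, "expected": "REJECTED"},   # unknown product
    {"id": "T3", "product": "A100", "qty": 0, "expected": "REJECTED"},   # zero quantity
    {"id": "T4", "product": "B200", "qty": -3, "expected": "REJECTED"},  # negative quantity
]

# Constructed transactions processed by the client during the period, together
# with the amounts the client's program produced at the time.
PERIOD_TRANSACTIONS = [
    {"id": "P1", "product": "A100", "qty": 50},
    {"id": "P2", "product": "B200", "qty": 100},
    {"id": "P3", "product": "A100", "qty": 150},
]
CLIENT_OUTPUT = {t["id"]: client_program(t)["amount"] for t in PERIOD_TRANSACTIONS}


def run_test_data(program, cases):
    """Test data technique: return ids of cases the program did not handle as expected."""
    return [c["id"] for c in cases if program(c)["status"] != c["expected"]]


def run_parallel_simulation(client_output, transactions, simulation=auditor_simulation):
    """Parallel simulation: reprocess the period's transactions with the auditor's
    program and return (id, client amount, simulated amount) where they disagree."""
    discrepancies = []
    for t in transactions:
        simulated = simulation(t)["amount"]
        recorded = client_output[t["id"]]
        if simulated != recorded:
            discrepancies.append((t["id"], recorded, simulated))
    return discrepancies


if __name__ == "__main__":
    print("test data failures:", run_test_data(client_program, TEST_DATA))
    print("parallel simulation discrepancies:",
          run_parallel_simulation(CLIENT_OUTPUT, PERIOD_TRANSACTIONS))
```

The test data finds the missing quantity validation (T3 and T4 are accepted instead of rejected) but says nothing about the discount boundary, because no test case sits on it; the parallel simulation finds the boundary defect (P2, 100 units, priced without the discount) from the real period transactions. Running the auditor's simulation against the same test data returns no failures, which is the minimum check that the simulation itself implements the documented rule.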
4. Snapshots
o This technique involves taking a picture of a transaction as it flows through the computer
system. Audit software routines are embedded at different points in the processing logic to
capture the images of the transaction as it progresses through the various stages of
processing.
5. Systems Control Audit Review Files (SCARF)
The system control audit review file (SCARF) uses embedded audit modules to
continuously monitor transaction activity and collect data on transactions with special
audit significance.
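Snapshots and SCARF both rest on audit routines embedded in the client's processing logic, so one added example covers both. The three-stage processing run, the audit module, the selection rules that define "special audit significance" and the transactions are all constructed for this example and are not from the notes; tagging individual transactions for snapshotting is likewise an assumption about how the technique is applied.

```python
import copy
from datetime import datetime
from decimal import Decimal


class EmbeddedAuditModule:
    """Constructed audit routine embedded in the processing logic.
    snapshot() pictures a tagged transaction at a processing stage (the
    snapshot technique); scarf_collect() files a transaction that matches one
    of the auditor's selection rules (the SCARF technique)."""

    def __init__(self, scarf_rules):
        self.rules = scarf_rules    # {rule name: predicate(txn) -> bool}
        self.snapshots = []         # (txn id, stage, copy of the txn at that point)
        self.scarf_file = []        # (txn id, rule name, copy of the txn)

    def snapshot(self, stage, txn):
        if txn.get("snapshot"):     # assumption: only auditor-tagged transactions are pictured
            self.snapshots.append((txn["id"], stage, copy.deepcopy(txn)))

    def scarf_collect(self, txn):
        for name, rule in self.rules.items():
            if rule(txn):
                self.scarf_file.append((txn["id"], name, copy.deepcopy(txn)))


# Auditor-defined criteria (assumed) for "special audit significance".
SCARF_RULES = {
    "large_amount": lambda t: t["amount"] >= Decimal("10000"),
    "outside_business_hours": lambda t: not 8 <= t["posted_at"].hour < 18,
    "self_approved": lambda t: t["entered_by"] == t["approved_by"],
}


def process_transactions(transactions, audit):
    """Constructed processing run: validate, price, post.  The embedded module
    is invoked at each stage, and SCARF selection runs just before posting."""
    ledger = []
    for txn in transactions:
        audit.snapshot("input", txn)
        txn["valid"] = txn["qty"] > 0
        audit.snapshot("validated", txn)
        if not txn["valid"]:
            continue
        txn["amount"] = txn["qty"] * txn["unit_price"]
        audit.snapshot("priced", txn)
        audit.scarf_collect(txn)
        ledger.append((txn["id"], txn["amount"]))
        audit.snapshot("posted", txn)
    return ledger


# Constructed transactions for the run.
TRANSACTIONS = [
    {"id": "S1", "qty": 10, "unit_price": Decimal("25"), "entered_by": "bob", "approved_by": "alice",
     "posted_at": datetime(2024, 3, 4, 10, 15), "snapshot": True},   # tagged for snapshotting
    {"id": "S2", "qty": 500, "unit_price": Decimal("30"), "entered_by": "bob", "approved_by": "alice",
     "posted_at": datetime(2024, 3, 4, 11, 0), "snapshot": False},   # large amount
    {"id": "S3", "qty": 4, "unit_price": Decimal("50"), "entered_by": "dave", "approved_by": "dave",
     "posted_at": datetime(2024, 3, 4, 23, 40), "snapshot": False},  # late night, self-approved
]


def run_example():
    """Process a fresh copy of the transactions and return the ledger and the audit module."""
    audit = EmbeddedAuditModule(SCARF_RULES)
    ledger = process_transactions(copy.deepcopy(TRANSACTIONS), audit)
    return ledger, audit


if __name__ == "__main__":
    ledger, audit = run_example()
    for txn_id, stage, picture in audit.snapshots:
        print(f"snapshot {txn_id} at {stage}: {picture}")
    for txn_id, rule, _ in audit.scarf_file:
        print(f"SCARF {txn_id}: {rule}")
```

The snapshot log shows the same transaction four times, once per stage, so the auditor can see exactly where a field such as the amount was derived; the SCARF file instead holds only the transactions that met a rule, collected continuously as they were processed rather than selected afterwards.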