
MODULE 4:

CONTROL FRAMEWORK
Internal Control
 The process designed, implemented and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an entity’s objectives.

Essential Concepts of Internal Control:


1. Internal Control is a process
2. Internal Control is effected by those charged with governance, management and other personnel
3. Provides reasonable assurance about the achievement of an entity’s objectives –
internal control is designed to prevent, or detect and correct, problems to help in
achieving the entity’s objectives
 Inherent limitations of internal control system: Even a well designed and effective internal control
system cannot eliminate material misstatements, whether due to fraud or error.
4. Internal control is designed to help achieve the entity's objectives
 Objectives represent what an entity strives to achieve.
 Categories of entity's objectives:

1. Financial reporting objective – this objective relates to reliability of financial reporting

2. Operational objective – this objective is intended to enhance effectiveness and efficiency of
operations

3. Compliance objective – this objective relates to entity’s compliance with applicable laws and
regulations

Benefits of Strong Internal Control:


o Reliability of financial information for decision-making purposes
o Enhances the effectiveness and efficiency of operations
o Assurance of compliance with applicable laws and regulations
o Protection of assets and important documents and records
o Reduced cost of an external audit – because the auditor may rely on the
effectiveness of internal control

Classification of Internal Control:


1. According to objectives:
a. Financial reporting controls – controls to achieve reliability of financial reporting objective
b. Operational effectiveness controls – controls to achieve operational effectiveness objective
c. Compliance controls – controls to achieve compliance objective

2. According to functions:
a. Preventive controls – controls that deter problems before they arise
b. Detective controls – controls that discover or detect problems as they arise
c. Corrective controls – controls that remedy problems discovered with detective controls

Components of Internal Control


 Although internal control policies and procedures vary significantly from one entity to another, there are
essential components of internal control that must be established to provide reasonable assurance that the
entity’s objectives will be achieved.

1. Control Environment


 The control environment includes the attitudes, awareness, and actions of the management and
those charged with governance concerning the entity’s internal control and its importance in the
entity. The control environment also includes the governance and management functions and
sets the tone of an organization, influencing the control consciousness of its people.

Considering the control environment:
The auditor shall obtain understanding of control environment and evaluate:
 Whether the management, with the oversight of those charged with governance, has
created and maintained a culture of honesty and ethical behavior
 Whether the strengths in the control environment provide foundation for the other
components of internal control
 Whether other components of internal control are not undermined by control
environment weaknesses

Factors reflected in the control environment include:


a. Integrity and ethical values
o Management should establish ethical standards that discourage employees from
engaging in dishonest, unethical, or illegal acts that could materially affect the financial
statements.

b. Management philosophy and operating style


o The auditor should assess the management attitudes towards financial reporting and their
emphasis on meeting projected profit goals because these will significantly influence the risk
of material misstatements in the financial statements.

c. Active participation of those charged with governance


o The entity must have an audit committee which will be responsible for overseeing the
financial reporting policies and practices of the entity.

d. Commitment to competence
o The entity should consider the level of competence required for each task and translate it
to requisite knowledge and skills.

e. Personnel or Human Resource policies and procedures


o The entity must implement appropriate policies for hiring, training, evaluating, promoting,
and compensating entity’s personnel because the competence of the entity’s employees will
bear directly on the effectiveness of the entity’s internal control.

f. Assignment of authority and responsibility / organizational structure


o Organizational Structure provides a framework for planning, directing, and controlling the
entity’s operations.

2. Risk Assessment
 Entity’s business objectives cannot be achieved without some risk. Business risk is the risk that the
entity’s business objectives will not be attained as a result of internal and external factors such as
technological developments, changes in customer demand and other economic changes.

Considering the entity’s risk assessment process:


The auditor shall obtain understanding of whether the entity has a process for:
 Identifying business risks relevant to financial reporting objectives
 Estimating the significance of the risks
 Assessing the likelihood of their occurrence
 Deciding about actions to address those risks

3. Information and Communications Systems


 Effective internal control must provide timely information and communication. The information
system relevant to financial reporting objectives, which includes the financial reporting system,
consists of the procedures and records established to initiate, record, process and report entity
transactions (as well as events and conditions) and to maintain accountability for the related
assets, liabilities, and equity.
 Communication involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting.

Considering the information system:
The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:
 The classes of transactions in the entity’s operations that are significant to the financial
statements;
 The procedures, within both information technology (IT) and manual systems, by which
those transactions are initiated, recorded, processed, corrected as necessary, transferred
to the general ledger and reported in the financial statements;
 The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions; this
includes the correction of incorrect information and how information is transferred to the
general ledger.
 The records may be in either manual or electronic form;

An information system encompasses methods and records that:


 Identify and record all valid transactions.
 Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
 Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
 Present properly the transactions and related disclosures in the financial statements.

4. Control Activities
 Control Activities are the policies and procedures that help ensure that management directives are
carried out. Specific control procedures that are relevant to financial statement audit would
include:

a. Performance reviews
 These control activities include reviews and analyses of actual performance versus
budgets, forecast, and prior period performance; relating different sets of data to one
another together with analyses of the relationship and investigative and corrective
actions.

b. Information Processing
 A variety of controls are performed to check accuracy, completeness, and authorization
of transactions. When computer processing is used in significant accounting
applications, internal control procedures can be classified into two types:
general and application controls.

c. Physical controls
 These activities encompass the physical security of assets, including adequate
safeguards such as secured facilities over access to assets and records; authorization
for access to computer programs and data files; and periodic counting and
comparison with amounts shown on control records.

d. Segregation of duties
 Assigning different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets is intended to reduce the
opportunities to allow any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties.

5. Monitoring
 Is a process of assessing the quality of internal control performance over time. It involves assessing
the design and operation of controls on a timely basis and taking necessary corrective actions.
 Monitoring of controls is accomplished through ongoing monitoring activities, separate
evaluations, or a combination of the two.
o Ongoing monitoring – activities are built into the normal recurring activities of an entity
and include regular management and supervisory activities such as preparation of monthly
bank reconciliation.
o Separate evaluations – are monitoring activities that are performed on a non-routine basis,
such as functions performed by internal auditors.

Consideration of Internal Control


 Consideration of the entity’s internal control systems involves the following steps:
1. Understanding Internal Control
 The auditor should obtain sufficient understanding of the components of the entity’s internal
control relevant to the audit.
 Obtaining an understanding of internal control involves
a. Evaluating the design of a control; and
b. Determining whether it has been implemented

 An initial understanding of the design of the entity’s internal control systems is ordinarily
obtained by:
a. Making inquiries of appropriate individuals;
b. Inspecting documents and records; and
c. Observing the entity’s activities and operations.

The auditor uses the understanding of internal control to:

o Identify types of potential misstatements that can occur.
o Consider factors that affect the risk of material misstatements.
o Design the nature, timing, and extent of audit procedures to be performed.

2. Documenting the auditor’s understanding of internal control


 This documentation need not be in any particular form. The extent of documentation may
vary depending on the size and complexity of the entity and nature of the entity’s internal
control system.

3. Assessment of control risk


 The auditor’s preliminary assessment of control risk may be at a high level (100%) or less than
high level.
 When the auditor’s knowledge of the entity’s internal control indicates that internal controls
related to a particular assertion are not effective, the auditor may simply assess control risk at
a high level.
 Auditor’s response if control risk is assessed at maximum level:
o Auditor will not perform test of controls
o Auditor will primarily rely on substantive tests
 On the other hand, if the auditor believes that controls appear to be reliable, the auditor
should determine whether it is efficient to obtain the evidence to justify an assessment of
control risk at a lower level.
o Identify specific internal control policies or procedures that are likely to prevent or
detect and correct material misstatement relevant to financial statements assertion, and
o Perform test of control to determine the effectiveness of such policies or procedures.

4. Performing test of controls


 Test of controls are performed to obtain evidence about the effectiveness of the:
o Design of the accounting and internal control systems; or
o Operation of the internal controls throughout the period.
 According to PSA, the auditor should obtain audit evidence through test of control to support
any assessment of control risk at less than high level. The lower the assessment of control risk,
the more support the auditor should obtain that the internal control is suitably designed and
operating effectively.

Nature of Test of Control


Test of controls generally consists of one (or a combination) of the following evidence
gathering techniques – (1) inquiry, (2) observation, (3) inspection, and (4) reperformance.
o Inquiry - consists of searching for the appropriate information about the effectiveness
of internal control from knowledgeable persons inside or outside the entity.
o Observation - refers to looking at the process being performed by others.
o Inspection - involves the examination of documents and records to provide evidence
of reliability depending on their nature and source and the effectiveness of internal
control over the processing.
o Reperformance - involves repeating the activity performed by the client to determine
whether proper results were obtained.

Timing of Test of Control

Auditors usually perform test of controls during an interim visit in advance of period end.
However, auditors cannot rely on the result of such test without considering the need to
obtain further evidence relating to the remainder of the period. This evidence may be
obtained by performing test of control for the remaining period or by reviewing whether
there are changes affecting the entity’s internal control system. In determining whether or not
to test the remaining period, the following factors must be considered:
o The result of the interim tests.
o The length of the remaining period
o Whether changes have occurred in the accounting and internal control system during
the remaining period.

Extent of Test of Control

The auditor cannot possibly examine all transactions related to certain control procedures. In
an audit, the auditor should determine the size of a sample sufficient to support the assessed
level of control risk.

Using the Result of Test of Control


The conclusion reached as a result of this evaluation is called the assessed level of control risk.
The auditor uses the assessed level of control risk (together with the assessed level of
inherent risk) to determine the acceptable level of detection risk. There is an inverse
relationship between detection risk and the combined level of inherent and control risk.

In this regard, the auditor may consider modifying:
o The nature of substantive test from less effective to more effective procedures
o The timing of substantive test by performing them at year end rather than at interim
o The extent of substantive test from smaller to larger sample sizes.

5. Documenting the assessed level of control risk


 After evaluating the result of test of control and assessing the control risk, the auditor should
document his assessment of control risk.
 If the control risk is assessed at a high level, the auditor should document his conclusion that
control risk is at a high level.
 If control risk is assessed at less than high level, the auditor should document his conclusion
that the control risk is less than high and the basis of that assessment. This basis is actually the
result of test of control.

Communication of Internal Control Weakness


 As a result of the auditor’s consideration of the accounting and internal control systems, the auditor may
become aware of weaknesses in the systems. In this regard the auditor is required to report to the
appropriate level of management material weaknesses in the design or operation of the accounting and
internal control systems, which have come to the auditor’s attention.

Computerized Information System (CIS)
 Is a system composed of people and computers that processes or interprets information

Characteristics of CIS
a. Lack of visible transaction trails
b. Consistency of performance
c. Ease of access to Data and Computer Programs
d. Concentration of duties
e. Systems generated transactions
f. Vulnerability of data and program storage media

Internal Control in a CIS Environment


 When computer processing is used in significant accounting applications, internal control procedures can
be classified into two types: general and application controls.

1. General Controls
 General controls are those control policies and procedures that relate to the overall computer
information system. These include:

a. Organizational controls
o Designed to define the strategic direction and establish an organizational framework
over CIS activities.

b. Systems development and documentation controls
o Software development as well as change thereof must be approved by the appropriate
level of management and the user department.

c. Access controls
o Every computer system should have adequate security controls to protect equipment,
files, and programs. Access to the computer should be limited only to operators and
other authorized employees.

d. Data recovery controls
o Computer files can be easily lost and the loss of these files can be disastrous to an
entity. The survival of an entity affected by such disaster depends on its ability to
recover the files on a timely basis.

e. Monitoring controls
o Monitoring controls are designed to ensure that CIS controls are working effectively
as planned.

2. Application Controls
 Are those policies and procedures that relate to the specific use of the system. These are
designed to provide reasonable assurance that all transactions are authorized, and that they
are processed completely, accurately and in a timely manner. These include

a. Control over input
o The input stage involves capturing of a mass of data.
o Input controls are designed to provide reasonable assurance that data submitted for
processing are complete, properly authorized, and accurately translated into machine
readable form.

Examples of input controls

o Key Verification – This requires data to be entered twice (usually by different
operators) to provide assurance that no key entry errors were committed.
o Field Check – This ensures that the input data agree with the required field format.
o Validity Check – Information entered is compared with valid information in the
master file to determine the authenticity of the input.
o Self-checking Digit – This is a mathematically calculated digit which is usually
added to a document number to detect common transpositional errors in data
submitted for processing.
o Limit Check – Limit check or reasonable check is designed to ensure that data
submitted for processing do not exceed a predetermined limit or reasonable amount.
o Control Totals – These are totals computed based on the data submitted for
processing. Control totals ensure the completeness of data before and after they are
processed.
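
The input controls listed above, applied to one constructed batch of transactions. This is an added example, not part of the original module: the Luhn algorithm is assumed as the self-checking digit scheme, and the master file, limit, field formats and batch data are all constructed for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

MASTER_FILE = {"10017", "10025", "10033"}  # constructed master file of valid accounts
AMOUNT_LIMIT = Decimal("50000.00")         # assumed predetermined limit

def key_verify(first_keying, second_keying):
    """Key verification: fields where two independent keyings disagree."""
    return sorted(f for f in first_keying if first_keying[f] != second_keying.get(f))

def check_digit_ok(number):
    """Self-checking digit (Luhn, assumed): last digit must bring the weighted sum to 0 mod 10."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if pos % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def input_errors(rec):
    """Per-record input controls; an empty list means the record is accepted."""
    errors = []
    if not re.fullmatch(r"[0-9]{5}", rec["account"]):
        errors.append("field check: account")
    elif not check_digit_ok(rec["account"]):
        errors.append("self-checking digit")
    elif rec["account"] not in MASTER_FILE:
        errors.append("validity check")
    if not re.fullmatch(r"[0-9]+\.[0-9]{2}", rec["amount"]):
        errors.append("field check: amount")
    elif Decimal(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit check")
    return errors

def control_totals(records):
    """Control totals: record count, amount total, and a hash total of account numbers."""
    def num(text):
        try:
            return Decimal(text)
        except InvalidOperation:
            return Decimal(0)   # unreadable field: the batch will not reconcile
    return {
        "count": len(records),
        "amount": sum((num(r["amount"]) for r in records), Decimal(0)),
        "hash": sum((num(r["account"]) for r in records), Decimal(0)),
    }

def process_batch(header, records):
    """Reconcile control totals with the batch header, then accept or reject each record."""
    totals = control_totals(records)
    mismatched = sorted(k for k in header if totals[k] != header[k])
    rejected = {i: e for i, r in enumerate(records) if (e := input_errors(r))}
    accepted = [r for i, r in enumerate(records) if i not in rejected]
    return mismatched, accepted, rejected

# Constructed batch as keyed by the operator
BATCH = [
    {"account": "10017", "amount": "1200.00"},   # passes every control
    {"account": "10107", "amount": "300.00"},    # 10017 keyed with two digits transposed
    {"account": "10041", "amount": "75.50"},     # check digit is fine, account not on master file
    {"account": "10025", "amount": "90000.00"},  # exceeds the limit
    {"account": "1003A", "amount": "10.00"},     # 10033 mis-keyed with a letter
]
# Header totals prepared from the source documents before keying (constructed)
HEADER = {"count": 5, "amount": Decimal("91585.50"), "hash": 50133}
```

The count and amount totals reconcile here, but the hash total does not, which shows how a control total can reveal keying errors that leave the peso total unchanged.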

b. Controls over processing


o The processing stage involves converting the mass of raw data into useful
information
o Processing controls are designed to provide reasonable assurance that input data
are processed accurately, and that data are not lost, added, excluded, duplicated
or improperly changed

c. Controls over output

o Output stage involves preparation of information in a form useful to those who need
to use it.
o Output controls are designed to provide reasonable assurance that the results of
processing are complete, accurate and that these outputs are distributed only to
authorized personnel

Test of Control in a CIS Environment


 Test of control in a CIS environment involves evaluating the client’s internal control policies and
procedures to determine if they are functioning as intended.
 The auditor’s objective and scope of the audit do not change in a CIS environment. However, the use of
the computer changes the processing and storage of financial information and may affect the
organization and procedures employed by the entity to achieve adequate internal control.
 Testing the reliability of general controls may include observing client’s personnel in performing their
duties; inspecting program documentation and observing the security measures in force.
 In testing application controls, the auditor may either:
(a) Audit around the computer
(b) Use computer-assisted audit techniques

a. Audit Around the Computer

 When using this approach, the auditor ignores the client’s data processing procedures,
focusing solely on the input documents and the CIS output.
 This is also known as the black-box approach because it does not permit direct assessment
of actual processing of transactions.

b. Use of Computer-assisted Audit Technique (CAATs)


 Are computer programs and data which the auditor uses as part of the audit procedures to
process data of audit significance contained in an entity’s information systems.
 When computerized accounting systems perform tasks for which no visible evidence is
available, it may be impracticable for the auditor to test manually. The auditor will have to
audit directly the client’s computer program using CAATs.
 This is also called the white-box approach.

Commonly used CAATs:
1. Test Data
o Primarily designed to test the effectiveness of the internal control procedures which are
incorporated in the client’s computer program.
o The objective of the test data technique is to determine whether the client’s computer
programs can correctly handle valid and invalid conditions as they arise.
o A disadvantage of the test data technique is that the auditor does not have an
assurance that the program tested is the same program used by the client throughout
the accounting period.

2. Integrated Test Facility


o The auditor creates dummy or fictitious employee or other appropriate unit for testing
within the entity’s computer system. Unlike test data, which is run independently of the
client’s data, an ITF integrates the processing of test data with the actual processing of
ordinary transactions without management being aware of the testing process.

3. Parallel Simulation
o Parallel simulation requires the auditor to write a program that simulates key features or
processes of the program under review. The simulated program is then used to reprocess
transactions that were previously processed by the client’s program.

4. Snapshots
o This technique involves taking a picture of a transaction as it flows through the computer
systems. Audit software routines are embedded at different points in the processing logic to
capture the images of the transaction as it progresses through the various stages of
processing.
5. Systems Control Audit Review Files (SCARF)
The system control audit review file (SCARF) uses embedded audit modules to
continuously monitor transaction activity and collect data on transactions with special
audit significance.

Data recorded in a SCARF file or audit log include transactions that:
• Exceed a specified peso limit;
• Involve inactive accounts;
• Deviate from company policy; or
• Contain write-downs of asset values.

Periodically the auditor:


• Receives a printout of SCARF transactions;
• Looks for questionable transactions among them; and investigates
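
A sketch of the SCARF technique described above: an audit module embedded in a posting routine that records transactions meeting the four listed criteria while processing continues. This is an added example, not part of the original module; the `Ledger` class, the peso limit, the inactive-account list, the self-approval policy rule and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

PESO_LIMIT = Decimal("100000.00")   # assumed limit specified by the auditor
INACTIVE = {"ACC-300"}              # constructed list of inactive accounts

def audit_reasons(txn):
    """Embedded audit module: why this transaction has special audit significance."""
    reasons = []
    if abs(txn["amount"]) > PESO_LIMIT:
        reasons.append("exceeds peso limit")
    if txn["account"] in INACTIVE:
        reasons.append("inactive account")
    if txn["prepared_by"] == txn["approved_by"]:   # assumed company policy: no self-approval
        reasons.append("policy deviation: self-approved")
    if txn["type"] == "asset_write_down":
        reasons.append("asset write-down")
    return reasons

class Ledger:
    """Hypothetical stand-in for the client's posting program with the module embedded."""
    def __init__(self):
        self.balances = defaultdict(Decimal)
        self.scarf_file = []     # written during processing, read later by the auditor

    def post(self, txn):
        reasons = audit_reasons(txn)
        if reasons:              # in this example the module records and posting still proceeds
            self.scarf_file.append({"id": txn["id"], "reasons": reasons})
        self.balances[txn["account"]] += txn["amount"]

def scarf_printout(ledger):
    """Periodic printout for the auditor: transaction ids grouped by reason."""
    by_reason = defaultdict(list)
    for entry in ledger.scarf_file:
        for reason in entry["reasons"]:
            by_reason[reason].append(entry["id"])
    return dict(by_reason)

# Constructed transactions
SAMPLE = [
    {"id": "T1", "account": "ACC-100", "amount": Decimal("2500.00"),
     "type": "sale", "prepared_by": "clerk1", "approved_by": "sup1"},
    {"id": "T2", "account": "ACC-100", "amount": Decimal("250000.00"),
     "type": "sale", "prepared_by": "clerk1", "approved_by": "sup1"},
    {"id": "T3", "account": "ACC-300", "amount": Decimal("100.00"),
     "type": "sale", "prepared_by": "clerk2", "approved_by": "sup1"},
    {"id": "T4", "account": "ACC-200", "amount": Decimal("-40000.00"),
     "type": "asset_write_down", "prepared_by": "clerk2", "approved_by": "clerk2"},
]

def run_sample():
    """Post the constructed transactions and return the ledger for review."""
    ledger = Ledger()
    for txn in SAMPLE:
        ledger.post(txn)
    return ledger
```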
