Study and

Evaluation of

By: ATTY. PETER JAY S. GENISTON, CPA

 OBJECTIVES in UNDERSTANDING the
CLIENT’S INTERNAL CONTROL SYSTEM

❑ Identify types of potential misstatements

in the financial statements
❑ Identify factors that affect the risk of
material misstatements in the financial
statements
❑ Design the nature, extent and timing of
further audit procedures (tests of controls
and substantive tests
 INTERNAL CONTROL
- is the process designed and effected
by those charged with governance,
management, and other personnel to
provide reasonable assurance about
the achievement of the entity’s
objectives with regard to the
following:
❑ Reliability of financial reporting;
❑ Effectiveness and efficiency of operations; and
❑ Compliance with laws and regulations
 INTERNAL CONTROL -

❑ It is a PROCESS (a means to an end, not an end in

itself)
❑ It involves PEOPLE.

❑ It provides REASONABLE ASSURANCE.

❑ It is geared towards the ACHIEVEMENT of an entity’s

OBJECTIVES.
 INTERNAL CONTROL SYSTEM
- consists of all the POLICIES and PROCEDURES
adopted by the management of an entity to assist in
achieving management’s objective of ensuring, as
far as practicable, the following:
❑ Orderly and efficient conduct of its business;
❑ Adherence to management policies;
❑ Safeguarding of assets;
❑ Prevention and detection of fraud and error;
❑ Accuracy and completeness of accounting records;
❑ Timely preparation of reliable financial information
 FIVE INTER-RELATED COMPONENTS OF
INTERNAL CONTROL

1.Control Environment;
2.Risk Assessment;
3.Control Activities;
4.Information and Communication; and
5.Monitoring
 COMPONENTS OF INTERNAL CONTROL

CONTROL ENVIRONMENT
❑ Sets the tone of an organization, influencing the control
consciousness of its people.
❑ Elements of the Control Environment:
1. Communication and enforcement of integrity and ethical
values;
2. Commitment to competence;
3. Participation by those charged with governance;
4. Management’s philosophy and operating style;
5. Organizational structure;
6. Assignment of authority and responsibility;
7. Human resources policies and practices.
 COMPONENTS OF INTERNAL CONTROL

ENTITY’S RISK ASSESSMENT PROCESS

❑ Risk assessment – is the identification and analysis of
relevant risks to achievement of the objectives, forming
a basis for determining how the risks should be
managed.

❑ All entities, regardless of size, structure, nature or

industry, encounter risks at all levels within their
organizations.

❑ There is no practical way to reduce business risk to zero.

The decision to be in business creates risk.
 COMPONENTS OF INTERNAL CONTROL

ENTITY’S RISK ASSESSMENT PROCESS

❑ Risk identification – entity’s performance can be at risk
due to internal or external factors; must be
COMPREHENSIVE.

❑ Risk Analysis and Management –

1. Estimating the significance of a risk;
2. Assessing the likelihood (or frequency) of the risk
occurring;
3. Considering how the risk should be managed – that is, an
assessment of what actions need to be taken
 COMPONENTS OF INTERNAL CONTROL

INFORMATION SYSTEM AND COMMUNICATION

❑ Information System – consists of infrastructure (physical
and hardware components), software, people,
procedures and data.

❑ Information System relevant to financial reporting

objectives which includes the financial reporting system,
consists of the procedures and records established to
initiate, record, process and report entity transactions
and to maintain accountability for the related assets,
liabilities and equity.
 COMPONENTS OF INTERNAL CONTROL

INFORMATION SYSTEM AND COMMUNICATION

❑ Information System encompasses methods and records
that:
1. Identify and record all VALID transactions.
2. Describe on a TIMELY basis the transactions in sufficient
detail to permit proper CLASSIFICATION of transactions for
financial reporting.
3. MEASURE the value of transactions in a manner that permits
recording their proper monetary value in the financial
statements.
4. Determine the time period in which transactions OCCURRED to
permit recording of transactions in the proper accounting
period.
5. PRESENT properly the transactions and related DISCLOSURES
in the FS.
 COMPONENTS OF INTERNAL CONTROL

INFORMATION SYSTEM AND COMMUNICATION

❑ Communication involves providing an understanding of
individual roles and responsibilities pertaining to internal
control over financial reporting.
❑ Means of Communication – policy manuals, memoranda,
bulletin board notices and videotaped messages;
messages transmitted orally in large groups, smaller
meetings or one-on-one sessions.
 COMPONENTS OF INTERNAL CONTROL

CONTROL ACTIVITIES
❑ Control Activities are policies and procedures, which are
the actions of people to implement the policies, to help
ensure that management directives identified as
necessary to address risks are carried out.

❑ Control Activities include a range of activities as diverse

as approvals, authorizations, verifications,
reconciliations, reviews of operating performance,
security of assets and segregation of duties.
 COMPONENTS OF INTERNAL CONTROL

CONTROL ACTIVITIES

❑TYPES OF CONTROL ACTIVITIES:

1. PERFORMANCE REVIEWS
2. INFORMATION PROCESSING
3. PHYSICAL CONTROLS
4. SEGREGATION OF DUTIES
 COMPONENTS OF INTERNAL CONTROL

MONITORING OF CONTROLS
❑ Monitoring is a process to assess the quality of internal
control performance over time. It involves assessing the
design and operation of controls on a timely basis and
taking necessary corrective actions.

❑ METHODS for MONITORING CONTROLS:

1. Ongoing Activities
2. Separate Evaluations
The greater the degree and effectiveness of ongoing monitoring,
the less need for separate evaluations.
 INHERENT LIMITATIONS OF
INTERNAL CONTROL
❑ Management’s usual requirement that a control be cost
effective;
❑ The fact that most controls tend to be directed at anticipated
types of transactions and not at unusual transactions; the
potential for human error due to carelessness, distraction,
mistakes of judgment or the misunderstanding of instructions;
❑ The possibility of circumvention of controls through collusion
❑ The possibility that a person reasonable for exercising control
could abuse that responsibility
❑ The possibility that procedures may become inadequate due to
changes in condition and compliance with procedures may
deteriorate.
 RELEVANCE OF CONTROLS TO THE AUDIT

❑ Auditors should consider controls that are relevant to the audit

particularly those pertaining to the entity’s objective of
preparing financial statements;

❑ It is a matter of auditor’s professional judgment, whether a

control, individually or in combination with others, is relevant to
the auditor’s considerations in assessing the risk of material
misstatement and designing and performing further procedures
in response to assessed risks.
 INTERNAL CONTROL EVALUATION in FS AUDIT

❑ Nature, timing and extent of audit procedures to be performed in

gathering audit evidence take their most significant momentum
from a THOROUGH UNDERSTANDING of the design and
evaluation of the operating effectiveness of internal control;

❑ AUDITOR’S APPROACH in the study and evaluation of client’s

internal control generally consists of the following steps:
1. Obtaining an understanding of the client’s internal control
structure;
2. Make a preliminary assessment of control risk;
3. Determine the appropriate response to the assessed risks;
4. Reassess control risk;
5. Determine the nature, timing and extent of substantive tests.
 INTERNAL CONTROL EVALUATION in FS AUDIT

OBTAIN AN UNDERSTANDING OF THE

CLIENT’S INTERNAL CONTROL

1.Performing a preliminary review;

2.Identifying transaction cycles
3.Documenting the system
4.Performing a transaction walkthrough
5.Identifying controls that are
potentially reliable
 INTERNAL CONTROL EVALUATION in FS AUDIT

OBTAIN AN UNDERSTANDING OF THE

CLIENT’S INTERNAL CONTROL

❑ Major TRANSACTION CYCLES in a commercial

and industrial entity include:

1. Revenue / Receivables/ Cash Receipts Cycle

2. Purchasing / Payables/ Disbursements Cycle
3. Payroll Cycle
4. Production / Conversion Cycle
5. Financing and Investing Cycle
 INTERNAL CONTROL EVALUATION in FS AUDIT

OBTAIN AN UNDERSTANDING OF THE

CLIENT’S INTERNAL CONTROL

❑ Documentation of Understanding of Internal

Control:

1. Narratives
2. Internal Control Questionnaires
3. Flowcharts
 INTERNAL CONTROL EVALUATION in FS AUDIT

OBTAIN AN UNDERSTANDING OF THE

CLIENT’S INTERNAL CONTROL

❑ Performing a transaction WALKTHROUGH -

- following documentation, a single transaction
(or a small number of transactions) for each
major segment of the internal control structure is
selected and followed, or walked through the
accounting system.
- purpose: to verify narrative, questionnaire
and/or flowchart documentation
 INTERNAL CONTROL EVALUATION in FS AUDIT

OBTAIN AN UNDERSTANDING OF THE

CLIENT’S INTERNAL CONTROL

❑ RELATIONSHIP of CONTROLS to ASSERTIONS:

1. Assertions about classes of transactions and

events for the period under audit;
2. Assertions about account balances at the
period end;
3. Assertions about presentation and disclosure.
 INTERNAL CONTROL EVALUATION in FS AUDIT

MAKE A PRELIMINARY ASSESSMENT OF

CONTROL RISK

❑ In assessing control risk, the AUDITOR:

1. Considers the errors or irregularities that could occur
and that could result in material misstatements in the
financial statements;
2. Identifies relevant control procedures designed to
prevent the errors or irregularities; and
3. Performs tests of controls on the control procedures
to be relied on in designing substantive tests.
 INTERNAL CONTROL EVALUATION in FS AUDIT

MAKE A PRELIMINARY ASSESSMENT OF

CONTROL RISK
❑ HIGH CONTROL RISK ASSESSMENT can result from the
auditor’s belief that control structure policies and
procedures have not been effectively designed or have
not operated effectively.

❑ LESS THAN HIGH CONTROL RISK ASSESSMENT – the

auditor must be able to identify specific control structure
policies and procedures that are in place and are likely
to prevent or detect material misstatements; and MUST
test whether those policies and procedures are designed
and operating effectively.
 INTERNAL CONTROL EVALUATION in FS AUDIT

DETERMINE THE APPROPRIATE RESPONSE

TO THE ASSESSED RISKS

PRELIMINARY EFFECT ON
AUDIT TEST OF SUBSTANTIVE
CONTROL RISK ACCEPTABLE
APPROACH CONTROLS? TESTING?
ASSESSMENT DETECTION RISK
HIGH /
DECREASE NO RELIANCE NO YES
MAXIMUM
LESS THAN HIGH
or BELOW THE INCREASE RELIANCE YES YES
MAXIMUM
 INTERNAL CONTROL EVALUATION in FS AUDIT

DETERMINE THE APPROPRIATE RESPONSE

TO THE ASSESSED RISKS
❑ TEST OF CONTROLS are used to test either the
effectiveness of the design or operation of a client’s
internal control policy or procedure in support of a ‘less
than high’ control risk assessment.

❑ TEST OF CONTROLS are applied only to those controls

on which the auditor intends to rely when designing
substantive tests of account balances.
 INTERNAL CONTROL EVALUATION in FS AUDIT

DETERMINE THE APPROPRIATE RESPONSE

TO THE ASSESSED RISKS
❑ TEST OF CONTROLS generally consist of one, or a
combination of, the following procedures:

1. Inquiry of client personnel;

2. Observation of the application of policies and
procedures;
3. Inspection;
4. Reperformance or recalculation
 INTERNAL CONTROL EVALUATION in FS AUDIT

REASSESS LEVEL OF CONTROL RISK

REASSESSMENT OF EFFECT ON SUBSTANTIVE
AUDIT APPROACH
CONTROL RISK TESTING AUDIT PROGRAM
LESS EFFECTIVE
ASSESSMENT REMAINS AT PROCEDURES; INTERIM
LESS THAN HIGH OR RELIANCE TESTING MAY BE
BELOW THE MAXIMUM APPROPRIATE; LOWER
SAMPLE SIZES
MORE EFFECTIVE
PROCEDURES; TESTS
ASSESSMENT IS CHANGED
SWITCH TO NO-RELIANCE MOVED TO NEARER OR AT
TO HIGH OR MAXIMUM
YEAR-END; LARGER
SAMPLE SIZES
 INTERNAL CONTROL EVALUATION in FS AUDIT

REASSESS LEVEL OF CONTROL RISK

SHOULD THE AUDITOR DOCUMENT THE….

RISK ASSESSMENT Basis for the

Understanding of Control Risk
Control Risk
Internal Control? Assessment?
Assessment?

HIGH / MAXIMUM YES YES NO

LESS THAN HIGH or

BELOW THE YES YES YES
MAXIMUM
 INTERNAL CONTROL EVALUATION in FS AUDIT

DETERMINE THE NATURE, EXTENT AND

TIMING OF SUBSTANTIVE TESTS
❑ As the assessed level of control risk decreases, the
auditor may modify substantive tests in the following
ways:
1. Changing the NATURE of substantive tests (e.g. using
analytical review rather than detailed substantive testing)
2. Changing the TIMING of substantive tests (e.g. performing
them at an interim date rather than at year-end)
3. Changing the EXTENT of substantive tests (e.g. selecting
a small sample size)
 INTERNAL CONTROL EVALUATION in FS AUDIT

DETERMINE THE NATURE, EXTENT AND

TIMING OF SUBSTANTIVE TESTS

❑ SIGNIFICANT RISK – when the auditor has

determined that an assessed risk of
material misstatement at the assertion level
is a significant risk, the auditor SHOULD
perform substantive procedures that are
specifically responsive to that risk.
 DEFICIENCIES IN INTERNAL CONTROL

❑ A deficiency in internal control exists when:

1. A control is designed, implemented or operated in such a way

that it is UNABLE to prevent, or detect and correct,
misstatements in the FS on a timely basis; or
2. A control necessary to prevent, or detect and correct,
misstatements in the FS on a timely basis is MISSING.

❑ The AUDITOR shall communicate in WRITING significant

deficiencies in internal control identified during the audit to
those charged with governance on a timely basis.