
ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY

CPA Review Batch 45  May 2023 CPA Licensure Examination AT-09


AUDITING (Auditing Theory) J. IRENEO  E. ARAÑAS  F. TUGAS  C. ALLAUIGAN

UNDERSTANDING THE ENTITY’S INTERNAL CONTROL


Audit Risk and Risk Assessment Procedures
Definition of Terms:
Audit Risk - the risk that financial statements may contain material misstatements (i.e., inherent and
control risks) coupled with the possibility that the auditor may fail to detect those
misstatements (i.e., detection risk), which may lead the auditor to express an
inappropriate audit opinion.
a. Risk of Material Misstatements (RMM)
- Inherent Risk
- Control Risk
b. Detection Risk

RISK ASSESSMENT PROCEDURES (RAP)


Objective:
The auditor shall design and perform risk assessment procedures to obtain audit evidence that
provides an appropriate basis for:
(a) The identification and assessment of risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels; and
(b) The design of further audit procedures in accordance with ISA 330.

PART II: Understanding the Components of the Entity’s System of Internal Control
A. Controls- Policies or procedures that an entity establishes to achieve the control objectives of
management or those charged with governance.
i. Policies are statements of what should or should not be done within the entity to
effect control.
ii. Procedures are actions to implement policies.
B. The auditor shall understand the Components of the Entity’s System of Internal
Control
System of internal control
1. The system designed, implemented, and maintained by
a. those charged with governance
b. Management
c. other personnel
2. Providing reasonable assurance about the achievement of an entity’s objectives
which include:
a. reliability of financial reporting
b. effectiveness and efficiency of operations
c. compliance with applicable laws and regulations.
Components of the Entity’s System of Internal Control
(i) Control environment;
(ii) The entity’s risk assessment process;
(iii) The entity’s process to monitor the system of internal control;
(iv) The information system and communication; and
(v) Control activities.

In the information system and communication and control activities components,
the controls are primarily direct controls. Direct controls are controls that are
sufficiently precise to prevent, detect, or correct misstatements at the assertion level.

In the control environment, the entity’s risk assessment process and the entity’s
process to monitor the system of internal control components, the controls are primarily
indirect controls (although there may be some direct controls, these are likely less in
these components). Indirect controls are controls that support direct controls.

C. Specific Consideration
The auditor shall obtain an understanding of the COMPONENTS relevant to the preparation
of the financial statements AND evaluate these components through performing risk
assessment procedures.

Page 1 of 7 0915-2303213  www.resacpareview.com


CONTROL ENVIRONMENT

UNDERSTAND
(a) Understanding the set of controls, processes and structures that address:
(i) How management’s oversight responsibilities are carried out, such as the entity’s culture and
management’s commitment to integrity and ethical values;
(ii) When those charged with governance are separate from management, the independence of, and
oversight over the entity’s system of internal control by, those charged with governance;
(iii) The entity’s assignment of authority and responsibility;
(iv) How the entity attracts, develops, and retains competent individuals; and
(v) How the entity holds individuals accountable for their responsibilities in the pursuit of the
objectives of the system of internal control,
and

EVALUATE
(b) Evaluating whether:
(i) Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior;
(ii) The control environment provides an appropriate foundation for the other components of the
entity’s system of internal control, considering the nature and complexity of the entity; and
(iii) Control deficiencies identified in the control environment undermine the other components of
the entity’s system of internal control.

RISK ASSESSMENT PROCESS

UNDERSTAND
(a) Understanding the entity’s process for:
(i) Identifying business risks relevant to financial reporting objectives;
(ii) Assessing the significance of those risks, including the likelihood of their occurrence; and
(iii) Addressing those risks;
and

EVALUATE
(b) Evaluating whether the entity’s risk assessment process is appropriate to the entity’s
circumstances considering the nature and complexity of the entity.

MONITORING PROCESS

UNDERSTAND
(a) Understanding those aspects of the entity’s process that address:
(i) Ongoing and separate evaluations for monitoring the effectiveness of controls, and the
identification and remediation of control deficiencies identified;
(ii) The entity’s internal audit function, if any, including its nature, responsibilities and
activities;
(b) Understanding the sources of the information used in the entity’s process to monitor the system
of internal control, and the basis upon which management considers the information to be
sufficiently reliable for the purpose; and

EVALUATE
(b) Evaluating whether the entity’s process for monitoring the system of internal control is
appropriate to the entity’s circumstances considering the nature and complexity of the entity.

INFORMATION SYSTEM & COMMUNICATION

UNDERSTAND
(a) Understanding the entity’s information processing activities, including its data and
information, the resources to be used in such activities and the policies that define, for
significant classes of transactions, account balances and disclosures:
(i) How information flows through the entity’s information system, including how:
a. Transactions are initiated, and how information about them is recorded, processed, corrected as
necessary, incorporated in the general ledger and reported in the financial statements; and
b. Information about events and conditions, other than transactions, is captured, processed and
disclosed in the financial statements;
(ii) The accounting records, specific accounts in the FS and other supporting records relating to
the flows of information in the information system;
(iii) The financial reporting process used to prepare the entity’s FS, including disclosures; and
(iv) The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above;
(b) Understanding how the entity communicates significant matters that support the preparation of
the financial statements and related reporting responsibilities in the information system and
other components of the system of internal control:
(i) Between people within the entity, including how financial reporting roles and responsibilities
are communicated;
(ii) Between management and those charged with governance; and
(iii) With external parties, such as those with regulatory authorities;
and

EVALUATE
(c) Evaluating whether the entity’s information system and communication appropriately support the
preparation of the entity’s financial statements in accordance with the applicable financial
reporting framework.

Definition of terms:

General information technology (IT) controls – Controls over the entity’s IT processes that
support the continued proper operation of the IT environment, including the continued effective
functioning of information processing controls and the integrity of information (i.e., the completeness,
accuracy and validity of information) in the entity’s information system. Also see the definition of IT
environment.
Information processing controls – Controls relating to the processing of information in IT
applications or manual information processes in the entity’s information system that directly address
risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and
other information).
IT environment – The IT applications and supporting IT infrastructure, as well as the IT processes and personnel
involved in those processes, that an entity uses to support business operations and achieve business strategies.
For the purposes of this ISA:
(i) An IT application is a program or a set of programs that is used in the initiation, processing, recording
and reporting of transactions or information. IT applications include data warehouses and report writers.

(ii) The IT infrastructure comprises the network, operating systems, and databases and their related
hardware and software.

(iii) The IT processes are the entity’s processes to manage access to the IT environment, manage program
changes or changes to the IT environment and manage IT operations.

CONTROL ACTIVITIES

UNDERSTAND
(a) Identifying (and understanding) controls that address risks of material misstatement at the
assertion level in the control activities component as follows:
(i) Controls that address a risk that is determined to be a significant risk;
(ii) Controls over journal entries, including nonstandard journal entries used to record
nonrecurring, unusual transactions or adjustments;
(iii) Controls for which the auditor plans to test operating effectiveness in determining the
nature, timing and extent of substantive testing, which shall include controls that address risks
for which substantive procedures alone do not provide sufficient appropriate audit evidence; and
(iv) Other controls that the auditor considers to be appropriate to enable the auditor to meet the
objectives of RAP, based on the auditor’s professional judgement.
(b) Based on controls identified in (a), identifying the IT applications and the other aspects of
the entity’s IT environment that are subject to risks arising from the use of IT;
(c) For such IT applications and other aspects of the IT environment identified in (b), identifying:
(i) The related risks arising from the use of IT; and
(ii) The entity’s general IT controls that address such risks;
and

EVALUATE
(d) For each control identified in (a) or (c)(ii):
(i) Evaluating whether the control is designed effectively to address the risk of material
misstatement at the assertion level, or effectively designed to support the operation of other
controls; and
(ii) Determining whether the control has been implemented by performing procedures in addition to
inquiry of the entity’s personnel.

D. Control Deficiencies

Based on the auditor’s evaluation of each of the components of the entity’s system of internal
control, the auditor shall determine whether one or more control deficiencies have been
identified.
E. Assessing Control Risk

A. If the auditor plans to test the operating effectiveness of controls, the auditor shall assess
control risk.
B. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s
assessment of control risk shall be such that the assessment of the RMM is the same as the
assessment of inherent risk.
F. Documentation

The auditor shall include in the audit documentation the evaluation of the design of identified
controls, and determination whether such controls have been implemented.
G. Limitations of Internal Control

No matter how well designed and operated, IC can provide an entity with only reasonable
assurance about achieving the entity’s financial reporting objectives.
• human judgment in decision making
• breakdowns in internal control
• errors or mistakes
• collusion

Design, implementation, and monitoring of internal control vary depending on the entity’s
size and the complexity of its processes.

MULTIPLE CHOICE QUESTIONS

1. Which of the following is an incorrect statement in relation to internal controls?
A. Internal controls are processes designed, implemented and maintained by those charged
with governance, management, and other personnel.
B. Internal controls provide absolute assurance about the achievement of the entity’s
objectives on financial reporting, operations, and compliance.
C. There is a direct relationship between an entity’s objectives and the controls it
implements to provide reasonable assurance about their achievement.
D. Effective controls can reduce the cost of external audit.

2. Internal controls may be classified as?
I. Manual, automated or IT-dependent controls
II. Preventive, detective or corrective controls.
A. I only B. II only C. Both I and II D. Neither I nor II

3. Internal control can only provide reasonable, not absolute, assurance of achieving entity control
objectives. Which of the following is a limiting factor of achieving those objectives?
I. In the performance of most control procedures, there are possibilities of errors arising from
mistakes in judgment.
II. The board of directors is active and independent.
III. The cost of internal control should not exceed its benefits.
IV. Collusion may occur even if incompatible functions or duties have been segregated.
A. I and III only B. I, II and III only C. I, III and IV only D. I, II, III and IV

4. Which of the following conditions supports strong internal control?


A. Strict monitoring by the Bureau of Internal Revenue.
B. The existence of related parties and related party transactions.
C. Pressure by the financial community to improve earnings performance.
D. An economic downturn.

5. Which of the following is not useful for obtaining an understanding of internal controls?
A. Observe client activities and operations C. Make inquiries of the client’s personnel
B. Examine documents and records D. Read industry trade magazines

6. Evaluate the following statements:


I. When obtaining an understanding of an entity's control environment, an auditor should
concentrate on the substance of management's policies and procedures rather than their form
because management may establish appropriate policies and procedures but not act on them.
II. In the assessment of control risk, the auditor is basically concerned that the client's internal
control provides reasonable assurance that errors and fraud have been prevented or detected.
A. Both statements are false C. Only the first statement is true
B. Both statements are true D. Only the second statement is true

7. The 5 components of the system of internal control have been split into two types that align with the
nature of the controls within each component, and may affect the auditor’s identification and assessment
of risks of material misstatement, as well as responding to the assessed risks. Which among these
components have controls that are primarily indirect controls?
I. Control environment
II. The entity’s risk assessment process
III. The entity’s process to monitor the system of internal control
IV. The information system and communication
V. Control activities.
A. I, II, III
B. I, IIII
C. IV,IV
D. II, IV, V

8. S1 The control environment does not directly prevent, or detect and correct, misstatements.
S2 Control environment may provide an appropriate foundation for the system of internal control
and may help reduce the risk of fraud, an appropriate control environment is not necessarily
an effective deterrent to fraud.
A. False, True
B. True, False
C. True, True
D. False, False

9. Which of the following statements best describes “control activities”?
A. The entity’s process for identifying business risks relevant to financial reporting objectives
and deciding about actions to address those risks, and the results thereof.
B. The system for transferring information from transaction processing systems to the general
ledger or the financial reporting system.
C. Policies and procedures that help ensure that management directives are carried out.
D. This includes the governance and management functions and the attitudes, awareness,
and actions of those charged with governance and management concerning the entity’s
internal control and its importance to the entity.
10. Which of the following is not an element of “control environment”?
A. Commitment to competence
B. Communication and enforcement of integrity and ethical values
C. Assignment of authority and responsibility
D. Leadership responsibilities for quality within the firm
11. Management’s attitude towards aggressive financial reporting and its emphasis on meeting
projected profit goals most likely would significantly influence an entity’s control environment
when:
A. Management is dominated by one individual who is also a shareholder.
B. External policies established by parties outside the entity affect its accounting practices.
C. The audit committee is active in overseeing the entity’s financial reporting policies.
D. Internal auditors have direct access to the board of directors and entity management.
12. An entity’s risk assessment process includes how management:
I. Identifies business risks relevant to financial reporting objectives
II. Estimates the significance of the risks
III. Assesses the likelihood of the occurrence of risks
IV. Decides on actions to address the risks.
A. I and III only B. I, II and III only C. I, III and IV only D. I, II, III and IV

13. Risks can arise or change due to circumstances such as the following, except:
A. There is a change in the regulatory or operating environment.
B. No new employees have been hired by the company.
C. The company switched from manual information systems to a computerized system.
D. The accounting and financial reporting framework has experienced significant revisions.
14. Which of the following pertains to risk assessment?
I. An audit client’s process for identifying business risks relevant to the financial reporting
objective
II. Business procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed, corrected, transferred to the general ledger and reported
in the financial statements
III. Client policies on limiting physical access to assets and records
A. I and III only B. I only C. II and III only D. I, II and III

15. The information system consists of the following:


A. Infrastructure (physical and hardware components) and software
B. People
C. Procedures and data
D. All of these.

16. Control activities are the policies and procedures that help ensure that management directives are
carried out. These include activities relating to authorization, performance reviews, information
processing, physical controls and segregation of duties. There is proper segregation of duties when
an individual who
A. Authorizes a transaction records it.
B. Authorizes a transaction maintains custody of the asset that resulted from the transaction.
C. Records a transaction does not compare the accounting record of the asset with the asset itself.
D. Maintains custody of an asset has access to the accounting records for the asset.

17. The objective of the recording function of transactions (in the context of internal accounting control) is
to
A. Limit access to assets and to permit preparation of financial statements in accordance with GAAP.
B. Assure compliance with the rules of all regulatory bodies having jurisdiction over the reporting
entity.
C. Permit preparation of financial statements in accordance with GAAP and to maintain accountability
of assets.
D. Encourage operational efficiency and adherence to prescribed managerial policies.

18. Which of the following descriptions pertain to performance reviews?


A. Control activities that include reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance.
B. Controls performed to check accuracy, completeness, and authorization of transactions.
C. Physical security of assets, including adequate safeguards such as secured facilities over access
to assets and records.
D. The assignment of incompatible functions to different people.
E. Control activities involving the specific or general authorization of a transaction.
19. An entity’s ongoing monitoring activities often include:
A. Periodic audits by the audit committee.
B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.

20. Which of the following is not a detective control?


A. The use of batch totals.
B. Reconciling the accounts receivable subsidiary file with the control account.
C. Requirement that two persons open mail.
D. Preparation of bank reconciliation.

21. Not an example of general transaction authorization is the:


A. Setting of automatic reorder points.
B. Establishment of sales prices.
C. Establishment of a customer’s credit limits.
D. Approval of a construction budget for a new warehouse.

22. A control that reduces the risk that an existing or potential control weakness will result in a failure
to meet a control objective is referred to as:
A. Compensating control C. Conditional control
B. Non-routine control D. Offset control

23. Which of the following is (are) a correct statement(s) for internal control systems of small
companies?
I. Elements of internal control for small entities may not be available in documentary form
II. Segregation of incompatible duties is often inadequate due to staff limitations
III. The involvement of the owner-manager may be a compensatory control for the inadequate
segregation of incompatible duties

A. I and III only B. II only C. II and III only D. I, II and III

24. According to PSA 315, the auditor uses the understanding of internal control to:
I. Identify types of potential misstatements
II. Consider factors that affect the risk of material misstatements
III. Design the nature, timing and extent of further audit procedures (i.e., tests of controls and
substantive tests)

A. I and III only B. II only C. II and III only D. I, II and III

- END -
