CHAPTER 4: THE AUDIT PROCESS
risk by considering the different types of
GENERAL APPROACH WHEN
AUDITING FINANCIAL STATEMENTS
- An audit FS generally begins w/
the FS prepared by the entity. W/o
the FS, there would be no audit to
perform.
- A general approach to auditing FS
would require consideration of the
FS assertions, audit procedures, &
audit evidence.
MANAGEMENT ASSERTIONS
Audit procedures are designed to obtain
evidence about the assertions of
management that are embodied in the FS.
management assertions are implied or
expressed representations by
management about classes of
transactions (i.e. sales transactions) and
related accounts (i.e. sales & A/R) in the
FS. when the auditors have gathered
sufficient evidence to support each
management assertion, they have
sufficient evidence to support the audit
opinion.
FINANCIAL STATEMENT ASSERTIONS
The auditor should use assertions in
sufficient detail to form a basis for the
assessment of risks of material
misstatement & the design and
performance of further audit procedures.
The auditor uses assertions in assessing
potential misstatements that may occur, &
thereby designing audit procedures that
are responsive to assessed risks.
AUDIT PROCEDURES
Selection of the appropriate procedures to
satisfy a particular assertion is affected by
a number of factors including the auditor’s
assessment of materiality & risk.
Regardless of the procedures selected,
there is only one basic criterion. The
procedures selected should be enable the
auditor to gather sufficient appropriate
evidence about a particular assertion
INSPECTION
Involves examining of records,
documents, or tangible assets.
OBSERVATION
Consists of looking at a
process/procedure being performed by
others
INQUIRY
Consists of seeking information from
knowledgeable persons inside/outside the
entity.
CONFIRMATION
Consists of the response to an inquiry to
corroborate info contained in the
accounting records
COMPUTATION
Consists of checking the arithmetic
accuracy of source documents &
accounting records/performing
independent calculations.
ANALYTICAL PROCEDURES
Consist of the analysis of significant ratios
and trends including the resulting
investigation of fluctuations and
relationships that are inconsistent with the
other relevant information or deviate from
predicted amounts

AUDIT PROCEDURES are means used
by the auditor to obtain sufficient
appropriate evidence
AUDIT EVIDENCE refers to the info
obtained by the auditor in arriving at the
conclusions of which the audit opinion is
based.
It will comprise source documents &
accounting records underlying the FS and
corroborating information from other
sources. This evidence about the FS will
either prove/disprove the validity of
management assertions.
At the conclusion of the audit, the auditor
should carefully evaluate the audit
evidence obtained in order to come up
with an appropriate opinion.
OVERVIEW OF THE AUDIT PROCESS
The audit process is the sequence of
different activities involved in an audit. The
emphasis & order of certain activities may
vary depending upon a particular audit,
but basically this process should include
these activities, as shown on the pic:
STEP 1: ACCEPTING AN
ENGAGEMENT
The first step in the audit process is to
make a decision whether to accept/reject
an audit engagement. This process would
require the evaluation of the auditor’s
qualification as well as the auditability of
the prospective client’s FS.
A preliminary understanding of the client’s
business & background investigation of a
prospective client are usually performed at
this stage of the audit.
The procedures performed at this stage of
the audit are referred to in PSA 300 as
“preliminary planning activities”. These
procedures involve:
➢ Performing procedures regarding
the continuance of the client
relationship & the specific audit
engagement;
➢ Evaluating compliance w/ ethical
requirements, including
independence; &
➢ Establishing an understanding of
the terms of the engagement
STEP 2: AUDIT PLANNING
In planning an audit, the auditor obtains
more detailed knowledge about
the client’s business and industry in order
to understand the transactions
and events affecting the financial
statements, and to identify potential
problems that might be encountered
during the audit.
A preliminary assessment of risk and
materiality should also be made to
develop an overall audit strategy and a
detailed approach for the expected
conduct and scope of the examination
STEP 3: CONSIDERING THE INTERNAL
CONTROL
The auditor should give adequate
consideration to the entity’s internal
control because the condition of the
entity’s internal control directly affects the
reliability of the financial
statements.
The stronger the internal control, the more
assurance it provides
about the reliability of accounting data and
financial statements.
Consideration of internal control involves
obtaining understanding of the entity’s
control systems and assessing the level of
control risk that is, the risk that the client’s
internal
control may not prevent or detect material
misstatements in the FS.
If the auditor wants to assess control risk
at less than high level,
sufficient appropriate evidence must be
obtained to prove that
the internal control is functioning
effectively and that it can be relied upon
This evidence can be obtained by
performing test of controls.
STEP 4: PERFORMING SUBSTANTIVE
TESTS
Using the information obtained in steps 2
and 3 the auditor performs substantive
tests to determine whether the entity’s FS
are presented fairly in accordance with
financial reporting standards.
These procedures would involve
examination of the documents
and evidence supporting the amounts and
disclosures in the FS.
The extent of the substantive tests is
highly dependent on the results of the
auditor’s consideration of internal control If
based on the evaluation of internal control,
the auditor has obtained evidence that the
internal control is functioning effectively
the scope of the auditor’s substantive
tests can be reduced.
On the other hand, if the results of test of
control prove that the internal control is
weak, the auditor will have to compensate
for this weakness by performing more
extensive
substantive procedures.
STEP 5: COMPLETING THE AUDIT
The auditor must have sufficient
appropriate evidence in order to reach a
conclusion on the fairness of the FS After
the auditor has completed testing the
account balances, the auditor performs
additional audit procedures to complete
the audit and become satisfied that the
evidence gathered is consistent with the
auditor’s report
These procedures include:
1. Review of subsequent events and
contingencies
2. Assessing going concern
assumption
3. Performing overall analytical
review procedures and
4. Obtaining written representations
from the client management
STEP 6 : ISSUING A REPORT
On the basis of audit evidence gathered
and evaluated, the auditor forms a
conclusion about the FS This conclusion
(in the form of an opinion) is
communicated to various interested users
through an audit report.
ACCEPTING AN ENGAGEMENT
THE PROFESSIONAL STANDARD
RECAP CHAP 2
An important element of a firm’s quality
control policies & procedures is a system
of deciding whether to accept/reject an
audit engagement
ELEMENTS OF A SYSTEM OF
QUALITY CONTROL
PSA 220 states that audit firm should
implement policies and procedures
designed to ensure that
all audits are conducted in accordance
with PSAs.
The quality control policies and procedures
adopted by audit firms vary depending on
the firms deciding whether to accept or
reject an audit engagement factors. PSA
22O has identified the following quality
control policies that may serve as a guide
to audit firms in establishing their own
quality control system.
1. Leadership responsibilities for
quality on audits;
2. Ethical requirements;
3. Independence;
4. Acceptance and continuance of
client relationships;
5. Human resources and assignment;
6. Engagement performance; and,
7. Monitoring
ACCEPTANCE AND CONTINUANCE OF
CLIENT RELATIONSHIPS
The firm should establish policies and
procedures for the acceptance and
continuance of client relationships and
specific engagements, designed to
provide it with reasonable assurance that
it will only undertake or continue
relationships and engagement where it
1. Has considered the integrity of the
client
2. Is competent to perform the
engagement and has the
capabilities, time and resources to
do so and,
3. Can comply with ethical
requirements
In making this decision, the firm should
consider:
 Competence
 Independence
 Ability to sever the client properly
 The integrity of the prospective
client’s management
COMPETENCE | ACCEPTING AN
ENGAGEMENT
One of the primary considerations before
accepting an audit engagement is to
determine whether the auditor has the
necessary skills and competence to
handle the engagement.
According to the Code of Ethics,
professional accountants should not
portray themselves as having expertise
which they do not possess. Competence
is acquired through a combination of (1)
education, (2) training, and (3) experience.
Before accepting an engagement, the
auditor should obtain a preliminary
knowledge of the client’s business and
industry to determine whether the auditor
has the degree of competence required by
the engagement or whether such
competence can be obtained before the
completion of the audit
INDEPENDENCE | ACCEPTING AN
ENGAGEMENT
Essential to the credibility of the auditor’s
report is the concept of independence
Before accepting
an audit engagement, the auditor should
consider whether there are any threats to
the audit team’s independence and
objectivity and, if so, whether adequate
safeguards can be established
ABILITY TO SERVE THE CLIENT
PROPERLY | ACCEPTING AN
ENGAGEMENT
Closely related to competence is the
auditor’s ability to serve the client
properly. An engagement should not be
accepted if there are not enough qualified
personnel to perform the audit.

PSA 220 Audit work should be assigned
to personnel who have the appropriate
capabilities, competence and time to
perform the audit engagement in
accordance with professional standards.
There should be sufficient direction,
supervision and review of work at all
levels in order to provide reasonable
assurance that the firm’s quality standard
is maintained.
INTEGRITY OF MANAGEMENT |
ACCEPTING AN ENGAGEMENT
PSA 220 The auditors should conduct a
background investigation of the
prospective client in order to minimize the
likelihood of association with clients
whose management lacks integrity.
 Makes inquiries with prospective
client’s banker, legal counsel,
underwriter, etc. to obtain
information about the prospective
client's reputation.
 Communicate with the
predecessor auditor. It allows the
incoming auditor to gather
information about the client that
will be helpful in deciding whether
or not to accept the engagement.
But before the incoming auditor contacts
the predecessor auditor, the incoming
auditor should obtain client’s permission to
contact the predecessor auditor because
the code of ethics prevents an auditor
from disclosing any client information
without it’s approval Refusal of the
prospective client’s management to permit
this will raise serious questions as to
whether the engagement will be accepted
Once client permission is obtained, the
incoming auditor should inquire into
matters that may affect the decision to
accept the engagement, such as: (1)
understanding as to the reasons for the
change in auditors (2) any disagreements
between the predecessor auditor and the
client and, (3) any facts that may have a
bearing on the integrity of the prospective
client’s management.
The Code of Ethics requires the
predecessor auditor to respond fully to the
incoming auditor’s inquiry and advise the
incoming auditor if there are any
professional reasons why the engagement
should not be accepted
RETENTION OF EXISTING CLIENTS
The auditor’s evaluation of clients is not a
one time consideration. Clients should be
evaluated at least once a year or upon
occurrence of major events such as
changes in management, directors,
ownership, nature of client’s business, or
other changes that may affect the scope
of examination.
In general, conditions which would have
caused an accounting firm to reject a
prospective client may also result or lead
to a decision of terminating an audit
engagement
ENGAGEMENT LETTER
After accepting the audit engagement, an
engagement letter should be prepared.
This serves as the written contract
between the auditor and the client. This
letter sets forth:
 Objective of the FS audit to
express an opinion on the FS
 Management’s responsibility for
the fair presentation of the FS
 Scope of the audit
 Forms of any reports/other
communication that the auditor
expects to issue
 Facts that because of audit
limitations, there is an unavoidable
risk that material misstatements
may remain undiscovered
  Client responsibility to allow the
auditor to have unrestricted access
to whatever records,
documentation and other
information requested in
connection with the audit.
The auditor may also include the ff. items
in the engagement letter:
 Billing arrangements
 Expectation of receiving
management representation letter
 Arrangement concerning the
involvement of others (experts,
other auditors, internal auditors,
and other client personnel)
 Request for the client to confirm
the terms of the engagement.
IMPORTANCE OF ENGAGEMENT
LETTER
It is in the interest of both the auditor and
the client that the auditor sends an
engagement letter in order to:
 Avoid misunderstandings w/
respect to the engagement
 Document & confirm the auditor’s
acceptance of the appointment
RECURRING AUDITS
The auditor does not normally send new
engagement letter every year. However,
the following factors may cause the
auditor to send a new engagement letter.
➢ Any indication that the client
misunderstands the objective and
scope of the audit
➢ Any revised or special terms of the
engagement
➢ A recent change of senior
management, board of directors or
ownership
➢ A significant change in the nature
or size of the client’s business and,
➢ Legal requirements and other
government agencies’
pronouncements
When the auditor decides not to send a
new engagement letter, it may be
appropriate for the auditor to remind the
client of the original arrangements.
AUDITS OF COMPONENTS
When the auditor of a parent entity is also
the auditor of its subsidiary, branch or
division (component), the auditor should
consider the following factors in making a
decision of whether to send a separate
letter to the component:
 Who appoints the auditor of the
component
 Whether a separate audit report is
to be issued on the component
 Legal requirements
 The extent of any work performed
by other auditor
 Degree of ownership by parent
and,
 Degree of independence of the
component’s management
The Audit Process and the Nature of
Risks
The Audit Process Overview
• Assessing Client Acceptance and
Retention Decisions
• Understanding the Client
• Obtaining Evidence about Controls
and Determining the Impact on the
FS Audit
• Obtaining Substantive Evidence
about Account Assertions
• Wrapping Up the Audit and Making
Reporting Decisions
Nature of Risk
Business risk
 - Risk that affects the operations
and potential outcomes of
organizational activities.
Financial reporting risk
- Risk that relates to the recording of
transactions and the presentation
of financial data in an
organization’s financial statements.
Engagement risk
- Risk that auditors encounter by
being associated with a particular
client, including loss of reputation,
inability of the client to pay the
auditor, or financial loss because
management is not honest and
inhibits the audit process
Audit risk
- Risk that the auditor may provide
an unqualified opinion on financial
statements that are materially
misstated.
Factors affecting Business Risk:
 Economic climate
 Technological change
 Competition
 Business volatility
 Geographic location
Factors affecting Financial Reporting
Risk:
 Competence and integrity of
management;
 Incentives for management to
misstate financial statements;
 Complexity of transactions; and,
 Internal controls.
CHAPTER 5: AUDIT PLANNING
THE AUDT PROCESS
RECAP CHAP 4
Step 2: Audit Planning
In planning an audit, the auditor obtains
more detailed knowledge about the
client’s business and industry in order to
understand the transactions and events
affecting the financial statements, and
to identify potential problems that might
be encountered during the audit.
A preliminary assessment of risk and
materiality should also be made to
develop an overall audit strategy and a
detailed approach for the expected
conduct
AUDIT PLANNING
Audit Planning
- Involves developing a general audit
strategy and a detailed approach for
the expected conduct of the audit.
The auditor’s main objective in
planning the audit is to determine the
scope of the audit procedures to be
performed.
- The auditor should plan the audit work
so that the audit will be performed in
an effective and efficient manner. The
extent of planning will vary according
to the (1) size of the entity, (2) the
complexity of the audit and (3) the
auditor’s experience with the entity,
and (4) knowledge of the business.
Importance of adequate planning:
 Planning helps ensure that
appropriate attention is devoted
to important areas of the audit.
 It helps identify potential problems.
 It allows the work to be completed
expeditiously.
  It assists in the proper assignment
and coordination of work.
 It helps ensure that the audit is
conducted effectively and
efficiently.
PSA 315 requires the auditor to obtain
sufficient understanding of the entity and
its environment including its internal
control. Such understanding involves
obtaining knowledge about the entity’s:
a) Industry, regulatory, and other
external factors, including financial
reporting framework;
b) Nature of the entity, including
entity’s selection and application of
accounting policies;
c) Objectives and strategies and the
related business risks that may
result in a material misstatement of
the financial statements;
d) Measurement and review of the
entity’s performance; and
e) Internal Control
PSA 315 requires the auditor to obtain
sufficient understanding of the entity and
its environment including its internal
control. Such understanding involves
obtaining knowledge about the entity’s:
Understanding the entity and its
environment
For the audit to be carried out effectively
and efficiently, the auditor should obtain a
sufficient level of knowledge of the entity’s
business to identify and understand the
events, transactions and practices that
may have a significant effect on the
financial statements.
- The better the auditor understands the
client’s operations, the more efficient
the examination is likely to be, and the
greater the value to the client of the
auditor’s services.
If the auditor understands the operations
of the client, the auditor is often able to
evaluate the reasonableness of the
client’s estimates. In addition, procedure
can be selected with more assurance, or
perhaps uniquely applicable procedures
can be designed.
 Understand the entity’s
objectives and strategies, and
the related business risks. An
auditor’s understanding of
business risks encountered by the
entity increases the likelihood of
identifying risks of material
misstatement and helps the auditor
design appropriate audit
procedures.
 Understand the entity’s
measurement of performance.
This may create pressures on the
entity that may either motivate
management to take action to
improve the business performance
or to manipulate FS.
Sources of information
The auditor can obtain knowledge of the
industry and the entity from a number of
sources. These may include:
 Review of prior years’ working
papers;
 Tour of client’s facilities;
 Discussion with people within and
outside the entity;
 Reading books, periodicals and
other publications related to the
clients industry; or,
 Reading corporate documents and
financial reports
The auditor should also ensure that
assistants assigned to an audit
engagement obtain sufficient knowledge
of the client's business and industry to
enable them to carry out the work
delegated to them.
Users of information obtained
Knowledge of the client's business is a
frame of reference within which the
auditor exercises professional judgment.
Understanding the business and using this
information appropriately assists the
auditor in:
 Assessing risks and identifying
potential problems;
 Planning and performing the audit
effectively and efficiently;
 Evaluating audit evidence as
well as the reasonableness of
client's representations and
estimates; and,
 Providing better service to the
client.
To make effective use of knowledge
about the client's business and
industry, the auditor should consider
how it affects the financial statements
and whether the assertions in the
financial statements are consistent
with the auditor's knowledge of
business.
Obtaining understanding of the client's
business is a continuous and
cumulative process. For continuing
engagements, the auditor should
update and re-evaluate information
gathered previously, including
information in the prior year's working
papers.
Additional Consideration on New
Engagements
A first-time audit requires more work
than a repeat engagement because of
the problem associated with the
verification of the opening balances of
the balance sheet accounts. In this
regard, PSA 510 requires the auditor
obtain sufficient appropriate audit
evidence that:
 the opening balances do not
contain misstatements that
materially affect the current
year's financial statements;
 the prior period's closing
balances have been correctly
brought forward to the current
period or, when appropriate,
have been restated; and
 appropriate accounting policies
are consistently applied or
changes in accounting policies
have been properly accounted
for and adequately disclosed
The auditor may be able to obtain
sufficient appropriate evidence
regarding opening balances by
reviewing the predecessor auditor's
working papers. In these
circumstances, the auditor would also
consider the independence and
professional reputation of the
predecessor auditor.
MATERIALITY
Developing an Overall Audit Strategy
Once the auditor has gained a sufficient
understanding about the entity and its
environment including its internal
control, the auditor should formulate an
overall audit strategy for the upcoming
engagement. The best audit strategy is
the approach that results in the most
efficient audit- that is, an effective audit
performed at the least possible cost. An
audit plan should be made regarding:
 how much evidence to
accumulate;
 how and when this should be
done.
When developing an audit strategy, the
auditor must consider carefully the
appropriate levels of materiality and audit
risk.
Materiality
Materiality is defined in the Financial
Reporting Standard Council's "Framework
for the Preparation and Presentation of
Financial Statements," in the following
terms: "Information is material if its
omission or misstatement could influence
the economic decision of users taken on
the basis of the financial statements.”
In designing an audit plan, the auditor
should make a preliminary estimate of
materiality for use during the examination.
The concept of materiality recognizes that
some matters are important for fair
presentation of financial statements while
other matters are not important. Materiality
may be viewed as:
 the largest amount of
misstatement that the auditor could
tolerate in the financial statements,
or
 the smallest aggregate amount
that could misstate the financial
statements
Materiality is a matter of professional
judgment and necessarily involves
quantitative factors (amount of the item in
relation to the financial statements) and
qualitative factors (the nature of
misstatement).
Importance of materiality in planning
an audit
The auditor should make a preliminary
estimate of materiality to determine the
amount of evidence to accumulate. There
is an inverse relationship between
materiality and evidence. This means,
more evidence will be required for a low
peso amount of materiality than for a high
peso amount.
Uses of materiality
According to PSA 320, materiality should
be considered by the auditor:
 In the planning stage, to determine
the scope of audit procedures; and
 In the completion phase of the
audit, to evaluate the effect of
misstatements on the financial
statements.
Using Materiality Levels
The following steps may be used as a
guide when using materiality levels. Steps
1 and 2 are performed in the planning
phase while step 3 is performed in the
completion phase of the audit.
Step 1 Determine the Overall
Materiality - Financial Statement Level
The auditor should determine the amount
of misstatement that could be material to
the financial statements taken as a whole.
If the materiality level is set too low, the
auditor will be wasting his time auditing
accounts that are not important.
However, if materiality level is set too
high, the auditor may not detect
misstatements that could be material to
the readers of the financial statements.
When establishing materiality levels on a
financial statement level, the auditor
should consider that the financial
statements are interrelated- that is, a
misstatement on one financial statement
usually affects the other statement. For
this reason, the auditor should consider
materiality in terms of the smallest
aggregate level of misstatement that could
distort any one of the financial statements.
A common method of estimating
materiality at the financial statement level
is to multiply a statement base (total
assets, sales, or net income) by a certain
percentage.
For example, assume that the
auditor believes that
misstatements aggregating
P40,000 would have a material
effect on the client's income
statement and that these
misstatements would have to
aggregate P60,000 to materially
affect the balance sheet. When
designing audit procedures, it is
wiser for the auditor to design audit
procedures that will be expected to
detect misstatements aggregating
P40,000. By using P40,000 as the
 materiality level, the auditor will
have a reasonable assurance that
both financial statements are not
materially misstated.
Materiality Guidance:
Most accounting firms provide guidance to
their staff auditors in order to promote
consistent materiality judgments. The
guidelines usually involve applying
percentages to some base, such as total
assets, total revenue, or pretax income. In
choosing a base, the auditor considers the
stability of the base from year to year so
that materiality does not fluctuate
significantly between annual audits.
Income is often more volatile than total
assets or revenue.
A simple guideline for small business
audits could be, for example, to set overall
materiality at 1% of total assets or
revenue, whichever is higher. A traditional
starting point for many companies is 5% of
net income.
Step 2 Determine the Tolerable
Misstatement - Account Balance Level
Once the overall materiality is
established, the auditor determines
materiality at the account balance level.
This is done by allocating the overall
materiality to the financial statement
account balances. This allows the auditor
to determine the audit procedures that will
be applied to specific accounts. The
allocated materiality to an account is
called the tolerable misstatement for that
account.
The professional standards do not
provide specific guidelines as to
how the allocation should be done.
This process is highly subjective
and requires the exercise of great
deal of judgment by the auditor.
Step 3 Compare the aggregate
amount of uncorrected misstatements
with the overall materiality.
After performing audit procedures, the
auditor will have to compare the
aggregate uncorrected misstatements with
the overall materiality (preliminary
estimate of materiality or revised
materiality level) to determine whether or
not the financial statements are materially
misstated.
Basis that can be used to determine
the materiality level
Since audit planning is often performed
before year-end, annual financial
statements are usually not available. As a
result, the auditor uses alternative bases
to compute for the materiality levels, such
as:
 Annualized interim financial
statements
 Prior years' financial statements
 Budgeted financial statements of
the current year
AUDIT RISK
AUDIT RISK
After determining the materiality levels,
the auditor should design the audit to
provide reasonable assurance that the
financial statements taken as a whole are
free from material misstatements.
Reasonable assurance means that the
auditor can not possibly expect to
detect all material misstatements;
instead, the auditor should perform audit
procedures to increase the likelihood of
detecting these misstatements.
The auditor should use professional
judgment to assess audit risk and to
design audit procedures to ensure it is
reduced to an acceptably low level. When
designing substantive audit procedures,
the auditor should consider three main
issues:
1. What level of assurance does the
auditor wish to attain that the
financial statements do not contain
material misstatements? As this
level of assurance increases, the
scope of the auditor's substantive
tests increases.
2. How susceptible is the account to
material misstatement? As the
susceptibility of the account to
material misstatement increases,
the scope of the auditor's
substantive tests also increases.
3. How effective is the client's internal
control in preventing or detecting
misstatements? As the
effectiveness of the clients
internal control increases, the
scope of auditor's substantive
tests decreases.
Audit Risk Model
These three issues are the preliminary
basis for the development of the audit risk
model:
Audit Risk = Inherent Risk * Control Risk *
Detection Risk
Audit risk refers to the risk that the auditor
gives an inappropriate audit opinion on the
financial statements. This occurs because
the auditor believes that the financial
statements are fairly stated when in fact
the financial statements are materially
misstated.
Audit risk is the complement of audit
assurance. If the auditor is willing to
accept a 5% audit risk, he must design the
audit to have a 95% assurance or
confidence level that his opinion is correct
Because of the inherent limitations of the
audit, the auditor can not totally eliminate
the audit risk. The auditor should,
therefore, perform all the procedures in
order to limit his or her exposure to this
risk to low level. Thus, as the desired level
of audit risk decreases, the auditor should
design more effective substantive
procedures.
Inherent risk is the susceptibility of an
account balance or class of transactions
to a material misstatement assuming that
there were no related internal controls.
This concept recognizes that some
account balances, by nature, are more
susceptible to misstatement than
others. For example, those accounts that
are subject to complex calculations such
as pensions are more likely to be
misstated compared to other accounts.
PSA 315 requires the auditor to assess
inherent risk at the financial statement and
account balance or transaction class
levels.
Factors that affect the risk of
misstatement at the financial statement
level include:
1. The management integrity
2. Management Characteristics (e.g.
aggressive attitude toward
financial reporting)
3. Operating Characteristics (e.g.
profitability of the entity relative to
its industry is inadequate)
4. Industry Characteristics (e.g. the
industry is experiencing a large
number of business failures)
Factors affecting inherent risk at the
account balance level include:
1. Susceptibility of the account to
theft.
2. Complexity of calculations related
to account.
3. The complexity underlying
transactions and other events.
4. The degree of judgment involved
in determining account balances.
- As the assessed level of inherent risk
increases, the auditor should design more
effective substantive procedures.
- Control risk is the risk that a material
misstatement that could occur in an
account balance or class of transactions
will not be prevented or detected and
corrected on a timely basis by accounting
and internal control systems. Control risk
is related to the effectiveness of the
client's internal control. Like inherent risk,
control risk exists independently of the
audit of financial statements and is
assessed using the auditor's judgment. If
the entity's internal control is effective, the
assessed level of control risk decreases
(and vice versa).
- Holding other planning considerations
equal, as the assessed level of control risk
increases, the auditor should design more
effective substantive procedures.
- Detection risk is the risk that an
auditor's substantive procedure will not
detect a material misstatement.
- Detection risk is a function of the
effectiveness of the auditor's
substantive procedures.
- As the acceptable level of detection
risk decreases, the assurance directly
provided from substantive tests
increases. Hence, the auditor should
design more effective audit procedures in
order to achieve the desired level of
assurance.
- Unlike inherent and control risks, the
auditor can control the level of detection
risks by performing more effective
substantive procedures. The acceptable
level of detection risks is inversely related
to the assessed level of both inherent and
control risks.
Steps in using the audit risk model
Step 1 Set the desired level of Audit
Risk
There are no specific guidelines for setting
individual audit risk. The auditor uses his
judgment in determining the risk that he is
willing to take of accepting an assertion as
fairly stated when in fact it is materially
misstated. The auditor should plan the
audit in such a way that, after performing
audit procedures, an opinion can be
issued on the financial statements at a low
level of audit risk.
Step 2 Assess the Level of Inherent
Risk
Every account or assertion has a built-in
risk of being misstated. However, there
are some accounts that, by nature, are
more likely to be misstated compared to
other accounts. These are the accounts
that have high inherent risks.
When assessing inherent risks for each
account, the auditor must consider
specific factors related to the client that
may affect the risk of a material
misstatement for a particular account. In
making this assessment, the auditor will
rely primarily on his knowledge of the
client's business and industry, and the
results of his preliminary analytical
procedures.
Step 3 Assess the Level of Control
Risk
As stated earlier, control risk is the risk
that the client's internal control may not
detect or prevent a material
misstatement. Assessment of control
risk would involve studying and
evaluating the effectiveness of the client's
accounting and internal control systems.
When assessing the level of control risk,
the auditor should recognize that some
control risk will always be present
because of the inherent limitations of the
internal control. However, if a client
maintains effective internal control
systems, the risk of material
misstatements in the financial statements
can be minimized.
Step 4 Determine the Acceptable Level
of Detection Risk
Base on the desired audit risk level (Step
1) and the auditor's assessment of
inherent control risks (Steps 2 and 3), the
auditor determines the acceptable level of
detection risk. By rearranging the audit
risk model,
the acceptable level of detection risk can
be determined as follows:
Step 5 Design Substantive Tests
Unlike inherent risk and control risk,
detection risk can be increased or
decreased by the auditor by performing
substantive tests. Detection risk can be
looked at as the complement of the
assurance provided by substantive tests.
A 10% acceptable level of detection risk
means that substantive tests must be
designed to provide a 90% assurance of
detecting material misstatements.
Thus, a lower acceptable level of
detection risk increases the assurance
to be provided by substantive tests. To
obtain greater assurance, the auditor will
have to modify the scope of his
substantive tests such as:
 performing more effective
substantive procedures (nature)
 performing year-end procedures
(timing)
 using larger sample size (extent)
On the other hand, if the acceptable level
of detection risk is high, the assurance to
be provided by substantive tests will
decrease. As a result, the auditor could
reduce the scope of his substantive
procedures like:
 performing less effective
substantive procedures
(nature)
 performing the tests at interim
(timing)
 using smaller sample size
(extent)
Figure 5.2 – Using The Audit Risk
Model
Relating inherent, control, and
detection risk to the overall audit risk
The inherent, control, and detection risks
are components of the overall audit risk.
Therefore, an increase or decrease in
any of these components would cause
a corresponding increase or decrease in
the overall audit risk.
Of the three components, only the
detection risk can be controlled by the
auditor. Inherent and control risks are
functions of management and its
environment, and as such, the auditor can
not change the levels of inherent and
control risks. The auditor can only assess
their levels. On the other hand, detection
risk is a function of the auditor.
Accordingly, the level of detection risk can
be controlled by the auditor by performing
substantive procedures.
During an audit the auditor performs
procedures to assess the levels of
inherent and control risks. Based on the
results of such assessment, the auditor
determines the acceptable level of
detection risk and modifies the scope of
his substantive tests.
For example, if the assessed level of
inherent and control risk is high, the
auditor should minimize the level of
detection risk to be able to maintain the
planned overall audit risk level.
Conversely, if the assessed level of
inherent and control risk is low, the auditor
could accept a high level of detection risk
and still maintain the desired audit risk
level.
Relationship between materiality and
risk
When planning the audit, the auditor
considers what would make the
financial statements materially misstated.
The auditor's assessment of materiality
related to specific account helps the
auditor select audit procedures that can
be expected to reduce audit risk to an
acceptable level.
There is an inverse relationship between
materiality and the level of audit risk, that
is, the higher the materiality level, the
lower the audit risk and vice versa.
The auditor takes the inverse relationship
between materiality and audit risk into
account when determining the nature,
timing, and extent of audit procedures. For
example, if, after planning for specific
audit procedure, the auditor determines
that the acceptable materiality level is
lower, audit risk is increased. The auditor
would compensate for this by either:
 reducing the assessed level of
control risk, where this is possible,
and supporting the reduced level
by carrying out extended or
additional tests of control; or
 reducing detection risk by
modifying the nature, timing, and
extent of planned substantive
procedures.
Figure 5.3 – Effect of materiality on
audit risk and planned audit
procedures
RISK ASSESSMENT & ANALYTICAL
PROCEDURES
Risk Assessment Procedures
The procedures performed by auditors
to obtain an understanding of the
entity and its environment including its
internal control and to assess the risks of
material misstatements in the financial
statements are called "risk assessment
procedures". These include
a. Inquiries of management and
others within the entity
b. Analytical procedures; and
c. Observation and inspection
Information obtained in performing these
risk assessment procedures may be used
by the auditor as evidence to support
assessment of risk of material
misstatement. In addition, in performing
risk assessment procedures the auditor
may obtain audit evidence about the fair
presentation of financial statements or
about the operating effectiveness of
internal control even though such
procedures were not specifically planned
as substantive tests or tests of control.
ANALYTICAL PROCEDURES
Analytical procedures involve analysis of
significant ratios and trends, including the
resulting investigation of fluctuations and
relationships that are inconsistent with
other relevant information or deviate from
predicted amounts. A basic premise
underlying the use of analytical
procedures is that plausible relationships
among data may reasonably be expected
to exist and continue in the absence of
known conditions to the contrary.
PSA 520 requires the auditor to use
analytical procedures in the planning and
overall review stages of the audit. In the
planning stage of the audit, the application
of analytical procedures helps the auditor
assess the risk of material misstatements
in the financial statements.
Steps in Applying Analytical
Procedures
Analytical procedures help the auditor in
identifying unusual transactions and
events that may affect the fair
presentation of the financial statements.
Application of analytical procedures
involves the following steps:
Figure 5.4 – Steps in Applying
Analytical Procedures
Step 1 Develop expectations regarding
financial statements using:
 Prior years' financial statements
 Anticipated results such as
budgets or forecasts
 Industry averages (Financial
statements of other entities
operating within the same industry)
 Non-financial information
 Typical relationships among
financial statements account
balances
Step 2 Compare the expectations with
the financial statements under audit.
The auditor compares the financial
statements with his expectations to
identify significant fluctuations that are
inconsistent with the auditor's knowledge
or that deviate from predicted amounts.
Step 3 Investigate significant
unexpected differences (unusual
fluctuations) to determine whether
financial statements contain material
misstatements.
Investigation of unusual fluctuations
ordinarily begins with inquiries of
management, followed by corroboration of
management responses and applying
other appropriate audit procedures.
Uses of analytical procedures
Analytical procedures may be used for the
following purposes:
 As a planning tool to determine the
nature, timing, and extent of other
auditing procedures
 As a substantive test to obtain
corroborative evidence about
particular assertions related to the
account balance or transaction
class
 And as an overall review of the
financial statements in the
completion phase of the audit
Figure 5.5 – The Use of Analytical
Procedures in an Audit
Analytical procedures in planning an
audit
Analytical procedures used in planning an
audit should focus on
 Enhancing the auditor’s
understanding of the client’s
business
 Identifying areas that may
represent specific risks
The auditors understanding of the client's
business enables the auditor to develop
certain expectations regarding the client's
financial position and performance during
the period. If the figures reflected in the
financial statements do not conform to
the auditor's expectations, questions can
be raised about the reliability of the
financial statements or about the accuracy
of information obtained about the entity’s
business. Thus, analytical procedures
performed in the planning phase of the
audit are useful for confirming or
challenging the auditors understanding of
the client's business.
Figure 5.6 – Using Analytical
Procedures as a Planning Tool
In addition, analytical procedures can be
used to draw the auditor's attention to
those accounts in the financial statements
that are likely to be misstated. Once the
auditor has identified the areas
representing specific risks, the auditor can
direct audit effort to these accounts and
plan the nature, timing and extent of audit
procedures.
Documenting the Audit Plan
The final step in the planning process is
the documentation of the audit planning
process by preparing an overall audit plan,
audit program, and time budget.
 Audit Plan
o An audit plan is an overview of
the expected scope and
conduct of the audit. The
overall audit plan sets out in
broad terms the nature,
timing and extent of the
audit procedures to be
performed. While the audit
plan varies for each client, it
should be sufficiently detailed
to guide in the development of
an audit program.
 Audit Program
o The auditor should develop
and document an audit
program setting out the nature,
timing and extent of planned
audit procedures required to
implement the overall audit
plan. In effect, audit program
executes the audit strategy. It
sets out in detail the audit
procedures to be performed in
each segment of the audit. The
audit program serves as a set
of instructions to assistants
involved in the audit and as a
means to control and record
the proper execution of the
work.
o The form and content of the
audit program may vary for
each particular engagement
but it should always include a
detailed list of audit
procedures that the auditor
believes are necessary to
accomplish the audit
objectives.
 Time Budget
o A time budget is an
estimate of the time that
will be spent in executing
the audit procedures listed
in the audit program. This
provides a basis for
estimating audit fees and
assists the auditor in
assessing the efficiency of
the assistants.
Changes to all the plan and program
Planning is continuous throughout the
engagement because of changes in
conditions or unexpected results of audit
procedures. The overall audit plan and the
audit program should be revised as
necessary during the course of the audit
and the reasons for significant changes
would be recorded.
CHAPTER 6: CONSIDERATION OF
INTERNAL CONTROL
NATURE OF INTERNAL CONTROL
- Once the auditor has set the
desired level of audit risk &
assessed the appropriate level of
inherent risk, the next step is to
assess the level of control risk.

- Assessing control risk is the
process of evaluating the design
and operating effectiveness of an
entity’s internal control as to how it
prevents/detects material
misstatements in the fs. The
conclusion reached as a result of
assessing control risk is referred to
as the assessed level of control
risk.
- When an entity is small, it's owner
or manager can personally
perform, or directly oversee all of
its functions However as the entity
grows larger, it becomes
necessary to delegate functional
responsibilities to employees Once
this occurs, mechanisms need to
be introduced which enable the
performance of employees to be
checked, to ensure that they are
fulfilling their responsibilities as
intended.
- According to PSA 315 internal
control is the process designed
and effected by those charged with
governance, management, and
other personnel to provide
reasonable assurance about the
achievement of the entity's
objectives with regard to reliability
of financial reporting, effectiveness
and efficiency of operations and
compliance with applicable laws
and regulations.
1) Internal control is not an end in
itself. Instead, it is a means of
achieving the entity’s objectives.
2) Internal control is accomplished by
people at every level of
organization, including the
management, those change w/
governance, & entity’s staff
personnel.
It is the responsibility of the management
to establish a control environment and
maintain policies and procedures to assist
in achieving the entity's objectives Those
charged with governance, on the other
hand, ensure the integrity of accounting
and financial reporting systems through
oversight of management. Staff personnel
should also perform their respective
functions in order to accomplish the
objectives of the entity.
3.) Internal control can only provide
reasonable assurance (not
absolute assurance) that the
entity’s objectives will be achieved.
This is because there are inherent
limitations that may affect the
internal control’s effectiveness.
4.) Internal control is geared towards
the achievement of the entity’s
objectives.
INHERENT LIMITATIONS THAT MAY
AFFECT THE INTERNAL CONTROL’S
EFFECTIVENESS
 Management’s usual requirement
that the cost of an internal control
should not exceed the expected-
benefits to be derived.
 Internal controls tend to be
directed at a route transactions
rather than non routine
transactions.
 The potential for human error due
to carelessness, distraction,
mistakes of judgment and the
misunderstanding of instructions.
  The possibility of circumvention of
internal controls through the
collusion among employees.
 The possibility of management
overriding the internal control
 The possibility that procedures
may become inadequate due to
changes in conditions, and
compliance with procedures may
deteriorate.
In the audit of financial statements, the
auditor is only concerned with those
policies and procedures within the
accounting and internal control systems
that are relevant to the financial
statement assertions.
Therefore the objective that is most
relevant to the audit is the financial
reporting objective.
Operational and compliance objectives
may be relevant to the audit only if they
relate to data the auditor evaluates to
determine the reliability of some financial
statement assertions.
 Controls pertaining to non-financial
data that the auditor uses in
analytical procedures, such as
production statistics, or
 Controls pertaining to detecting
non-compliance with laws and
regulations that may have a direct
and material effect on the financial
statements, such as controls over
compliance with income tax laws
and regulations used to determine
the income tax provision, may be
relevant to an audit.
COMPONENT OF INTERNAL CONTROL
Although internal control policies and
procedures vary significantly from one
entity to another, there are essential
components of internal control that must
be established to provide reasonable
assurance that the entity's objectives will
be achieved. There are five interrelated
components of
the entity's internal control, namely:
CONTROL ENVIRONMENT
- The control environment includes
the attitudes, awareness, and
actions of management and those
charged with governance
concerning the entity's internal
control and its importance in the
entity. The control environment
also includes the governance and
management functions and sets
the tone of an organization,
influencing the control
consciousness of its people. It is
the foundation for effective internal
control, providing discipline and
structure.
FACTORS REFLECTED IN THE
CONTROL ENVIRONMENT INCLUDE:
✓ Integrity and ethical values
- Management should establish
ethical standards that discourage
employees from engaging in
dishonest, unethical, or illegal acts
that could materially affect the
financial statements.
✓ Management philosophy and operating
style
- The auditor should assess the
management attitudes towards
financial reporting and their
emphasis on meeting projected
profit goals because these will
significantly influence the risk of
material misstatements in the fs.
✓ Active participation of those charged
with governance
 - The entity must have an audit
committee which will be
responsible for overseeing the
financial reporting policies and
practices of the entity.
✓ Commitment to competence
- The entity should consider the
level of competence required for
each task and translate it to
requisite knowledge and skills.
✓ Personnel policies and procedures
- The entity must implement
appropriate policies for hiring,
training, evaluating, promoting,
and compensating entity's
personnel because the
competence of the entity's
employees will bear directly on the
effectiveness of the entity's internal
control.
✓ Assignment of responsibility and
authority Organizational structure
- Organizational structure provides a
framework for planning, directing,
and controlling the entity's
operations Appropriate methods of
assigning responsibility must be
implemented to avoid incompatible
functions and to minimize the
possibility of errors because of too
much work load assigned to an
employee.
RISK ASSESSMENT
- Management should adopt policies
and procedures that are designed
to identify and analyze the risks
affecting the entity's business and
to take the appropriate action to
manage these risks. For audit
purposes, the auditor is concerned
only with those risks that are
relevant to the preparation of
reliable financial statements.
INFORMATION & COMMUNICATION
SYSTEMS
- Effective internal control must
provide timely information and
communication The information
system relevant to financial
reporting objectives, which
includes the financial reporting
system, consists of the procedures
and records established to initiate,
record, process, and report entity
transactions (as well as events and
conditions) and to maintain
accountability for the related
assets, liabilities, and equity.
AN INFORMATION SYSTEM
ENCOMPASSES METHODS &
RECORDS THAT:
 Identify and record all valid
transactions.
 Describe on a timely basis the
transactions in sufficient details to
permit proper classification of
transactions for financial reporting.
 Measure the value of transactions
in a manner that permits recording
their proper monetary value in the
financial statements.
 Determine the time period in which
the transactions occurred to permit
recording of transactions in the
proper accounting period.
 Present properly the transactions
and related disclosures in the
financial statements.
Communication involves providing an
understanding of individual roles and
responsibilities pertaining to internal
control over financial reporting. Open
communication channels help ensure
that exceptions are reported and acted on.
Communication can be made
electronically orally and through the
actions of management. It can take such
forms as policy manuals accounting and
financial reporting manuals and
memoranda.
CONTROL ACTIVITIES
- Control activities are the policies
and procedures that help ensure
the management directives are
carried out Specific control
procedures that are relevant to
financial statement audit would
include: (1) performance reviews,
(2) information processing, (3)
physical controls, and (4)
segregation of duties.
1.) PERFORMANCE REVIEWS
- These control activities include
reviews and analyses of actual
performance versus budgets,
forecasts, and prior period
performance relating different sets
of data to one another, together
with analyses of the relationships
and investigative and corrective
actions.
2.) INFORMATION PROCESSING
- A variety of controls are performed
to check accuracy, completeness,
and authorization of transactions
When computer processing is
used in significant accounting
applications, internal control
procedures can be classified into
two types general and
application controls
3.) PHYSICAL CONTROLS
- These activities encompass the
physical security of assets,
including adequate safeguards
such as secured facilities over
access to assets and records
authorization for access to
computer programs and data files
and periodic counting and
comparison with amounts shown
on control records
4.) SEGREGATION OF DUTIES
- Assigning different people the
responsibilities of authorizing
transactions, recording
transactions, and maintaining
custody of assets is intended to
reduce the opportunities to allow
any person to be in a position to
both perpetrate and conceal errors
or fraud in the normal course of the
person's duties. Examples of
segregation of duties include
reporting, reviewing and approving
reconciliations, and approval and
control of documents.
MONITORING
- Monitoring is a process of
assessing the quality of internal
control performance over time It
involves assessing the design and
operation of controls on a timely
basis and taking necessary
corrective actions. Monitoring is
done to ensure that controls
continue to operate effectively.
- Monitoring of controls is
accomplished through ongoing
monitoring activities, separate
evaluations, or combination of two.
Ongoing monitoring activities are built
into the normal recurring activities of an
entity and include regular management
and supervisory activities such as
preparation of monthly bank reconciliation.
Separate evaluations are monitoring
activities that are performed on a non-
routine basis such as functions performed
by internal auditors.
INTERNAL CONTROL FOR A SMALL
BUSINESS
In small businesses, with very few office
employees, it is difficult to have proper
segregation of duties or maintain a
separate internal audit department
Consequently, internal control systems in
small businesses tend to be weak
compared to the internal control systems
of larger entities. These weaknesses,
however, can be compensated if the
owner/manager actively participates in
the operations of the business.
CONSIDERATION OF INTERNAL
CONTROL
- Auditors are not responsible for
establishing and maintaining an
entity's accounting and internal
control systems that is the
responsibility of the entity's
management. Nevertheless, the
auditors should give adequate
consideration to these controls
because the quality of the entity's
internal control systems can have
a significant impact on the audit.
(1) Understanding internal control
The auditor should obtain sufficient
understanding of the components of the
entity's internal control relevant to the
audit Obtaining an understanding of
internal control involves:
 evaluating the design of a control
and
 determining whether it has been
implemented
Evaluating the design of a control involves
considering whether the control,
individually or in combination with other
controls, is capable of effectively
preventing, or detecting and correcting
material misstatements. Implementation of
a control means that the control exists and
the controls have been placed in
operation.
An initial understanding of the design of
the entity’s internal control systems is
ordinarily obtained by:
 Making inquiries of appropriate
individuals
 Inspecting documents & records
 Observing of entity’s activities &
operations
After obtaining sufficient knowledge about
the design of the system, the auditor
should determine whether these controls
have been implemented. This is
accomplished by performing a "walk
through" test. This task involves tracing
one or two transactions through the entire
accounting systems, from their initial
recording at source to their final
destination as a component of an account
balance in the financial statements Walk
through test also confirms the auditor's
understanding of how the accounting
systems and control procedures function.
It is to be emphasized that the auditor is
not required to obtain knowledge about
the operating effectiveness of the
internal control when obtaining an
understanding of the entity's internal
control system. At this stage of the audit,
the auditor is basically concerned about
the design of relevant control policies and
procedures and whether such controls are
actually being applied.
The auditor uses the understanding of
internal control to:
 Identity types of potential
misstatements that can occur
 Consider factors that affect the risk
of material misstatement.
 Design the nature, timing, and
extent audit procedures to be
performed.
(2) Documenting the auditors
understanding of internal control
After obtaining sufficient knowledge about
the design of internal control system and
verifying the policies and procedures are
implemented, the next step would be for
the auditor to document his understanding
of accounting and internal control
systems. This documentation need not be
in any particular form. The extent of
documentation may vary depending on
the size and complexity of the entity and
nature of the entity's internal control
systems. Some commonly used forms of
documentation include:
 Narrative description of the entity’s
internal control
 Flowchart that diagrams the flow of
transactions and documents
 Internal control questionnaire
providing management’s
responses to questions about
internal control
(3) Assessment of control risk
After obtaining and documenting the
auditor's understanding of the accounting
and internal control systems, the auditor
should make a preliminary assessment
of control risk, at the assertion level, for
each material account balance or class
transactions. The auditor's preliminary
assessment of control risk may be at a
high level 100 or less than high level.
When the auditor's knowledge of the
entity's internal control indicates that
internal controls related to a particular
assertion are not effective; the auditor
may simply assess control risk at a high
level. Hence, no tests of controls need to
be performed and the auditor will rely
primarily on substantive tests.
On the other hand, if the auditor believes
that controls appears to be reliable the
auditor should determine whether it is
efficient to obtain the evidence to justify an
assessment of control risk at a lower level.
If the auditor concludes that it is more
efficient to rely on the entity's internal
control systems, the auditor would plan to
assess control risk at a less than high
level. For this purpose, the auditor should
 Identify specific internal control
policies or procedures that are
likely to prevent or detect and
correct material misstatement
relevant to fs assertion
 Perform tests of control to
determine the effectiveness of
such policies & procedures.
(4) Performing tests of controls
Irrespective of how effective internal
control procedures may appear to be in
preventing material misstatements from
occurring in the financial statements,
before the auditor can rely on them to
reduce substantive tests, the auditor must
test these controls to obtain evidence that
they are working effectively as the
preliminary assessment suggests.
Test of controls are performed to obtain
evidence about the effectiveness of the
 Design of the acctg & internal
control systems or
 Operation of the internal controls
throughout the period
It is important to note that the auditor will
only tests the operating effectiveness of
controls that are likely to detect or prevent
material misstatements. That is, the
auditor will only test those controls that he
or she plans to rely upon.
The auditor should obtain audit evidence
through tests of control to support any
assessment of control risk at less than
high level. The lower the assessment of
control risk, the more support the auditor
should obtain that the internal control is
suitably designed and operating effectively
Thus, the greater the reliance the auditor
plans to place on internal control, the
more extensive the tests of those controls
that need to be performed.
(5) Documenting the assessed level of
control risk
After evaluating the results of tests of
control & assessing the control risk, the
auditor should document his assessment
of control risk.
If the control risk is assessed at a high
level the auditor should document his
conclusion that control risk is at a high
level.
If control risk is assessed at less than high
level the auditor should document his
conclusion that control risk is less than
high and the basis for that assessment.
This basis is actually the results of tests of
control. Hence, the auditor can not assess
control risk at less than high level without
performing tests of control
Communication of Internal Control
Weaknesses
- As a result of the auditor's
consideration of the accounting
and internal control systems, the
auditor may become aware of
weaknesses in the systems In this
regard, the auditor is required to
report to the appropriate level of
management material weaknesses
in the design or operation of the
accounting and internal control
systems, which have come to the
auditor's attention. This
communication would ordinarily be
in writing and should be done at
the earliest opportunity so that
appropriate corrective actions may
be taken as soon as possible. Oral
communications could also be
made provided these are
adequately documented in the
audit working papers
- It is to be emphasized the
auditors are not required to
search for and/or identify
internal control weaknesses.
The auditors must, however,
communicate internal control
weaknesses to the client when
they come to their attention during
the course of the audit. These
internal control weaknesses
together with other matters of
concern are documented in a
formal management letter.
TEST OF CONTROLS
NATURE OF TEST OF CONTROLS
- Tests of controls generally consist
of one (or a combination) of the
following evidence gathering
techniques: (1) inquiry, (2)
observation, (3) inspection, and (4)
reperformance
INQUIRY
- Searching for the appropriate
information about the effectiveness
of internal control from
knowledgeable persons
inside/outside the entity.
OBSERVATION
- Looking at the process being
performed by others.
- Ex: the auditor may observe the
payroll payoff procedures/ the
performance of internal control
system procedures that leave no
evidence of performance
INSPECTION
- Examination of documents &
records to provide evidence of
reliability depending on their nature
& source & the effectiveness of
internal control over their
processing.
REPERFORMANCE
- Repeating the activity performed
by the client to determine whether
proper results were obtained
- Ex: tracing the sales process
through the authorized price list in
effect at the date of the transaction
if no errors are found, the auditor
 can conclude that the procedure is
operating as intended.
For certain controls such as SOD,
documentary evidence (audit trail) may
not exist In this case, the auditor will have
to test the effectiveness of the control
procedure by making inquiry of
appropriate
client personnel and observing the
application of the control procedures.
There is a significant overlap between the
procedures used to obtain understanding
and tests of controls. Notice that inquiry of
client personnel, observation of
procedures and inspection of documents
are also used when obtaining
understanding about the entity's internal
control system. In fact, many of the
procedures used to understand the design
of internal control may provide
evidence about the reliability of the client's
accounting and internal control systems.
Consequently, obtaining understanding
of the entity's internal control system
and assessing control risks are often
done simultaneously.
TIMING OF TEST OF CONTROLS
Auditors usually perform tests of controls
during an interim visit in advance of period
end. However, auditors cannot rely on the
results of such tests without considering
the need to obtain further evidence
relating to the remainder of the period.
This evidence may be obtained by
performing tests of control for the
remaining period or by reviewing whether
there are changes affecting the entity's
internal control system. In determining
whether or not to test the remaining
period, the following factors must be
considered:
 The results of the interim tests
 The length of the remaining period
 Whether changes have occurred in
the accounting and internal control
systems during the remaining
period.
EXTENT OF TESTS OF CONTROLS
- The auditor can not possibly
examine all transactions related to
certain control procedures. In an
audit, the auditor should determine
the size of sample sufficient to
support the assessed level of
control risk.
- Based on the results of the tests of
control, the auditor should evaluate
whether the internal controls are
designed and operating as
intended.
- The conclusion reached as a result
of this evaluation called the
assessed level of control risk.
USING THE RESULTS OF TESTS OF
CONTROL
The auditor uses the assessed level of
control risk (together with the assessed
level of inherent risk) to determine the
acceptable level of detection risk. There is
an inverse relationship between
detection risk and the combined level of
inherent and control risks.
Ex: if the combined assessed level of
inherent and control risk is high detection
risk needs to be low
to reduce audit risk to an acceptably low
level
The auditor may consider modifying:
 The nature of substantive tests
from less effective to more
effective procedures
 The timing of substantive tests by
performing them at year-end rather
than at interim
 The extent of substantive tests
from smaller to larger sample size