
INTRODUCTION | CONCEPTS

Nature of Internal Control

When an entity is small, its owner or manager can personally perform, or
directly oversee, all of its functions. However, as the entity grows larger it becomes
necessary to delegate functional responsibilities to employees. Once this occurs,
mechanisms need to be introduced which enable the performance of the
employees to be checked, to ensure that they are fulfilling their responsibilities as
intended.

By obtaining evidence that the entity's internal control is operating
effectively, the auditor can potentially reduce the need for extensive additional
audit procedures. Thus, this improvement in audit efficiency does not compromise
audit effectiveness.

PSA 315 defines internal control as the process designed and effected by
those charged with governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity's objectives with regard
to reliability of financial reporting, effectiveness, and efficiency of operations and
compliance with applicable laws and regulations.

This definition embodies four essential concepts.

1. Internal control is a process.


2. Internal control is effected by those charged with governance,
management and other personnel.

Internal control is accomplished by people at every level of organization,
including the management, those charged with governance, and the entity's staff
personnel. It is the responsibility of the management to establish a control
environment and maintain policies and procedures to assist in achieving the
entity's objectives. Those who are entrusted with governance are tasked with
ensuring adherence to proper practices, diligently monitoring the executives to
guarantee their actions are conducted with integrity and precision. Simultaneously,
the staff personnel must diligently execute their duties to contribute to the
organization's attainment of its objectives.

3. Internal control can be expected to provide reasonable assurance of
achieving the entity's objectives.

Internal control can only provide reasonable assurance (not absolute
assurance) that the entity's objectives will be achieved. This is because there
are inherent limitations that may affect the internal control's effectiveness.
These limitations include:

a. Management's usual requirement that the cost of an internal control
should not exceed the expected benefits to be derived;
b. Most internal controls tend to be directed at routine transactions
rather than non-routine transactions;
c. The potential for human error due to carelessness, distraction,
mistakes of judgment and the misunderstanding of instructions;
d. The possibility of circumvention of internal controls through the
collusion among employees;
e. The possibility of management overriding the internal control; and
f. The possibility that procedures may become inadequate due to
changes in conditions, and compliance with procedures may
deteriorate.
4. Internal control is designed to help achieve the entity's objectives.
a. Operational Objective - Effectiveness and efficiency of operations;
b. Compliance Objective - Compliance with relevant laws and
regulations; and
c. Financial Reporting Objective - Reliability of financial reporting

The primary focus of auditors during the financial statement audit is to
assess the policies and procedures governing accounting and internal
control systems. Consequently, the main objective of the audit is to ensure
the reliability of financial reporting. Auditors may also consider operational
and compliance objectives. However, these objectives are only taken into
account if they are directly linked to the data that auditors examine to verify
the accuracy of specific financial statement assertions. For instance,
controls over non-financial data used in analytical procedures, such as
production statistics, or controls designed to detect non-compliance with
laws and regulations that can impact the financial statements, may be
relevant to the audit.

Components of Internal Control

Internal control policies and procedures differ across different organizations,
but there are certain important components that need to be in place to ensure that
the organization's objectives are met. These components are interrelated and
include the following:

✓ Control Environment;
✓ Risk Assessment;
✓ Information and communication systems;
✓ Control activities; and
✓ Monitoring

Control Environment

The control environment encompasses the attitudes, awareness, and actions of
management and those responsible for governance within an organization. It
refers to their recognition of the significant importance of internal control. This
fundamental element sets the overall tone of the organization with discipline,
shaping the mindset of its individuals towards embracing control measures.

Factors reflected in the control environment include:

1. Integrity and Ethical Values

Management should establish ethical standards that discourage
employees from engaging in dishonest, unethical, or illegal acts that could
materially affect the financial statements.

2. Management Philosophy and Operating Style

The auditor should assess management's attitude towards financial
reporting as well as its emphasis on meeting projected profit goals because
these will significantly influence the risk of material misstatements in the
financial statements.

3. Active Participation with Governance

The entity must have an audit committee which will be responsible for
overseeing the financial reporting policies and practices of the entity.

4. Commitment to Competence

The entity should consider the level of competence required for each task
and translate this to requisite knowledge and skills.
5. Personnel Policies and Procedures

The entity must implement appropriate policies for hiring, training,
evaluating, promoting, and compensating the entity's personnel, because the
competence of the entity's employees will bear directly on the effectiveness of
the entity's internal control.

6. Assignment of Responsibility and Authority/Organizational Structure

Organizational structure provides a framework for planning, directing,
and controlling the entity's operations. Appropriate methods of assigning
responsibility must be implemented to avoid incompatible functions and to
minimize the possibility of errors because of too much workload assigned to an
employee.

Risk Assessment

Business risk - the risk that the entity’s business objectives will not be
attained as a result of internal and external factors (e.g. technological
developments, changes in customer demand, etc.)

Management should adopt policies and procedures designed to identify
and analyze the risks affecting the entity’s business and take appropriate action to
manage these risks. Meanwhile, the auditor is only concerned with risks relevant to
the preparation of reliable financial statements.

Information and Communication Systems

The information system relevant to financial reporting objectives, which includes the
financial reporting system, consists of procedures and records established to
initiate, record, process, and report entity transactions as well as to maintain
accountability for the related assets and liabilities. It encompasses methods and
records that:

✓ Identify and record all valid transactions;
✓ Describe the transactions in sufficient detail and in a timely manner, in order
to permit proper classification of transactions for financial reporting;
✓ Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements;
✓ Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period; and
✓ Present the transactions and related disclosures properly in the financial
statements.

Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. It can be
made electronically, verbally, and through the actions of the management in the
form of policy manuals, accounting and financial reporting manuals, and
memoranda.

Control Activities

These are policies and procedures that help ensure the management directives
are carried out. The specific control procedures that are relevant to financial
statement audit include:

1. Performance Reviews

It includes reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance, then relating different sets of data to one
another, together with analyses of relationships and investigative and corrective
actions.

2. Information Processing

A variety of controls are performed to check accuracy, completeness, and
authorization of transactions. When it is used, it can be classified as general and
application controls.

3. Physical Controls

It encompasses physical security of assets, including adequate safeguards
such as secured facilities over access to assets and records; authorization for
access to computer programs and data files; and periodic accounting and
comparison with amounts shown on control records.

4. Segregation of Duties

Assigning responsibilities to different people is intended to reduce the
opportunities for any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of that person's duties.

Monitoring

It is a process of assessing the quality of internal control performance over time
by assessing the design and operation of controls on a timely basis and taking
necessary corrective actions.

Ongoing monitoring - built into the normal recurring activities of an entity and
includes regular management and supervisory activities.

Separate evaluations - performed on a non-routine basis.


Internal Control for a Small Business

Because small businesses have few employees, it is difficult to have
segregation of duties. Therefore, internal control systems of small businesses tend
to be weak. These weaknesses, however, can be compensated if the
owner/manager actively participates in the operation of the business.

Consideration of Internal Control

Auditors are not responsible for establishing and maintaining an entity’s
accounting and internal control: that is the responsibility of the management.
However, auditors should give adequate consideration to these controls because
the condition of the entity’s internal control systems can have a significant impact
on the audit.

Steps on Considering the Entity’s Internal Control Systems

➢ Obtaining understanding of the internal control
o This involves evaluating the design of a control and
determining whether it has been implemented.
o Design evaluation can be obtained through:
- Making inquiries
- Inspecting documents and records
- Observing entity’s activities and operations
o A walk-through can be performed to determine whether the internal
control has been implemented.
o The understanding of internal control obtained should be adequate
to:
- Identify the types of potential misstatements.
- Consider factors that affect the risk of material misstatement.
- Design the nature, timing, and extent of audit procedures to be performed.
➢ Documenting the understanding of accounting and internal controls
o After obtaining an understanding of entity’s internal control, the
auditor is required to document his understanding of accounting and
internal controls.

The following are ways of documenting:

o Narrative descriptions
o Flowchart
o Internal Control Questionnaires (ICQ)
➢ Assessment of Control Risk
o Auditor will now make a preliminary assessment of control risk. It can
be at a high level (100%) or less than high level.
o If the auditor believes that the internal control is not effective, the
assessed control risk is at a high level. Hence, no test is needed if the
auditor believes that it is effective.
o If the auditor believes that the internal control is reliable, the auditor
should determine whether it is efficient to obtain the evidence to
justify the assessment of control risk at a low level.
➢ Performing Test of Controls
o Irrespective of how effective the internal control is, the auditor needs
to perform a test of controls. It is used to obtain evidence about the
design and operation of the internal control.
o Nature of Tests of Control
- Inquiry
❖ Searching for the appropriate information about the
effectiveness of internal control.
- Observation
❖ Looking at the process being performed by others.
- Inspection
❖ Examination of documents and records to provide
evidence of reliability depending on their nature and
source.
- Reperformance
❖ Repeating the activity performed by the client to
determine whether proper results were obtained.
o Timing of Tests of Controls
- It can be performed during an interim visit in advance or period.
However, auditors shall still perform tests of controls for the
remaining period.
o Extent of Tests of Controls
- Determining the sample size that is sufficient to support the
assessed level of control risk.
o Using the results of Tests of Controls
- The conclusion reached is called the assessed level of control
risk.
- There is an inverse relationship between detection risk and
combined inherent risk and control risk.
➢ Documenting the Assessed Level of Control Risk

Performing Tests of Controls

Irrespective of how effective internal control procedures may appear to be
in preventing material misstatements from occurring in the statements, before the
auditor can rely on them to reduce substantive tests, the auditor must test these
controls to obtain evidence that they are working as effectively as the preliminary
assessment suggests.

Tests of controls are performed to obtain evidence about the effectiveness of the:

➢ Design of the accounting and internal control systems; or
➢ Operation of the internal controls throughout the period.

It is important to note that the auditor will only test the operating effectiveness
of controls that are likely to detect or prevent material misstatements. That is, the
auditor only tests those controls that he or she plans to rely upon.

According to PSA, the auditor should obtain audit evidence through tests of
control to support any assessment of control risk at less than high level. The lower
the assessment of control risk, the more support the auditor should obtain that the
internal control is suitably designed and operating effectively. Thus, the greater the
reliance the auditor plans to place on internal control, the more extensive the tests
of those controls that need to be performed.

Nature of Test of Controls

I Inquiry - searching for the appropriate information about the effectiveness of internal
control from knowledgeable persons inside or outside the entity.

O Observation - looking at the process being performed by others.

I Inspection - examination of documents and records to provide reliable evidence
depending on their nature and source and the effectiveness of internal control over
their processing.

R Reperformance - repeating the activity performed by the client to determine if the
proper results were obtained.

Timing of Tests of Controls

Factors to consider:

✓ Result of interim tests;
✓ Length of the remaining period; and
✓ Whether changes have occurred in the accounting and internal control
systems during the remaining period.

Extent of Test of Control

Since the auditor cannot examine all transactions related to certain control
procedures, he should determine a sufficient sample size to support the assessed
level of control risk.

Using the Results of Tests of Control

Based on the results of the tests of control, the auditor should evaluate
whether the internal controls are designed and operating as intended. The
conclusion reached as a result of this evaluation is called the assessed level of
control risk, which is used (together with the assessed level of inherent risk) to
determine the acceptable level of detection risk. There is an inverse relationship
between detection risk and the combined level of inherent and control risks. For
example, if the combined assessed level of inherent and control risk is high,
detection risk needs to be low to reduce audit risk to an acceptably low level. In this
regard, the auditor may consider modifying:

• The nature of substantive tests from less effective to more effective
procedures;
• The timing of substantive tests by performing them at year-end rather than
at interim; or
• The extent of substantive tests from smaller to larger sample size.

Operating Effectiveness vs. Implementation

Testing the operating effectiveness of controls is different from obtaining
audit evidence that controls have been implemented. When obtaining audit
evidence of implementation by performing risk assessment procedures, the
auditor determines that the relevant controls exist and that the entity is using them.
When performing tests of the operating effectiveness of control, the auditor obtains
audit evidence that controls operate effectively. This includes obtaining audit
evidence about how controls were applied at relevant times during the period
under audit, the consistency with which they were applied, and by whom or by what
means they were applied.

Documenting the Assessed Level of Control Risk

After evaluating the results of tests of control and assessing the control risk,
the auditor should document his assessment of control risk.

If the control risk is assessed at a high level, the auditor should document his
conclusion that control risk is at a high level.

If the control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high and the basis for that
assessment. This basis is actually the results of tests of control. Hence, the auditor
cannot assess control risk at less than high level without performing tests of control:

                                        Control Risk at    Control Risk at
                                        High Level         Less than High Level
1. Understanding of Internal Control    Required           Required
2. Conclusion                           Required           Required
3. Basis for the Conclusion             Required           Not Required

Communication of Significant Deficiencies in Internal Control

As a result of the auditor’s consideration of the accounting and internal
control systems, the auditor may become aware of significant deficiencies in the
entity’s internal control systems. In this regard, the auditor is required to report to
the appropriate level of management and those charged with governance any
significant deficiencies in the internal control systems, which have come to the
auditor’s attention. This communication should be in writing and can be done
either before or after the auditor’s report on the financial statements is issued.
Regardless of the timing of the written communication of significant deficiencies,
the auditor may communicate these orally in the first instance to management
and, when appropriate, to those charged with governance to assist them in taking
timely remedial action to minimize the risks of material misstatement. Doing so,
however, does not relieve the auditor of the responsibility to communicate the
significant deficiencies in writing.

It is to be emphasized that auditors are not required to search for and/or
identify internal control deficiencies. The auditors must, however, communicate
significant deficiencies in internal control to the client when they come to their
attention during the course of the audit. These internal control deficiencies,
together with other matters of concern, are ordinarily communicated to the client
in a formal report called a management letter.

Source: Auditing Theory: A Guide in Understanding the Philippine Standards on Auditing, 2021 Edition
Authors: Jekell G. Salosagcol, CPA; Michael F. Tiu, CPA; Roel Hermosilla, CPA, MBA, LLB

Source: Auditing and Assurance Principles, 2021 Edition
Authors: Raymund Francis Escala, CPA, MBA; Rein Ronald Bercasio, CPA; Jamil Carandang, CPA, MBA
