Professional Documents
Culture Documents
ATMAH 2nd Handout Auditing
ATMAH 2nd Handout Auditing
PSA 315 defines internal control as the process designed and effected by
those charged with governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity's objectives with regard
to reliability of financial reporting, effectiveness, and efficiency of operations and
compliance with applicable laws and regulations.
✓ Control Environment;
✓ Risk Assessment;
✓ Information and communication systems;
✓ Control activities; and
✓ Monitoring
Control Environment
The entity must have an audit committee which will be responsible for
overseeing the financial reporting policies and practices of the entity.
4. Commitment to Competence
The entity should consider the level of competence required for each task
and translate this to requisite knowledge and skills.
5. Personnel Policies and Procedures
Risk Assessment
Business risk - the risk that the entity’s business objectives will not be
attained as a result of internal and external factors (e.g. technological
developments, changes in customers demand, etc.)
Control Activities
These are policies and procedures that help ensure the management directives
are carried out. The specific control procedures that are relevant to financial
statement audit include:
1. Performance Reviews
2. Information Processing
3. Physical Controls
4. Segregation of Duties
Monitoring
Ongoing monitoring - built into the normal recurring activities of an entity and
includes regular management and supervisory activities.
o Narrative descriptions
o Flowchart
o Internal Control Questionnaires (ICQ)
➢ Assessment of Control Risk
o Auditor will now make a preliminary assessment of control risk. It can
be at a high level (100%) or less than high level.
o If the auditor believes that the internal control is not effective, the
assessed control risk is at a high level. Hence, no test is needed if the
auditor believes that it is effective.
o If the auditor believes that the internal control is reliable, the auditor
should determine whether it is efficient to obtain the evidence to
justify the assessment of control risk at a low level.
➢ Performing Test of Controls
o Irrespective of how effective the internal control is, the auditor needs
to perform a test of controls. It is used to obtain evidence about the
design and operation of the internal control.
o Nature of Tests of Control
- Inquiry
❖ Searching for the appropriate information about the
effectiveness of internal control.
- Observation
❖ Looking at the process being performed by others.
- Inspection
❖ Examination of documents and records to provide
evidence of reliability depending on their nature and
source.
- Reperformance
❖ Repeating the activity performed by the client to
determine whether proper results were obtained.
o Timing of Tests of Controls
- It can be performed during an interim visit in advance or period.
However, auditors shall still perform tests of controls for the
remaining period.
oExtent of Tests of Controls
- Determining the sample size that is sufficient to support the
assessed level of control risk.
o Using the results of Tests of Controls
- The conclusion reached is called the assessed level of control
risk.
- There is an inverse relationship between detection risk and
combined inherent risk and control risk.
➢ Documenting the Assessed Level of Control Risk
Performing Tests of Controls
Tests of controls are performed to obtain evidence about the effectiveness of the:
It is important to note that the auditor will only test the operating effectiveness
of controls that are likely to detect or prevent material misstatements. nut is, the
auditor only tests those controls that he or she plans to rely upon.
According to PSA, the auditor should obtain audit evidence through tests of
control to support any assessment of control risk at less than high level. The lower
the assessment of control risk, the more support the auditor should obtain that the
internal control is suitably designed and operating effectively. Thus, the greater the
reliance the auditor plans to place on internal control, the more extensive the tests
of those controls that need to be performed.
I Inquiry - searching for the appropriate information about the effectiveness of internal
control from knowledgeable persons inside or outside the entity,
Factors to consider:
Since the auditor cannot examine all transactions related to certain control
procedures, he should determine a sufficient sample size to support the assessed
level of control risk.
Based on the results of the tests of control, the auditor should evaluate
whether the internal controls are designed and operating as intended. The
conclusion reached as a result of this evaluation is called the assessed level of
control risk (together with the assessed level of inherent risk) to determine the
acceptable level of detection risk. There is an inverse relationship between
detection risk and the combined level of inherent and control risks. For example, if
the combined assessed level of inherent and control risk is high, detention risk
needs to be low to reduce audit risk to an acceptably low level. In this regard, the
auditor may consider modifying:
After evaluating the results of tests of control and assessing the control risk,
the auditor should document his assessment of control risk.
If the control risk is assessed at a high level, the auditor should document his
conclusion that control risk is at a high level.
If the control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high and the basis for that
assessment. This basis is actually the results of tests of control. Hence, the auditor
cannot assess control risk at less than high level without performing tests of control:
Source Authors