CONSIDERATION OF INTERNAL CONTROL

ASSESSING CONTROL RISK

- process of evaluating the design and operating effectiveness of an entity’s internal control

INTERNAL CONTROL
- process designed and effected by those charged with governance, management, and other
personnel
- provide reasonable assurance about the achievement of the entity's objectives

FOUR ESSENTIAL CONCEPTS

1. Internal control is a process
- means of achieving the entity's objectives
2. Internal control is effected by those charged with governance, management, and other
personnel
- Responsibility of the management to ESTABLISH A CONTROL ENVIRONMENT and MAINTAIN
POLICIES AND PROCEDURES to assist in achieving the entity's objectives.
3. Internal control can be expected to provide reasonable assurance of achieving the entity’s
objectives
- there are INHERENT LIMITATIONS that may affect the internal control's effectiveness
 cost of an internal control should not exceed the expected benefits to be derived
 directed at routine transactions rather than non-routine transactions
 potential for human error
 possibility of circumvention of internal controls through the collusion among employees
 possibility of management overriding the internal control
 possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures may deteriorate
4. Internal control is designed to help achieve the entity’s objectives
 Operational Objective - EFFECTIVENESS AND EFFICIENCY OF OPERATIONS
 Compliance Objective - COMPLIANCE WITH LAWS AND REGULATIONS
  Financial Reporting Objective - RELIABILITY OF FINANCIAL REPORTING (most relevant
to audit)

COMPONENTS OF INTERNAL CONTROL

1. CONTROL ENVIRONMENT
- attitudes, awareness, and actions of management and those charged with governance
concerning the entity's internal control and its importance in the entity.
- influencing the control consciousness of its people
- foundation for effective internal control, providing discipline and structure

FACTORS REFLECTED IN THE CONTROL ENVIRONMENT:

 Integrity and ethical values
 Management philosophy and operating style
 assess the management attitudes towards financial reporting and their emphasis on
meeting projected profit goals
 Active participation of those charged with governance
 Must have an audit committee which will be responsible for overseeing the financial
reporting policies and practices of the entity
 Commitment to competence
 Consider the level of competence required for each task and translate it to requisite
knowledge and skills
 Personnel policies and procedures
 Assignment of responsibility and authority/Organizational structure
 provides a framework for planning, directing, and controlling the entity's operations

2. RISK ASSESSMENT
- BUSINESS RISK is the risk that the entity's business objectives will not be attained as a result of
internal and external factors such as technological developments, changes in customers demand
and other economic changes.
- For audit purposes, the auditor is concerned only with those risks that are relevant to the
preparation of reliable financial statements.

3. INFORMATION AND COMMUNICATION SYSTEMS

Effective internal control must provide timely information and communication.
 Identify and record all valid transactions
 Describe on a timely basis the transactions
 Measure the value of transactions
 Determine the time period in which transactions occurred
  Present properly the transactions and related disclosure in the financial statements
- COMMUNICATION involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting.
 Can be made electronically, verbally, and through the actions of
management
 Can take such forms as policy manuals, accounting, and financial
reporting manuals, and memoranda

4. CONTROL ACTIVITIES
- are the policies and procedures that help ensure that management directives are carries out.

Specific control procedures that are relevant to financial statement audit would include:
 Performance reviews
- Include reviews and analyses of actual performance versus budgets, forecasts, and prior period
performance
 Information processing
- A variety of controls are performed to check accuracy, completeness, and authorization of
transactions.
 Physical Controls
- encompass the physical security of assets, including adequate safeguards
 Segregation of duties
- assigning different people different responsibilities to reduce the opportunities to allow any
person to be in a position to both perpetrate and conceal errors or fraud in the normal course of
the person's duties

5. MONITORING
- is a process of assessing the quality of internal control performance over time.
- involves assessing the design and operation of controls on a timely basis and taking necessary
corrective actions.
- ONGOING MONITORING activities are built into the normal recurring activities of an entity
- SEPARATE EVALUATIONS are monitoring activities that are performed on a non-routine basis,
such as functions performed by internal auditors

CONSIDERATION OF INTERNAL CONTROL

- Auditors are not responsible for establishing and maintaining an entity's accounting and internal
control systems; THAT IS THE RESPONSIBILITY OF THE ENTITY'S MANAGEMENT.

Consideration of the entity’s internal control systems involves the following steps:

1. UNDERSTANDING OF THE INTERNAL CONTROL

- Involves evaluating the design of a control and determining whether it has been implemented
 - EVALUATING THE DESIGN OF A CONTROL involves considering whether the control, individually
or in combination with other controls, is capable of effectively preventing, or detecting and
correcting, material misstatements.

Understanding the design of the entity involves:

 INQUIRIES of appropriate individuals

 INSPECTING documents and records
 OBSERVING of entity's activities and operations

Determining whether these controls have been implemented is accomplished through:

 WALK-THROUGH TEST involves tracing one or two transactions through the entire accounting
systems, from their initial recording at source to their final destination...
 Also confirms the auditor’s understanding of how the accounting systems and control
procedure’s function

It is to be emphasized that the auditor is not required to obtain knowledge about the operating
effectiveness of the internal control when obtaining an understanding of the entity’s internal control
system.

The auditor uses the understanding of internal control to:

 Identify the types of potential misstatements that can occur

 Consider factors that affect the risk of material misstatements
 Design the nature, timing, and extent audit procedures to be performed

2. DOCUMENTING THE AUDITOR’S UNDERSTANDING OF INTERNAL CONTROL

Subsequent to obtaining sufficient knowledge about the design and implementation of the
internal control, the auditor is required to document his understanding of accounting and
internal control systems.
- Documentation need not be in any particular form
 Narrative description
 Flowcharts
 Internal control questionnaire

3. ASSESSMENT OF CONTROL RISK

After documentation, the auditor should make a preliminary assessment of control risk, at the
assertion level, for each material account balance or class transactions.
The auditor’s preliminary assessment of control risk may be at a high level (100%) or less than
high level.
 internal control related to a particular assertion are not effective = control risk at a
HIGH LEVEL - no test of controls need to be performed and the auditor will rely primarily
on substantive tests
  appear to be reliable = auditor should determine whether it is efficient to obtain the
evidence to justify an assessment of control risk at a LOWER LEVEL
 concludes that it is more efficient to rely on the entity's internal control systems =
auditor would plan to assess control risk at LESS THAN HIGH LEVEL
 identify specific internal control policies or procedures that likely corrects
material misstatements
 perform tests of control to determine the effectiveness of such policies or
procedures

4. PERFORMING TESTS OF CONTROLS

This is performed to obtain evidence about the effectiveness of the:

- Design of the accounting and internal control systems

- Operation of the internal controls throughout the period

The auditor will only test those controls that he or she plans to rely upon.

According to PSA, the auditor should obtain audit evidence through tests of control to support any
assessment of control risk at less than high level.

NATURE OF TESTS OF CONTROL

INQUIRY
- Searching for the appropriate information about the effectiveness of internal control from
knowledgeable persons inside or outside the entity.

OBSERVATION
- Looking at the process being performed by others

INSPECTION
- Examination of documents and records to provide evidence of reliability

REPERFORMANCE
- Repeating the activity performed by the client to determine whether proper results were
obtained

Obtaining understanding of the entity’s internal control system and assessing control risks are often done
simultaneously.