
9. Internal Controls Considerations


References:
a. PSA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement
b. PSA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management
The Entity’s Internal Control
Internal control is the process designed, implemented and maintained by those charged with
governance (TCWG), management and other personnel to address risks that are present between
the entity and the accomplishment of its objectives. Its purpose is to address identified business risks
that threaten the achievement of the entity’s objectives about:
• the reliability of the entity’s financial reporting (auditor’s primary concern);
• the effectiveness and efficiency of its operations (including safeguarding of assets); and
• its compliance with applicable laws and regulations.

Internal control structure varies with an entity’s size and complexity. Smaller entities may use less
structured means and simpler processes and procedures.

An understanding of internal control assists the auditor in identifying types of potential misstatements
and factors that affect the risk of material misstatement (ROMM), and in designing the nature, timing,
and extent of further audit procedures (test of controls and substantive procedures).

Components of Internal Control


The following are the five components of an effective internal control (CRIME):
1. Control Environment
2. Risk assessment process
3. Information system and communication
4. Control activities
5. Monitoring

Control Environment
Control environment is the governance and management functions and the attitudes, awareness, and
actions of TCWG and management concerning the entity’s internal control and its importance in the
entity. It is the foundation of internal control as it sets the tone of an organization that influences the
control consciousness of its people.
The seven elements of the control environment are (CHAMPOI):
1. Communication and enforcement of Integrity and ethical values
2. Commitment to Competence
3. Human resource policies and practices
4. Assignment of authority and responsibility
5. Management's philosophy and operating style
6. Participation of those charged with governance
7. Organizational structure

The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
1. Management, with the oversight of TCWG, has created and maintained a culture of honesty and
ethical behavior; and
2. The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control, and whether those other components are not
undermined by control environment weaknesses.
Relevant audit evidence may be obtained through a combination of inquiries and other risk
assessment procedures such as corroborating inquiries through observation or inspection of
documents. For example, through inquiries of management and employees, the auditor may obtain
an understanding of how management communicates to employees its views on business practices
and ethical behavior, and may consider whether management has a written code of conduct and
whether it acts in a manner that supports the code.
Risk Assessment Process
The entity’s risk assessment process refers to the entity’s process for identifying business risks
relevant to financial reporting objectives and deciding about actions to address those risks, and the
results thereof. If that process is appropriate to the circumstances, including the nature, size and
complexity of the entity, it assists the auditor in identifying ROMM. Whether the entity’s risk
assessment process is appropriate is a matter of judgment.
The auditor shall obtain an understanding of whether the entity has a process for (IDEA):
1. Identifying business risks relevant to financial reporting objectives;
2. Estimating the significance of the risks;
3. Assessing the likelihood of their occurrence; and
4. Deciding about actions to address those risks.

Information System and Communication


Information and communication relates to the identification, capture, and exchange of information that
enables individuals to carry out their responsibilities. It includes the information system and
communication relevant to the financial reporting system, which consists of the procedures and records
established to initiate, record, process and report entity transactions (as well as events and
conditions) and to maintain accountability for the related assets, liabilities and equity.
Information system and communication consists of infrastructure (physical and hardware
components), software, people, procedures, and data.
The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting, including:
1. Communications between management and TCWG; and
2. External communications, such as those with regulatory authorities.

Control Activities
Control activities are policies and procedures of the entity that help ensure that management
directives are carried out.
Examples of control activities include policies and procedures on (PIPS):
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
The auditor shall obtain an understanding of control activities relevant to the audit.

Control activities that are relevant to the audit are:


• Those that are required to be treated as such, being control activities that relate to significant risks
and those that relate to risks for which substantive procedures alone do not provide sufficient
appropriate audit evidence; or
• Those that are considered to be relevant in the judgment of the auditor, being those necessary in
order to assess the ROMM at the assertion level and design further audit procedures responsive to
assessed risks

Risks arising from, and control activities, in information technology (IT)


In understanding the entity’s control activities, the auditor shall obtain an understanding of how the
entity has responded to risks arising from IT. This topic will be discussed separately in “Auditing in a
computerized information system (CIS) environment.”

Monitoring
Monitoring is a process that assesses the effectiveness of internal control performance over time. It
includes assessing the design and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.

The types of monitoring activities are:


• ongoing monitoring activities - often built into the normal recurring activities (e.g., sales and
purchases) of an entity and include regular management and supervisory activities.
• separate evaluations - often performed by internal auditors or company employees and provide
feedback on the effectiveness of other internal control processes.
• a combination of the two above.
Internal auditing is often considered a highly effective monitoring control. Monitoring activities may
also be performed by external parties (e.g., customers implicitly corroborate billing data by paying
invoices). The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to those control activities
relevant to the audit, and how the entity initiates corrective actions to its controls.

Inter-relationship of Components of Internal Control


Internal control consists of five interrelated components designed to work together as a process in
order to address the entity’s business risks and help it accomplish its objectives.

Inherent Limitations of Internal Control


Internal control can only provide reasonable assurance that the entity’s objectives are met because of
the following inherent limitations:
• Cost-benefit considerations
• Human errors or mistakes
• Management override or circumvention
• Collusion among employees or outside parties

Understanding Entity’s Internal Controls Through Transaction Cycles


Transaction cycles refer to certain business processes, or segments into which related transactions
can be conveniently grouped and for which specific accounting procedures and control activities are
established by an entity's management.
Typical transaction cycles for a trading or manufacturing company are:
• Revenue and receipt cycle
• Purchasing and disbursement cycle
• Payroll and personnel cycle
• Production or conversion (Inventory and warehousing) cycle
• Investing and financing cycle
Collectively these cycles have no beginning or end except at the origin and final disposition of an
entity.

Relevant Controls: Nature and Extent of the Auditor’s Understanding


The auditor shall obtain an understanding of internal control relevant to the audit; not all controls that
relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional
judgment whether a control is relevant to the audit.
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate
the design of those controls and determine whether they have been implemented, by performing
procedures in addition to inquiry of the entity’s personnel.
Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements. Implementation of a control means that the control exists and that the entity
is using it. There is little point in assessing the implementation of a control that is not effective, and so
the design of a control is considered first.
An improperly designed control may represent a material weakness (to be discussed at the end part
of the lecture notes) in the entity’s internal control.

Procedures to Obtain Understanding of Internal Controls


Risk assessment procedures to obtain audit evidence about the design and implementation (D&I) of
relevant controls may include:
• Inquiring of entity personnel
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting. (Walkthrough
procedure)
Inquiry alone, however, is not sufficient for such purposes. Evaluating the design of a control involves
considering whether the control is capable of effectively preventing, or detecting and correcting,
material misstatements. Implementation of a control means that the control exists and that the entity
is using it. There is little point in assessing the implementation of a control that is not effective, and so
the design of a control is considered first.
An improperly designed control may represent a material weakness in the entity’s internal control.
Obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness
(which is determined through test of controls), unless there is some automation that provides for the
consistent operation of the controls.

Documentation
The auditor shall document the key elements of each of the internal control components, including the
sources of information from which the understanding was obtained.
The auditor may document its understanding through any one or a combination of the following techniques:
1. Internal Control Questionnaires (ICQ) – An ICQ asks a series of questions about the controls in
each audit area as a means of identifying internal control deficiencies. Most questionnaires require a
“yes” or a “no” response, with “no” responses indicating potential internal control deficiencies.
2. Narratives/Memoranda – A narrative is a written description of a client’s internal controls.
3. Flowcharts – An internal control flowchart is a diagram of the client’s documents and their
sequential flow in the organization.

Performing a Transaction Walkthrough Test


A walkthrough test involves tracing a few transactions through the financial reporting system. This test
is normally done after the auditor has initially documented its understanding of the transaction cycles
and significant business processes. It should be done every year.
The auditor shall perform walkthroughs to achieve the following objectives:
• Confirm understanding, as identified during process documentation, of the flow of significant
classes of transactions within significant processes or sources and preparation of information
resulting in significant disclosures, including how these transactions are initiated, authorized,
recorded, processed and reported; and
• Verify the identified “what can go wrongs” (WCGWs) that have the potential to materially affect
relevant financial statement assertions related to significant accounts and disclosures within each
significant class of transactions.

Documentation Methods: Advantages and Disadvantages

Method: ICQ
Advantages:
• Easy to complete
• Comprehensive list of questions make it unlikely that important portions of internal control will be
overlooked
• Weaknesses become obvious (generally those questions answered with a “no”)
Disadvantages:
• May be answered without adequate thought being given to questions
• Questions may not “fit” client adequately

Method: Narratives (Memo.)
Advantages:
• Tailor-made for engagement
• Requires a detailed analysis and thus forces auditor to understand functioning of structure
Disadvantages:
• May become very long and time consuming
• Weaknesses in structure not always obvious
• Auditor may overlook important portions of internal control

Method: Flowchart
Advantages:
• Graphic representation of structure
• Usually makes it unlikely that important portions of internal control will be over-looked
• Good for electronic systems
• No long wording (as in case of memoranda)
Disadvantages:
• Preparation is time consuming
• Weaknesses in structure not always obvious (especially to inexperienced auditor)

Deficiencies in Internal Control


The auditor shall determine whether, on the basis of the audit work performed, the auditor has
identified one or more deficiencies in internal control.
Deficiency in internal control exists when:
1. A control is designed, implemented or operated in such a way that it is unable to prevent, or detect
and correct, misstatements in the financial statements on a timely basis; or
2. A control necessary to prevent, or detect and correct, misstatements in the financial statements on
a timely basis is missing.
A deficiency in design exists when (a) a control necessary to meet the control objective is missing or
(b) an existing control is not properly designed so that, even if the control operates as designed, the
control objective would not be met. A deficiency in operation exists when a properly designed control
does not operate as designed, or when the person performing the control does not possess the
necessary authority or competence to perform the control effectively.

If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on
the basis of the audit work performed, whether, individually or in combination, they constitute
significant deficiencies.
Significant deficiency in internal control refers to a deficiency or combination of deficiencies in internal
control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of
those charged with governance.
Significant deficiency is less severe than a material weakness.
The auditor shall evaluate whether, on the basis of the audit work performed, the auditor has
identified a material weakness in the design, implementation or maintenance of internal control.

Material weakness in internal control is a deficiency, or a combination of deficiencies, in internal control
over financial reporting, such that there is a reasonable possibility that a material misstatement of the
company’s annual or interim financial statements will not be prevented or detected on a timely basis.
In other words, if a deficiency in an internal control is thought to be a material weakness, this means
that it could lead to a material misstatement in a company's financial statements.

The types of material weaknesses in internal control that the auditor may identify when obtaining an
understanding of the entity and its internal controls may include:
• ROMM that the auditor identifies and which the entity has not controlled, or for which the relevant
control is inadequate.
• A weakness in the entity’s risk assessment process that the auditor identifies as material, or the
absence of a risk assessment process in those cases where it would be appropriate for one to have
been established.
The auditor shall communicate significant deficiencies and material weaknesses in internal control in
writing (e.g., management letter, the “by-product” of audit) identified during the audit on a timely basis
to management at an appropriate level of responsibility and with those charged with governance.

Internal Control in Smaller Entities


Smaller entities may use less structured means and simpler processes and procedures.
In smaller entities, there are often few employees because of resource constraints, which may limit
the extent to which:
• Segregation of duties is practicable; and
• An appropriate paper trail of documentation is available.
Internal control in such entities often derives from the control environment (management’s
commitment to ethical values, competence, attitude toward control, and its day-to-day actions) as
opposed to specific controls over transactions. Evaluating the control environment is quite different
from traditional control activities, as it involves an assessment of the behavior, attitudes, competence,
and actions of management.
The owner-manager may perform functions that address several of the components of internal
control. The presence of a highly involved owner-manager is often an internal control strength and a
control weakness. The control strength is that the person (assuming his/her competence) will be
knowledgeable about all aspects of operations, and it is highly unlikely that material misstatements
will be missed. The control weakness is the opportunity provided for that person to override the
internal control for his/her own benefit.

Deficiency, Severity, and Communication to Mgt. & TCWG

Deficiency: Control deficiency
• Severity: Not allow, in the normal course of functions, to prevent or detect and correct
misstatements on a timely basis.
• Communication to Mgt. & TCWG? Only if it merits their attention.

Deficiency: Significant deficiency
• Severity: Less severe than a material weakness.
• Communication to Mgt. & TCWG? Yes

Deficiency: Material Weakness
• Severity: A reasonable possibility that a material misstatement will not be prevented, or detected and
corrected on a timely basis.
• Communication to Mgt. & TCWG? Yes

Summary of Internal Control Components and The Auditor’s Required Understanding to Plan the Audit

Component: Overall Internal Control for Financial Reporting
Summary of Components:
Objective is to prepare financial statements for external purposes that are fairly presented in
conformity with GAAP (or another comprehensive basis)
Required Understanding to Plan Audit:
Obtain knowledge about design and whether controls have been implemented; the understanding
should be adequate to allow the auditor to
1) Identify types of potential misstatements
2) Consider factors affecting risk of material misstatements
3) Design effective substantive tests

Component: Control Environment
Summary of Components:
Factors
• Integrity and ethical values
• Commitment to competence
• Human resource policies and practices
• Assignment of authority and responsibility
• Management’s philosophy and operating style
• Participation by those charged with governance
• Organizational structure
Required Understanding to Plan Audit:
Obtain sufficient knowledge to understand management and board of directors
1) Attitudes
2) Awareness
3) Actions

Component: Risk Assessment
Summary of Components:
The identification, analysis, and management of risks relevant to the preparation of financial
statements following GAAP
Required Understanding to Plan Audit:
Obtain understanding of how management
1) Identifies risks
2) Estimates the significance of the risks
3) Assesses the likelihood of occurrence

Component: Control Activities
Summary of Components:
Policies and procedures that pertain to
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
Required Understanding to Plan Audit:
Obtain additional understanding as necessary to plan the audit. Ordinarily, an understanding of
control activities related to each account or to every assertion is not necessary.

Component: Information and Communication
Summary of Components:
Methods to record, process, summarize, and report transactions, which include
• Identify and record all valid transactions
• Describe on a timely basis
• Measure the value properly
• Record in the proper time period
• Properly present and disclose
• Communicate responsibilities to employees
Required Understanding to Plan Audit:
Obtain understanding of
1) Major transaction classes
2) How transactions are initiated
3) Available accounting records and support
4) Manner of processing of transactions
5) Financial reporting process used to prepare financial statements
6) Means the entity uses to communicate financial reporting roles and responsibilities

Component: Monitoring
Summary of Components:
Methods to consider whether controls are operating as intended
Required Understanding to Plan Audit:
Obtain sufficient understanding of major types of monitoring activities
