
 Assessing control risk – evaluation of how internal control prevents or detects material misstatements in the fs
 Assessed level of control risk
o Conclusion reached as a result of the assessment
 Internal control
o Process
o Effected by those charged w governance, management, and other personnel
o Provides reasonable assurance of achieving the entity’s objective
o Designed to help achieve the entity’s objective
 Process-
o a means of achieving the objective
 effected by those charged w governance, mgmt. and other personnel
o management
 control environment
 maintain policies and procedures to achieve objectives
o charged w governance
 integrity of accounting and financial reporting system thru oversight of mgmt.
o staff personnel
 perform respective function
 provide reasonable assurance of achieving the entity’s objective bcs
 cost-benefit principle
 directed at routine transaction
 error in human judgement
 circumvention (collusion among employees)
 management override
 procedures becoming inadequate
 changes in condition
 compliance may deteriorate
 obsolete
 designed to help achieve the entity’s objective
o operational objective
o compliance objective
o financial reporting objective
 main concern of fs audit
 components of internal control
o control environment
o risk assessment
o information and communication system
o control activities
o monitoring
 control environment
o attitude, awareness, actions towards internal control and its importance
o sets the tone
o foundation for effective internal control
o IMACPA
 integrity and ethical values
 mgmt. philosophy and operating style
 active participation of those charged w governance
 commitment to competence
 personnel policies and procedures
 assignment of responsibility and authority/organizational structure
 Risk assessment
o Business risk
 Is the risk that the business objectives will not be attained bc of internal and
external factors
o Policies and procedures designed to identify and analyze the risks and take appropriate
actions to manage the said risks
 Information and communication system
o Communication
 Providing an understanding of individual roles and responsibilities pertaining to
internal control over fin rep
 Can be electronically, verbally, thru the actions of mgmt.
 Control activities
o Policies and procedures that help ensure that mgmt. directives are carried out
o PIPS
 Performance reviews
 Information processing
 Physical controls
 Segregation of duties
o Performance review
 Review and analysis
o Information processing
 Checks accuracy, completeness, and authorization
 Computer processing: general and application control
o Physical control
 Physical security of asset
 Secured facilities
 Authorization for access
 Periodic counting and comparison
o Segregation of duties
 Authorizing
 Recording
 Maintaining
 Monitoring
o To assess the quality of internal control performance
o Done to ensure that IC is operating effectively
o Accomplished thru: -ongoing -separate -combined
 Ongoing monitoring
 Built into normal recurring activities of an entity
 Regular mgmt. and supervisory activities
 Ex. preparation of bank recon
 Separate
 Non-routine basis
 Performed by internal auditors
 Internal control for small businesses
o Difficulty of segregating duties or having a sep internal audit dept
o Weak, compensated if owner/manager participates
 Consideration of internal control
o ODATD
 Obtaining understanding of internal control
 Documenting the understanding of accounting and internal control system
 Assessing the level of control risk
 Performing tests of control
 Documenting the assessed level of control risks
o Understanding Internal Control
 Design and Implementation
 This stage does not consider the efficiency & effectiveness
 DESIGN
 Can prevent or detect and correct MM
 Thru
o Inquiry
o Inspection
o observation
 Implementation
 Whether control exists and is placed in operation
 Walk-through test
 Sufficient understanding to
 Identify potential misstatements
 Consider factors that affect the risk of MM
 Design audit proc to be performed
o Documenting the understanding
 Required
 No particular form and extent varies (size & complexity of entity || nature of IC)
 Ex of forms
 Narrative
 Flowchart
 Questionnaire
o Assessment of CR
 Preliminary Assessment of CR at the assertion level
 High CR
 Ineffective IC
 No test of control
 Less than high CR
 IC is reliable
 Determine if efficient to obtain evidence to assess CR at less than high
o If efficient:
 Less than high
 Identify policies and procedures that can P/D & C MM
 TOC is necessary
 Test of control
 Obtains evidence abt the EFFECTIVENESS of
o Design of Acc and IC system
o Operation of the IC throughout the period
 Will only test those controls that the auditor plans to rely on
 The greater the reliance, the more extensive TOC should be
 Nature of TOC
 Inquiry
 Observation
 Inspection
 Reperformance
 Note:
o for controls w no audit trail: inquire and observe
o obtaining understanding of IC and assessing CR are often done
simultaneously
 Timing
 Usually at interim
o However auditors obtain evidence for the rem period by
 Performing TOC for the rem period
 Review whether there are changes that affect IC
o In determining whether to test the rem period
 Results of the interim test
 Length of the rem period
 Whether changes occurred
 Extent
 Determine sample size sufficient to support assessed level of CR
 Results of the TOC
 Evaluate whether IC is designed and operating as intended
 Conclusion based on this evaluation is the ASSESSED LEVEL OF CR
 Operating effectiveness and implementation
 Implementation
o Thru risk assessment procedure (understanding)
 Whether controls exist and if the entity used them
 Operating effectiveness
o Thru TOC
 Test effectiveness
o How controls were applied
o Consistency
o By whom, by what means
o Documenting the assessed level of CR
 At high level
 Understanding of IC
 Conclusion
 At less than high
 Understanding of IC
 Conclusion
 Basis (result of TOC)
o Auditor cannot assess at less than high w/o TOC
 Communication of significant deficiency
o Required to report to the app level of mgmt. and those charged w gov
o Should be in writing
o Can be done before or after issuance of audit report
o May be communicated orally but still should be in writing later on
o Auditors not required to identify deficiencies, but if one is incidentally identified, must
communicate it
o Communicated thru a management letter