
Chapter 16

System of Internal Control

© Peter T. Y. Lau and Nelson C. Y. Lam


© Pilot Publishing Co. Ltd. 2021 Auditing and Assurance in Hong Kong
Agenda
1. Introduction
2. Risk Assessment and Understanding a System of Internal Control
3. Characteristics of a System of Internal Control
4. Components of a System of Internal Control
5. Understanding an Entity’s System of Internal Control
6. Control Environment
7. The Entity’s Risk Assessment Process
8. The Entity’s Process to Monitor the System of Internal Control
9. The Information System and Communication
10. Control Activities
11. Control Deficiencies
12. Documentation

1. Introduction
[Figure: The audit process and where this chapter fits. Stages shown:
preliminary engagement activities; planning activities; designing and
performing risk assessment procedures; identifying and assessing risks of
material misstatement; designing and implementing auditor’s responses to
assessed risks; overall reviewing; drawing audit conclusions and reporting.
Understanding the entity means obtaining an understanding of the entity’s
system of internal control (Chapter 16, this chapter), the entity and its
environment (Chapter 15) and the applicable financial reporting framework
(Chapter 15).]

2. Risk Assessment and Understanding a System of Internal Control

• HKSA 315 requires an auditor to design and perform risk
assessment procedures to obtain an understanding of the
entity, i.e. an understanding of the entity and its environment,
the applicable financial reporting framework and the
entity’s system of internal control.
• The understanding of the entity’s system of internal control,
together with the other understandings, is in turn to assist the
auditor in:
a. The identification and assessment of risks of material
misstatement, whether due to fraud or error, at the financial
statement and assertion levels (see Chapter 17); and
b. The design of further audit procedures (see Chapter 20).

[Figure: Designing and performing risk assessment procedures means
understanding the entity, i.e. obtaining an understanding of the entity’s
system of internal control, the entity and its environment, and the
applicable financial reporting framework. “Control deficiencies” is shown
beneath the system of internal control and “Inherent risk factors” beneath
the entity and its environment and the applicable financial reporting
framework. Both lead to identifying and assessing risks of material
misstatement.]

3. Characteristics of a System of Internal Control
• System of internal control is defined as:
➢ The system designed, implemented and maintained by those
charged with governance, management and other personnel to
provide reasonable assurance about the achievement of an entity’s
objectives with regard to
– reliability of financial reporting,
– effectiveness and efficiency of operations, and
– compliance with applicable laws and regulations.
➢ For the purposes of the HKSAs, the system of internal control
consists of five inter-related components
• The entity’s system of internal control may be reflected in
policy and procedures manuals, systems and forms, and
the information embedded therein, and is effected by
people.
4. Components of a System of Internal Control
• For the purposes of the HKSAs, an entity’s system of
internal control consists of 5 inter-related components,
including:
a. Control environment;
b. The entity’s risk assessment process;
c. The entity’s process to monitor the
system of internal control;
d. The information system and
communication; and
e. Control activities.

• HKSA 315 has also defined “controls” (the policies or procedures)
and explained that controls are embedded within the components of
an entity’s system of internal control.
• Controls may be direct or indirect:
➢ Direct controls are controls that are precise enough to address
risks of material misstatement at the assertion level.
➢ Indirect controls are controls that support direct controls.
• HKSA 315 (Revised 2019) has changed the order of the
components of an entity’s system of internal control and
grouped the components that are similar in nature, i.e.
components that consist primarily of “indirect controls” are
presented first before the two components that consist
primarily of “direct controls”.
[Figure: Performing risk assessment procedures to obtain an understanding
of the entity covers (1) the entity’s system of internal control, (2) the
entity and its environment and (3) the applicable financial reporting
framework, with “Inherent risk factors” shown beneath (2) and (3). Within
the system of internal control, the indirect controls are (a) control
environment, (b) risk assessment process and (c) process to monitor the
system of internal control; the direct controls are (d) information system
and communication and (e) control activities. “Control deficiencies” is
shown beneath the controls.]

5. Understanding an Entity’s System of Internal Control
• In a financial statement audit, HKSA 315 requires an
auditor to obtain an understanding of:
a. The control environment relevant to the preparation of the
financial statements;
b. The entity’s risk assessment process relevant to the preparation
of the financial statements;
c. The entity’s process for monitoring the system of internal control
relevant to the preparation of the financial statements;
d. The entity’s information system and communication relevant to
the preparation of the financial statements; and
e. The control activities component of the entity.
• In addition to understanding the above 5 components,
HKSA 315 requires the auditor to evaluate them and
determine whether there are control deficiencies.
6. Control Environment

• For the control environment relevant to the preparation of the
financial statements, the auditor is required to understand
the set of controls, processes and structures that address:
i. How management’s oversight responsibilities are carried out,
such as the entity’s culture and management’s commitment to
integrity and ethical values;
ii. When those charged with governance are separate from
management, the independence of, and oversight over the entity’s
system of internal control by, those charged with governance;
iii. The entity’s assignment of authority and responsibility;
iv. How the entity attracts, develops, and retains competent
individuals; and
v. How the entity holds individuals accountable for their
responsibilities in the pursuit of the objectives of the system of
internal control.
• For the control environment relevant to the preparation of
the financial statements, the auditor is required to
evaluate whether:
i. Management, with the oversight of those charged with
governance, has created and maintained a culture of honesty
and ethical behavior;
ii. The control environment provides an appropriate foundation
for the other components of the entity’s system of internal
control considering the nature and complexity of the entity;
and
iii. Control deficiencies identified in the control environment
undermine the other components of the entity’s system of
internal control.

• The control environment:
➢ sets the tone of an organization, influencing the control
consciousness of its people, and provides the overall
foundation for the operation of the other components of
the entity’s system of internal control;
➢ provides an overall foundation for the operation of the
other components of the system of internal control; and
➢ does not directly prevent, or detect and correct,
misstatements.
• Such understanding and evaluations affect the
auditor’s identification and assessment of risks of
material misstatement at the financial statement
level.

How to understand?
➢ Through a combination of inquiries and other risk assessment
procedures (i.e. corroborating inquiries through observation or
inspection of documents).
➢ For example:
– Inquiring of management and employees about how management
communicates to employees its views on business practices and
ethical behavior
– Inspecting management’s written code of conduct and observing
whether management acts in a manner that supports that code.

7. The Entity’s Risk Assessment Process

• For the entity’s risk assessment process relevant to the
preparation of the financial statements, through performing
risk assessment procedures, the auditor is required to:
a. Understand the entity’s process for:
i. Identifying business risks relevant to financial reporting
objectives;
ii. Assessing the significance of those risks, including the
likelihood of their occurrence; and
iii. Addressing those risks; and
b. Evaluate whether the entity’s risk assessment process is
appropriate to the entity’s circumstances considering the nature
and complexity of the entity (e.g., where and how to respond to
those risks).

• Example 16.6: Risks can arise or change due to
circumstances, and some such circumstances include the
following:
➢ Changes in operating environment
➢ New personnel
➢ New or revamped information system
➢ Rapid growth
➢ New business products, models
➢ Expanded foreign operations

8. The Entity’s Process to Monitor the System of Internal Control
• For the entity’s process for monitoring the system of
internal control relevant to the preparation of the financial
statements, the auditor is required to:
a. Understand those aspects of the entity’s process that address:
i. Ongoing and separate evaluations for monitoring the
effectiveness of controls, and the identification and remediation
of control deficiencies identified; and
ii. The entity’s internal audit function, if any, including its nature,
responsibilities and activities (next);
b. Understand the sources (e.g. external) of the information used in
the entity’s process to monitor the system of internal control, and the
basis upon which management considers the information to be
sufficiently reliable for the purpose; and
c. Evaluate whether the entity’s process for monitoring the system of
internal control is appropriate to the entity’s circumstances
considering the nature and complexity of the entity (monitoring can be
ongoing or separate).
• Monitoring may consist of ongoing monitoring activities, separate
evaluations, or some combination of the two.
• Ongoing monitoring activities are often built into the normal recurring
activities of an entity and include regular management and supervisory
activities.
• Monitoring activity examples:
➢ Management’s review of whether bank reconciliations are being
prepared on a timely basis
➢ Internal auditors’ evaluation of sales personnel’s compliance with
the entity’s policies on terms of sales contracts
➢ Legal department’s oversight of compliance with the entity’s ethical
or business practice policies
• Understanding the entity’s internal audit function:
➢ Reviewing the internal audit function’s audit plan
➢ Discussing that plan with the appropriate individuals within the
function
9. The Information System and Communication
• For the entity’s information system and communication
relevant to the preparation of the financial statements, the
auditor is required to:
a. Understand the entity’s information processing activities,
including its data and information, the resources to be used in
such activities and the policies that define, for significant classes
of transactions, account balances and disclosures:
i. How information flows through the entity’s information system;
ii. The accounting records, specific accounts in the financial
statements and other supporting records relating to the flows
of information in the information system;
iii. The financial reporting process used to prepare the entity’s
financial statements, including disclosures; and
iv. The entity’s resources, including the information technology
environment, relevant to (a)(i) to (a)(iii) above;
b. Understand how the entity communicates significant matters that
support the preparation of the financial statements and related
reporting responsibilities in the information system and other
components of the system of internal control:
i. Between people within the entity, including how financial
reporting roles and responsibilities are communicated;
ii. Between management and those charged with governance;
and
iii. With external parties, such as those with regulatory authorities;
and

c. Evaluate whether the entity’s information system and
communication appropriately support the preparation of the
entity’s financial statements in accordance with the applicable
financial reporting framework.

• The controls in the information system and communication
and in control activities are the direct controls.
• They can prevent, detect or correct misstatements at the
assertion level.
• The auditor needs to know the characteristics of the information
system that are relevant to the preparation of the financial
statements (F/S):
➢ Initiate, record and process entity transactions
➢ Resolve incorrect processing of transactions
➢ Process and account for system overrides
➢ Capture and process information relevant to F/S other than
transactions (e.g. depreciation, changes in recoverability of assets)
➢ Disclosure
• Characteristics of communication
• How?
• Inquiries of relevant personnel
• Inspection of policy and process manuals
• Observation of the performance by entity’s personnel
• Selecting transactions and tracing them through the
applicable process in the information system (i.e.
performing a walk-through test)

10. Control Activities
• For control activities, the auditor is required to obtain an understanding of the control activities component by:
a. Identifying controls that address risks of material misstatement
at the assertion level in the control activities component as follows:
i. Controls that address a risk that is determined to be a
significant risk;
ii. Controls over journal entries (including non-standard
journals, unusual transactions or adjustments);
iii. Controls for which the auditor plans to test operating
effectiveness in determining the nature, timing and extent of
substantive testing, which shall include controls that address
risks for which substantive procedures alone do not
provide sufficient appropriate audit evidence; and
iv. Other controls that the auditor considers are appropriate to
enable the auditor to meet the objectives of HKSA 315 with
respect to risks at the assertion level, based on the auditor’s
professional judgment;
b. Based on controls identified in (a), identifying the information
technology applications and the other aspects of the entity’s
information technology environment that are subject to risks
arising from the use of information technology;
c. For such information technology applications and other aspects of
the information technology environment identified in (b),
identifying:
i. The related risks arising from the use of information
technology; and
ii. The entity’s general information technology (IT) controls
(next) that address such risks; and
ii. That directly address risk to the integrity of information
(i.e. completeness, accuracy and validity of transactions)

• The entity’s general information technology (IT) controls are defined
as:
➢ Controls over the entity’s IT process that support the continued
proper operation of the IT environment, including the continued
effective functioning of information processing controls and the
integrity of information in the entity's information system.
• An IT application is defined as:
➢ A program or a set of programs that is used in the initiation,
processing, recording and reporting of transactions or
information.
• Chapter 29 further explains the above issues.

d. For each control identified in (a) or (c)(ii):
i. Evaluating whether the control is designed effectively to
address the risk of material misstatement at the assertion
level, or effectively designed to support the operation of other
controls; and
ii. Determining whether the control has been implemented by
performing procedures in addition to inquiry of the entity’s
personnel.
• See Example 16.15, Appendix 3 para 20

11. Control Deficiencies

• Based on the auditor’s evaluation of each of the
components of the entity’s system of internal control, the
auditor is required to determine whether one or more
control deficiencies have been identified.
• If the auditor has identified one or more control deficiencies,
the auditor may consider the effect of those control
deficiencies on the design of further audit procedures in
accordance with HKSA 330 (see Chapter 20)
• If the auditor has identified one or more control deficiencies,
HKSA 265 requires the auditor to determine whether,
individually or in combination, the deficiencies constitute a
significant deficiency (see Chapter 35 for further
discussion). → Ex 16.21, A183
12. Documentation

• Together with the documentation set out in Chapter 15, the auditor is
required to include the following documentation:
a. The discussion among the engagement team and the significant
decisions reached;
b. Key elements of the auditor’s understanding obtained in respect of the
entity;
c. The sources of information from which the auditor’s understanding was
obtained;
d. The risk assessment procedures performed;
e. The evaluation of the design of identified controls, and determination;
and
f. The identified and assessed risks of material misstatement at the
financial statement level and at the assertion level, including significant
risks and risks for which substantive procedures alone cannot provide
sufficient appropriate audit evidence, and the rationale for the
significant judgments made (see Ch. 17)