
UNDERSTANDING THE ENTITY’S INTERNAL CONTROL

• Without an effective system of internal control, the entity will not be able to survive for long.
• Obtaining the understanding of the entity's internal control is part of planning the audit in order to identify and assess risks of material misstatement of the financial statements, which provides a basis when the auditor designs and implements responses to assessed risks.
OVERVIEW OF RISK ASSESSMENT PROCESS

Overview of the Risk Assessment Process

Step 1: Design and Perform Procedures to Obtain Understanding of the Entity, Its Environment, and Its Internal Control

Step 2: Identify and Assess Risk of Material Misstatement of Financial Statement
RISK ASSESSMENT PROCEDURES (RAP) TO OBTAIN UNDERSTANDING OF INTERNAL CONTROL

Procedures to obtain an understanding of internal control may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting, also known as a walkthrough test.
NATURE OF INTERNAL CONTROL

[Figure: Entity’s Objectives, Strategies, Business Risk, and Internal Control. Labels: Entity (Processes, Units, People); Internal Control; Strategies; Business Risks, Including ROMM of F/S; Objectives: 1. Financial reporting (auditor’s primary concerns), 2. Operations, 3. Compliance]

The following concepts about the nature of internal control can be deduced:

• Internal control is a process.
• Internal control is effected by people.
• Internal control can be only expected to provide reasonable assurance, not absolute assurance, that the entity’s business risks are addressed and its objectives are achieved.
• Internal control is designed towards the achievement of objectives.
THE FIVE COMPONENTS OF INTERNAL CONTROL AND THE AUDITOR’S REQUIRED UNDERSTANDING

The five components of an effective internal control:

• Control environment;
• Risk assessment process;
• The information system, including the related business processes, relevant to financial reporting, and communication;
• Control activities; and
• Monitoring.
[Figure: Interactions of Components of Internal Control. Labels: Control Environment; Risk Assessment Process; Information System and Communication; Control Activities; Monitoring; Financial Reporting Objectives]

Components of Internal Control and the Auditor’s Required Understanding

Control Environment

Component: The governance and management functions and the attitudes, awareness, and actions of TCWG and management concerning the entity’s internal control and its importance in the entity.

Seven elements are:
1. Integrity and ethical values
2. Commitment to competence
3. Human resource policies and practices
4. Assignment of authority and responsibility
5. Management’s philosophy and operating style
6. Participation by those charged with governance
7. Organizational structure

Auditor’s required understanding: Whether:
a. Management, with the oversight of TCWG, has created and maintained a culture of honesty and ethical behavior
b. The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment.

Risk Assessment Process

Component: Process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.

Auditor’s required understanding: Whether the entity has a process for:
a. Identifying business risks relevant to financial reporting objectives;
b. Estimating the significance of the risks;
c. Assessing the likelihood of their occurrence; and
d. Deciding about actions to address those risks.

Information System and Communication

Component: The identification, capture, and exchange of information that enables individuals to carry out their responsibilities. Methods to record, process, summarize and report transactions, which include:
• Identify and record all valid transactions
• Describe on a timely basis
• Measure the value properly
• Record in the proper time period
• Properly present and disclose
• Communicate responsibilities to employees

Auditor’s required understanding: About:
a. Major transaction classes significant to financial statements.
b. How transactions are initiated.
c. Available accounting records and support
d. Manner of processing of transactions
e. Financial reporting process used to prepare financial statements
f. Means the entity uses to communicate financial reporting roles and responsibilities.

Control Activities

Component: Policies and procedures of the entity that help ensure that management directives are carried out. Specifically, those that pertain to:
a. Performance reviews
b. Information processing
c. Physical controls
d. Segregation of duties

Classification of control activities:
• Preventive controls
• Detective controls
• Compensating controls

Auditor’s required understanding: Control activities relevant to the audit, being those the auditor judges it necessary to:
a. Understand in order to assess the risks of material misstatement at the assertion level; and
b. Design further audit procedures responsive to assessed risks.

Monitoring

Component: A process that assesses the effectiveness of internal control performance over time, including taking of necessary corrective actions. The types are:
a. Ongoing monitoring activities
b. Separate evaluations
c. A combination of the two

Auditor’s required understanding: Major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates relevant remedial actions to deficiencies in its controls.

ENTITY-LEVEL AND TRANSACTION-LEVEL INTERNAL CONTROLS

Internal controls can be broadly categorized as:

• Entity-Level (Pervasive) Controls:
These controls relate to the overall operations of the entity. These typically address governance and general management and serve to establish the overall control environment.

• Transaction-Level (Specific) Controls:
These are specific processes/controls that are designed to ensure that:
  • Transactions are appropriately recorded for the preparation of financial statements
  • Accounting records are maintained in reasonable detail to accurately and fairly reflect all the transactions and dispositions of assets
  • Receipts and expenditures are made only in accordance with the authorizations of management
  • Unauthorized acquisition, use, or disposition of assets would be prevented or detected on a timely basis.

EVALUATING ENTITY LEVEL CONTROLS

Evaluating Control Environment

Communication and Enforcement of Integrity and Ethical Values
• Conduct interviews with a sample of staff.
• Read the statement on the entity’s website and any code of conduct or equivalent.
• Review communication to staff.

Commitment to Competence
• Review hiring and firing policies.
• Review job descriptions and documentation contained on selected employee files.

Participation by Those Charged with Governance
• Review any self-assessment made.
• Review qualifications of board members and minutes of meetings.
• Attend a meeting as observer.

Management’s Philosophy and Operating Style
• Review any documentation.
• Conduct interviews with a sample of staff.

Organizational Structure
• Review structure in light of best practices for nature of entity.

Assignment of Authority and Responsibility
• Review any documentation such as job descriptions.

Human Resources Policies and Practices
• Review policies and practices and compliance.
• Review employee files for staff evaluations, training programs attended, etc.

Possible Overall Responses

An Effective Control Environment
The auditor will have more confidence in the entity’s internal control. In this case, some audit procedures may be performed at interim dates rather than at year-end.

An Ineffective Control Environment
This will likely require the auditor to perform some additional work such as:
• Assigning more experienced audit staff or those with special skills or using experts.
• Conducting more audit procedures at the period end rather than at an interim date.
• Intensifying the nature, timing, or extent of substantive procedures to be performed.

Similar Types of Test of Controls
• Risk assessment
• Information systems
• Monitoring
• The period-end close process
• Anti-fraud controls

THE ENTITY’S TRANSACTION CYCLES AND CONTROLS

• Transaction cycles refer to certain business processes or segments into which related transactions can be conveniently grouped and for which specific accounting procedures and control activities are established by the entity's management.

Understanding Internal Control Through Transaction Cycle

The common divisions of an entity’s transaction cycles are the following:
• Revenue and Receipt Cycle
• Purchasing and Payment Cycle
• Personnel and Payroll Cycle
• Inventory and Production Cycle
• Financing and Investing Cycle

INTERNAL CONTROLS IN SMALLER ENTITIES

The design, implementation, and maintenance of internal control vary with the size and complexity of an entity. Smaller entities may use less structured means and simpler processes and procedures to achieve their objectives.

In smaller entities, there are often few employees because of constraints in resources, which may limit the extent to which:

• Segregation of duties is practicable, and
• An appropriate paper trail of documentation is available

Internal control in such entities often pertains to the control environment as opposed to specific controls over transactions. Evaluating the control is quite different from traditional control activities, as it involves an assessment of the behavior, attitudes, competence, and actions of management.

DETERMINING RELEVANT CONTROLS

Factors relevant to the auditor's judgement about whether a control, individually or in combination with others, is relevant to the audit may include such matters as the following:
• Materiality
• Significance of the related risk
• Size of the entity
• Nature of the entity's business
• Diversity and complexity of the entity's operations
• Applicable legal and regulatory requirements
• Circumstances and the applicable component of internal control
• Nature and complexity of the systems
• Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement.

EXTENT OF UNDERSTANDING OF THE ENTITY'S RELEVANT CONTROLS - DESIGN AND IMPLEMENTATION, NOT (YET) OPERATING EFFECTIVENESS
(Learning Objectives 11)

Objectives of understanding and testing of the relevant controls

Evaluating design of control
Involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatement.

Determining implementation of control
Means ascertaining whether the properly designed control exists and that the entity is using it.

Testing operating effectiveness of control
Involves evaluating whether the properly designed and actually utilized internal control operates effectively in preventing, or detecting and correcting, material misstatements in the FS.

DOCUMENTATION OF UNDERSTANDING OF INTERNAL CONTROL

Narratives
A narrative memorandum is a written description of a client's internal controls. A proper narrative describes four things:

1. The origin of every document and record in the system.
2. All processing that takes place.
3. The disposition of every document and record in the system.
4. An indication of the controls relevant to the assessment of ROMM.

FLOWCHARTS
An internal control flowchart is a diagram of the client's documents and their sequential flow in the organization. An adequate flowchart includes the same four characteristics identified for narratives.

Well-prepared flowcharts are advantageous primarily because they provide a concise overview of the client's system, which helps auditors identify controls and deficiencies in the client's system.

Exhibit that illustrates a sample documentation of entity level controls.

Entity Level Controls Documentation

Control Environment:

Q: Does the management place emphasis on importance of integrity and ethical values?
A: Yes. Based on inspection and observations performed, the entity communicates with employees. It requires all employees to uphold integrity and ethical values in their daily operations.

Q: Is the management committed to employee competence?
A: Yes. Inspection of relevant documents revealed that the HR Department has an annual training plan for all employees. Additional training may also be provided to interested employees, subject to prior approval. Further studies are also encouraged in the entity’s culture.

Q: Do those charged with governance conduct effective oversight of the management?
A: Yes. Based on the reviews of certain documents, the entity has a formal governance structure. The board of directors acts independently from management. Three out of nine members of the board are independent individuals with considerable expertise in financial matters.

Q: Does management have a proactive attitude toward effectiveness of internal control to mitigate business risks?
A: Yes. Interviews of top management disclosed that it has a proactive attitude for effective internal control. Management has implemented the internal auditor’s recommendations in the past that were feasible.

Q: Does the entity have an effective/appropriate organizational structure for planning, controlling and achieving objectives?
A: Yes. Inspection of the entity’s organization chart signifies well-defined lines of responsibility and authority.

Q: Does the entity have policies and procedures to ensure effective HR management?
A: Yes. Inspection of HR documents revealed that there are clear personnel policies, from promotion, demotion and salary grades to employee tardiness and absenteeism.

Risk Assessment:

Q: Does the management prevent being surprised by events that were not previously identified/assessed that could be detrimental to the entity by planning ahead?
A: Yes. Review of a copy of the annual business plan, which did highlight the potential for the economy to impact sales, indicates that the entity plans ahead its future courses of action to effectively meet its objectives.

Q: Are events and conditions that are significant to the financial statements captured or recorded in the financial statements?
A: Yes. The entity’s Accounting Manager and CFO perform a review of financial statements by comparing them with budgets to capture significant transactions.

Fraud Prevention:

Q: Has management considered or assessed the risks of fraud occurring (including management override)?
A: Yes. The entity’s cash and valuables are placed in banks and safe depository accounts. Inspection of these accounts revealed this to be the case.

IT General Controls:

Q: Are there policies/procedures to ensure effective IT management or IT staff supervision aligned with the entity’s business objectives, risks and IT plans?
A: Yes. Evaluation of IT department documents and personnel disclosed that IT plans are developed to support the whole entity's operations. IT expenses and capital purchases are part of the annual budget (if foreseen) to ensure software is up to date and a backup of the data is maintained.

WALKTHROUGH TESTS

The auditor shall perform walkthroughs to achieve the following objectives:

• To confirm understanding of the flow of significant classes of transactions; and
• To verify the identified “what can go wrongs” (WCGWs) that have the potential to materially affect relevant financial statement assertions related to significant accounts and disclosures within each significant class of transactions.
• The walkthrough includes both manual and automated steps of the process and uses the same source documents and information technology that client personnel typically would use.
• It must be remembered that performing a systems walkthrough should be done every year of audit. The auditor is required to determine whether information obtained in prior periods remains relevant, if the auditor intends to use that information for the purposes of the current audit.

DEFICIENCIES IN INTERNAL CONTROL

Aspects of Internal Control Deficiencies

A deficiency in internal control exists when:

• A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the FS on a timely basis; or
• A control necessary to prevent, or detect and correct, misstatements in the FS on a timely basis is missing.

Severity of Internal Control Deficiencies

Deficiencies of Internal Control

1. Control Deficiency
   Severity: Does not allow, in the normal course of functions, to prevent or detect and correct misstatement on a timely basis
   Communication to Mgt. & TCWG: Only if it merits their attention

2. Material Weaknesses
   Severity: A reasonable possibility that a material misstatement will not be prevented or detected and corrected on a timely basis
   Communication to Mgt. & TCWG: Yes

3. Significant Deficiency
   Severity: Less severe than a material weakness
   Communication to Mgt. & TCWG: Yes

Deficiencies of Internal Control Comparison II

1. Control deficiency
   Likelihood: Remote
   Magnitude: Inconsequential

2. Material deficiency
   Likelihood: More than remote
   Magnitude: More than inconsequential

3. Significant deficiency
   Likelihood: More than remote
   Magnitude: Material
