AUDIT AND ASSURANCE: CONCEPTS AND

APPLICATIONS 1
Chapter 2 – Audit Planning and Internal Controls
Considerations – Part 2
Question 1

The standardization and regulation of

A
Philippine Accountancy Act accounting education
of 2004 (RA9298)1. The
objective of the Philippine The examination for registration of certified
B
Accountancy Act of 2004 public accountants
includes:
The supervision, control, and regulation of
C the practice of accountancy in the
Philippines

D All of the above

Question 1 1

The standardization and regulation of

A
Philippine Accountancy Act accounting education
of 2004 (RA9298)1. The
objective of the Philippine The examination for registration of certified
B
Accountancy Act of 2004 public accountants
includes:
The supervision, control, and regulation of
C the practice of accountancy in the
Philippines

D All of the above.

Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Process flow for understanding internal control

Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Understand the components of internal control and the entity’s flows of transactions

We are required to obtain an understanding of internal control relevant to the audit. Relevant
controls
may exist within each of the following components of internal control:
• The control environment;
• The entity’s risk assessment process;
• The information system, including the related business processes, relevant to financial
reporting, and communication;
• Control activities; and
• Monitoring of controls.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

The control environment

The control environment can be described as the attitudes, awareness, and actions
of management and those charged with governance concerning the entity’s internal
control and its importance in the entity.

Understanding of the control environment include the following:

a. Communication and enforcement of integrity and ethical values – These are
essential elements that influence the effectiveness of the design,
administration and monitoring of controls.
b. Commitment to competence – Matters such as management’s consideration of
the competence levels for particular jobs and how those levels translate into
requisite skills and knowledge.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

The control environment

c. Participation by those charged with governance – Attributes of those charged

with governance such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they receive, and the
scrutiny of activities.
• The appropriateness of their actions, including the degree to which
difficult questions are raised and pursued with management, and their
interaction with internal and external auditors.
d. Management’s philosophy and operating style – Characteristics such as
management’s
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and
personnel.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

The control environment

e. Organizational structure – The framework within which an entity’s activities for

achieving its objectives are planned, executed, controlled, and reviewed.
f. Assignment of authority and responsibility – Matters such as how authority and
responsibility for operating activities are assigned and how reporting relationships
and authorization hierarchies are established.
g. Human resource policies and practices – Policies and practices that relate to,
for example, recruitment, orientation, training, evaluation, counselling,
promotion, compensation, and remedial actions.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

The entity’s risk assessment process

The entity’s risk assessment process includes how management:

• Identifies business risks relevant to the preparation and fair presentation of
financial statements in accordance with the applicable financial reporting
framework
• Estimates their significance
• Assesses the likelihood of their occurrence
• Decides about actions to address them.

The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

The information system, including the related business processes, relevant to financial
reporting, and communication
An entity’s information system, including the related business processes, relevant
to financial reporting and communication, supports the identification, capture,
and exchange of information in a form and time frame that enables individuals to
carry out their financial reporting responsibilities. An information system may
consist of infrastructure (physical and hardware components), software, people,
procedures, and data. Many information systems make extensive use of
information technology (IT).

The auditor shall obtain an understanding of how the entity communicates

financial reporting roles and responsibilities and significant matters relating to
financial reporting, including:
(a) Communications between management and those charged with governance;
(b) External communications, such as those with regulatory authorities.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Control activities

Control activities are the policies and procedures that help ensure that
management directives are carried out. Control activities, whether within IT or
manual systems, have various objectives and are applied at various
organizational and functional levels. Examples of specific control activities include
those relating to the following:
• Authorization.
• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Monitoring of controls

Monitoring of controls refers to the entity’s process for assessing the effectiveness
of internal control relevant to financial reporting over time, including:
• The sources of the information related to monitoring activities
• The basis upon which management considers the information to be sufficiently
reliable for their purposes
• How management initiates remedial actions regarding deficiencies in controls.

Management’s monitoring of controls includes considering whether they are

operating as intended and that they are modified as appropriate for changes in
conditions.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Identify relevant control activities

Controls may vary due to the nature, approach, and type of the control implemented by the entity
to address a risk of material misstatement. Differences in the nature, approach, and type of a
control results in an individual control being more or less reliable, and impacts:

• Procedures performed and timing of testing necessary to support our evaluation of the design of a
control
• Determination of implementation; and
• Our determination of the risk associated with the control
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Identify relevant control activities

We consider the following characteristics when identifying relevant controls:

Nature: The nature of how the control is performed, i.e., manual or automated

Approach: The approach management implemented to address the assessed risks, i.e., preventive
or detective

Type: The type of control activity being performed, i.e., verifications, authorization and approvals,
physical controls and counts, controls over IUC, reconciliations, and controls with a review
element.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Identify relevant control activities

The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence
as to the operating effectiveness of relevant controls if:
(a)The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (that is, the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); or

(b)Substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Evaluate design and determine implementation

Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements. The effectiveness of the design of a control depends on the degree to which
the control can mitigate the related risk(s) of material misstatement.

As a result, it is important in evaluating the design of a control to consider the related risk(s) of
material misstatement the control is intended to address.
BREAK
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Control deficiencies identification

Chapter 2 - Audit Planning and Internal Controls Considerations Part 2

Effect of reassessment of control risk on the audit approach