
STUDY AND EVALUATION OF INTERNAL CONTROL
PRESENTATION 2
LEARNING OBJECTIVES
• DEFINE INTERNAL CONTROL
• DISCUSS THE IMPORTANCE OF AN INTERNAL CONTROL SYSTEM
• IDENTIFY THE DIFFERENT COMPONENTS OF INTERNAL CONTROL
• DESCRIBE THE BASIC APPROACH TO PLANNING AN AUDIT BASED ON AN UNDERSTANDING OF INTERNAL
CONTROL

• DISCUSS THE TECHNIQUES THAT MAY BE USED TO DOCUMENT THE AUDITOR’S UNDERSTANDING OF AN
ENTITY’S INTERNAL CONTROL STRUCTURE

• DESCRIBE HOW CONTROL RISK IS ASSESSED, AND THE IMPLICATIONS OF THIS ASSESSMENT TO THE
REST OF THE FINANCIAL STATEMENT AUDIT PROCESS

• ENUMERATE THE DIFFERENT WAYS IN TESTING THE EFFECTIVENESS OF INTERNAL CONTROLS


• DISCUSS THE DISPOSITION OF SIGNIFICANT DEFICIENCIES IN INTERNAL CONTROL
INTRODUCTION

• THE OBJECTIVE OF THE AUDITOR IS TO IDENTIFY AND ASSESS THE RISKS OF MATERIAL MISSTATEMENT,
WHETHER DUE TO FRAUD OR ERROR, AT THE FINANCIAL STATEMENT AND ASSERTION LEVELS, THROUGH
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT, INCLUDING THE ENTITY’S INTERNAL CONTROL,
THEREBY PROVIDING FOR DESIGNING AND IMPLEMENTING RESPONSES TO THE ASSESSED RISKS OF
MATERIAL MISSTATEMENT.
• PSA 315 (REDRAFTED) PROVIDES THAT THE AUDITOR SHALL OBTAIN AN UNDERSTANDING OF INTERNAL
CONTROL RELEVANT TO THE AUDIT.

• THE OBJECTIVES OF THE AUDITOR IN OBTAINING AN UNDERSTANDING OF THE CLIENT’S INTERNAL
CONTROL ARE TO:
1. IDENTIFY TYPES OF POTENTIAL MISSTATEMENTS IN THE FINANCIAL STATEMENTS
2. IDENTIFY FACTORS THAT AFFECT THE RISK OF MATERIAL MISSTATEMENTS IN THE FINANCIAL
STATEMENTS
3. DESIGN THE NATURE, EXTENT AND TIMING OF FURTHER AUDIT PROCEDURES (TESTS OF CONTROLS
AND SUBSTANTIVE TESTS)
INTERNAL CONTROL DEFINED

• IS THE PROCESS DESIGNED AND EFFECTED BY THOSE CHARGED WITH GOVERNANCE, MANAGEMENT, AND
OTHER PERSONNEL TO PROVIDE REASONABLE ASSURANCE ABOUT THE ACHIEVEMENT OF THE ENTITY’S
OBJECTIVES WITH REGARD TO RELIABILITY OF FINANCIAL REPORTING, EFFECTIVENESS AND EFFICIENCY
OF OPERATIONS, AND COMPLIANCE WITH LAWS AND REGULATIONS.

• CLEARLY, INTERNAL CONTROL IS DESIGNED AND IMPLEMENTED TO ADDRESS IDENTIFIED BUSINESS
RISKS THAT THREATEN THE ACHIEVEMENT OF ANY OF THESE OBJECTIVES.
COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO)

• INTERNAL CONTROL IS A PROCESS EFFECTED BY AN ENTITY’S BOARD OF DIRECTORS, MANAGEMENT AND
OTHER PERSONNEL, DESIGNED TO PROVIDE REASONABLE ASSURANCE REGARDING THE ACHIEVEMENT OF
OBJECTIVES IN THE FOLLOWING CATEGORIES: EFFECTIVENESS AND EFFICIENCY OF OPERATIONS,
RELIABILITY OF FINANCIAL REPORTING AND COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS.
INTERNAL CONTROL IS A PROCESS
• BUSINESS PROCESSES, WHICH ARE CONDUCTED WITHIN OR ACROSS ORGANIZATION UNITS OR
FUNCTIONS, ARE MANAGED THROUGH THE BASIC MANAGEMENT PROCESSES OF PLANNING, EXECUTING
AND MONITORING.

• INTERNAL CONTROL IS A PART OF THESE PROCESSES AND IS INTEGRATED WITH THEM.


• IT ENABLES THEM TO FUNCTION AND MONITORS THEIR CONDUCT AND CONTINUED RELEVANCY.
• IT IS A TOOL USED BY MANAGEMENT, NOT A SUBSTITUTE FOR MANAGEMENT.
INTERNAL CONTROL INVOLVES PEOPLE
• IT IS NOT MERELY POLICY MANUALS AND FORMS, BUT PEOPLE AT EVERY LEVEL OF AN ORGANIZATION.
• INTERNAL CONTROL IS EFFECTED BY A BOARD OF DIRECTORS, MANAGEMENT AND OTHER PERSONNEL IN
AN ENTITY.

• IT IS ACCOMPLISHED BY THE PEOPLE OF AN ORGANIZATION, BY WHAT THEY DO AND SAY.


• PEOPLE ESTABLISH THE ENTITY’S OBJECTIVES AND PUT CONTROL MECHANISMS IN PLACE.
• SIMILARLY, INTERNAL CONTROL AFFECTS PEOPLE’S ACTIONS.
• PEOPLE MUST KNOW THEIR RESPONSIBILITIES AND LIMITS OF AUTHORITY.
INTERNAL CONTROL PROVIDES REASONABLE ASSURANCE

• NO MATTER HOW WELL DESIGNED AND OPERATED, INTERNAL CONTROLS CAN PROVIDE ONLY
REASONABLE ASSURANCE TO MANAGEMENT AND THOSE CHARGED WITH GOVERNANCE REGARDING THE
ACHIEVEMENT OF AN ENTITY’S OBJECTIVES.
INTERNAL CONTROL IS GEARED TOWARDS THE ACHIEVEMENT OF AN ENTITY’S OBJECTIVES
• OBJECTIVES FALL INTO THREE CATEGORIES: OPERATIONS, FINANCIAL REPORTING, AND COMPLIANCE.
• THIS CATEGORIZATION ALLOWS FOCUSING ON SEPARATE ASPECTS OF INTERNAL CONTROL.
• FOR EXAMPLE, OBJECTIVES COMMON TO VIRTUALLY ALL ENTITIES ARE ACHIEVING AND MAINTAINING A
POSITIVE REPUTATION WITHIN THE BUSINESS AND CONSUMER COMMUNITIES, PROVIDING RELIABLE
FINANCIAL STATEMENTS TO STAKEHOLDERS, AND OPERATING IN COMPLIANCE WITH LAWS AND
REGULATIONS.
WHAT IS AN INTERNAL CONTROL SYSTEM?

• AN INTERNAL CONTROL SYSTEM CONSISTS OF ALL THE POLICIES AND PROCEDURES (I.E. RELATED TO
INTERNAL CONTROL PROCESSES) ADOPTED BY THE MANAGEMENT OF AN ENTITY TO ASSIST IN ACHIEVING
MANAGEMENT’S OBJECTIVE OF ENSURING, AS FAR AS PRACTICABLE, THE ORDERLY AND EFFICIENT
CONDUCT OF ITS BUSINESS, INCLUDING ADHERENCE TO MANAGEMENT POLICIES, THE SAFEGUARDING OF
ASSETS, THE PREVENTION AND DETECTION OF FRAUD AND ERROR, THE ACCURACY AND COMPLETENESS
OF THE ACCOUNTING RECORDS, AND THE TIMELY PREPARATION OF RELIABLE FINANCIAL INFORMATION.
EXAMPLES OF ECONOMIC DECISIONS MADE BY USERS OF FINANCIAL STATEMENTS
Operations – Relating to effective and efficient use of the entity’s resources. These pertain to
effectiveness and efficiency of the entity’s operations, including performance and
profitability goals and safeguarding resources against loss. They vary based on
management’s choices about structure and performance.
Financial Operating – Relating to preparation of reliable published financial statements, including
prevention of fraudulent public financial reporting. They are driven primarily by external
requirements.
Compliance – Relating to the entity’s compliance with applicable laws and regulations. They are
dependent on external factors, such as environmental regulation, and tend to be similar
across all entities in some cases and across an industry in others.
COMPONENTS OF INTERNAL CONTROL
• THERE ARE FIVE INTER-RELATED COMPONENTS OF INTERNAL CONTROL
1. CONTROL ENVIRONMENT
2. RISK ASSESSMENT PROCESS
3. CONTROL ACTIVITIES
4. INFORMATION SYSTEM AND RELATED BUSINESS PROCESSES RELEVANT TO FINANCIAL REPORTING AND
COMMUNICATION
5. MONITORING OF CONTROLS
THE CONTROL ENVIRONMENT
• THE CONTROL ENVIRONMENT SETS THE TONE OF AN ORGANIZATION, INFLUENCING THE CONTROL CONSCIOUSNESS OF ITS
PEOPLE.

• IT IS THE FOUNDATION FOR ALL OTHER COMPONENTS OF INTERNAL CONTROL, PROVIDING DISCIPLINE AND STRUCTURE.
• THE PRIMARY RESPONSIBILITY FOR THE PREVENTION AND DETECTION OF FRAUD AND ERROR RESTS WITH BOTH THOSE
CHARGED WITH GOVERNANCE AND THE MANAGEMENT OF AN ENTITY.

• EFFECTIVELY CONTROLLED ENTITIES STRIVE TO HAVE COMPETENT PEOPLE, INSTILL AN ENTERPRISE-WIDE ATTITUDE OF
INTEGRITY AND CONTROL CONSCIOUSNESS, AND SET A POSITIVE TONE AT THE TOP.

• THEY ESTABLISH APPROPRIATE POLICIES AND PROCEDURES, OFTEN INCLUDING A WRITTEN CODE OF CONDUCT, WHICH FOSTER
SHARED VALUES AND TEAMWORK IN PURSUIT OF THE ENTITY’S OBJECTIVES.
ELEMENTS OF THE CONTROL ENVIRONMENT
1. COMMUNICATION AND ENFORCEMENT OF INTEGRITY AND ETHICAL VALUES
2. COMMITMENT TO COMPETENCE
3. PARTICIPATION BY THOSE CHARGED WITH GOVERNANCE
4. MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
5. ORGANIZATIONAL STRUCTURE
6. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
7. HUMAN RESOURCE POLICIES AND PRACTICES
THE ENTITY’S RISK ASSESSMENT PROCESS

• IS THE IDENTIFICATION AND ANALYSIS OF RELEVANT RISKS TO ACHIEVEMENT OF THE OBJECTIVES,
FORMING A BASIS FOR DETERMINING HOW THE RISKS SHOULD BE MANAGED.

• AN ENTITY’S RISK ASSESSMENT PROCESS IS ITS PROCESS FOR IDENTIFYING AND RESPONDING TO BUSINESS RISKS
AND THE RESULTS THEREOF.

• MANAGEMENT MUST FOCUS CAREFULLY ON RISKS AT ALL LEVELS OF THE ENTITY AND TAKE THE
NECESSARY ACTIONS TO MANAGE THEM.
RISK IDENTIFICATION

• AN ENTITY’S PERFORMANCE CAN BE AT RISK DUE TO INTERNAL OR EXTERNAL FACTORS.


• IT SHOULD CONSIDER ALL SIGNIFICANT INTERACTIONS – OF GOODS, SERVICES AND INFORMATION –
BETWEEN AN ENTITY AND RELEVANT EXTERNAL PARTIES.

• THESE EXTERNAL PARTIES INCLUDE POTENTIAL AND CURRENT SUPPLIERS, INVESTORS, CREDITORS,
SHAREHOLDERS, EMPLOYEES, CUSTOMERS, AS WELL AS PUBLIC BODIES AND NEWS MEDIA.
Examples of Economic Decisions Made by Users of Financial Statements

External Factors
1. Technological developments can affect the nature and timing of research and development, or lead to changes in procurement.
2. Changing customer needs or expectations can affect product development, production process, customer service, pricing or warranties.
3. New legislation and regulation can force changes in operating policies and strategies.
4. National catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning.
5. Economic changes can have an impact on decisions related to financing, capital expenditures and expansion.

Internal Factors
1. A disruption in information systems processing can adversely affect the entity’s operations.
2. The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity.
3. A change in management responsibilities can affect the way certain controls are effected.
4. The nature of the entity’s activities, and employee accessibility to assets, can contribute to misappropriation of resources.
5. An assertive or ineffective board or audit committee can provide opportunities for indiscretion.
RISK ANALYSIS AND MANAGEMENT

1. ESTIMATING THE SIGNIFICANCE OF A RISK


2. ASSESSING THE LIKELIHOOD (OR FREQUENCY) OF THE RISK OCCURRING;
3. CONSIDERING HOW THE RISK SHOULD BE MANAGED – THAT IS, AN ASSESSMENT OF WHAT ACTIONS
NEED TO BE TAKEN.
Circumstances Demanding Special Attention
Changes in operating environment – Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
New personnel – New personnel may have a different focus on or understanding of internal control.
New or revamped information systems – Significant and rapid changes in information systems can change the risk relating to internal control.
Rapid growth – Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
New technology – Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
New business models, products, or activities – Entering into business production processes or information systems may change the risk associated with internal control.
Corporate restructurings – Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
Expanded foreign operations – The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
New accounting pronouncements – Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.
INFORMATION SYSTEM AND COMMUNICATION

• AN INFORMATION SYSTEM CONSISTS OF INFRASTRUCTURE (PHYSICAL AND HARDWARE COMPONENTS),
SOFTWARE, PEOPLE, PROCEDURES, AND DATA. INFRASTRUCTURE AND SOFTWARE WILL BE ABSENT, OR
HAVE LESS SIGNIFICANCE, IN SYSTEMS THAT ARE EXCLUSIVELY OR PRIMARILY MANUAL.

• MANY INFORMATION SYSTEMS MAKE EXTENSIVE USE OF INFORMATION TECHNOLOGY (IT).


• TRANSACTIONS MAY BE INITIATED MANUALLY OR AUTOMATICALLY BY PROGRAMMED PROCEDURES
• PROCESSES WHICH ARE PART OF THE INFORMATION SYSTEM ARE AS FOLLOWS:
Recording – Includes identifying and capturing the relevant information for transactions or events.
Processing – Includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures.
Reporting – Relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity’s financial performance and in other functions.
• THE QUALITY OF SYSTEM-GENERATED INFORMATION AFFECTS MANAGEMENT’S ABILITY TO MAKE
APPROPRIATE DECISIONS IN MANAGING AND CONTROLLING THE ENTITY’S ACTIVITIES AND TO PREPARE
RELIABLE FINANCIAL REPORTS.

• ACCORDINGLY, AN INFORMATION SYSTEM ENCOMPASSES METHODS AND RECORDS THAT:
1. IDENTIFY AND RECORD ALL VALID TRANSACTIONS.
2. DESCRIBE ON A TIMELY BASIS THE TRANSACTIONS IN SUFFICIENT DETAIL TO PERMIT PROPER
CLASSIFICATION OF TRANSACTIONS FOR FINANCIAL REPORTING.
3. MEASURE THE VALUE OF TRANSACTIONS IN A MANNER THAT PERMITS RECORDING THEIR PROPER
MONETARY VALUE IN THE FINANCIAL STATEMENTS.
4. DETERMINE THE TIME PERIOD IN WHICH TRANSACTIONS OCCURRED TO PERMIT RECORDING OF
TRANSACTIONS IN THE PROPER ACCOUNTING PERIOD.
5. PRESENT PROPERLY THE TRANSACTIONS AND RELATED DISCLOSURES IN THE FINANCIAL STATEMENTS.
INFORMATION
• FINANCIAL INFORMATION IS NOT ONLY USED IN DEVELOPING FINANCIAL STATEMENTS FOR EXTERNAL
DISSEMINATION; IT IS ALSO USED FOR OPERATING DECISIONS, SUCH AS MONITORING PERFORMANCE
AND ALLOCATING RESOURCES.

• RELIABLE INTERNAL FINANCIAL MEASUREMENTS ALSO ARE ESSENTIAL TO PLANNING, BUDGETING,
PRICING, EVALUATING VENDOR PERFORMANCE, AND EVALUATING JOINT VENTURES AND OTHER
ALLIANCES.

• INFORMATION DEVELOPED FROM INTERNAL AND EXTERNAL SOURCES, BOTH FINANCIAL AND
NON-FINANCIAL, IS RELEVANT TO ALL OBJECTIVES CATEGORIES.
INFORMATION QUALITY

• THE QUALITY OF SYSTEM-GENERATED INFORMATION AFFECTS MANAGEMENT’S ABILITY TO MAKE
APPROPRIATE DECISIONS IN MANAGING AND CONTROLLING THE ENTITY’S ACTIVITIES.

• MODERN SYSTEMS OFTEN PROVIDE ON-LINE QUERY ABILITY, SO THAT THE FRESHEST INFORMATION IS
AVAILABLE ON REQUEST.

• IT IS CRITICAL THAT REPORTS CONTAIN ENOUGH APPROPRIATE DATA TO SUPPORT EFFECTIVE CONTROL.
• GUIDE OPERATIONS – QUALITY OF INFORMATION
1. CONTENT IS APPROPRIATE – IS THE NEEDED INFORMATION THERE?
2. INFORMATION IS TIMELY – IS IT THERE WHEN REQUIRED?
3. INFORMATION IS CURRENT – IS IT THE LATEST AVAILABLE?
4. INFORMATION IS ACCURATE – ARE THE DATA CORRECT?
5. INFORMATION IS ACCESSIBLE – CAN IT BE OBTAINED EASILY BY APPROPRIATE PARTIES?

• ALL OF THESE QUESTIONS MUST BE ADDRESSED BY THE SYSTEM DESIGN. IF NOT, IT IS PROBABLE THAT
THE SYSTEM WILL NOT PROVIDE THE INFORMATION THAT MANAGEMENT AND OTHER PERSONNEL
REQUIRE.

• BECAUSE HAVING THE RIGHT INFORMATION, ON TIME, AT THE RIGHT PLACE IS ESSENTIAL TO EFFECTING
CONTROL, AN INFORMATION SYSTEM, WHILE ITSELF A COMPONENT OF INTERNAL CONTROL, ALSO MUST
BE CONTROLLED.
COMMUNICATION
• INVOLVES PROVIDING AN UNDERSTANDING OF INDIVIDUAL ROLES AND RESPONSIBILITIES PERTAINING
TO INTERNAL CONTROL OVER FINANCIAL REPORTING.

• IT INCLUDES THE EXTENT TO WHICH PERSONNEL UNDERSTAND HOW THEIR ACTIVITIES IN THE FINANCIAL
REPORTING INFORMATION SYSTEM RELATE TO THE WORK OF OTHERS AND THE MEANS OF REPORTING
EXCEPTIONS TO AN APPROPRIATE HIGHER LEVEL WITHIN THE ENTITY.

• OPEN COMMUNICATION CHANNELS HELP ENSURE THAT EXCEPTIONS ARE REPORTED AND ACTED ON.
• COMMUNICATION TAKES SUCH FORMS AS POLICY MANUALS, ACCOUNTING AND FINANCIAL REPORTING
MANUALS, MEMORANDA, AND MANAGEMENT COMMITTEE, DEPARTMENTAL OR SUPERVISORY MEETINGS.
CONTROL ACTIVITIES
• ARE POLICIES AND PROCEDURES, WHICH ARE THE ACTIONS OF PEOPLE TO IMPLEMENT THE POLICIES, TO
HELP ENSURE THAT MANAGEMENT DIRECTIVES IDENTIFIED AS NECESSARY TO ADDRESS RISKS ARE
CARRIED OUT.

• CONTROL ACTIVITIES OCCUR THROUGHOUT THE ORGANIZATION, AT ALL LEVELS AND IN ALL FUNCTIONS.
• CONTROL ACTIVITIES INCLUDE APPROVALS, AUTHORIZATIONS, VERIFICATIONS, RECONCILIATIONS,
REVIEWS OF OPERATING ASSETS, SECURITY OF ASSETS AND SEGREGATION OF DUTIES.
1. PERFORMANCE REVIEWS.
• REVIEWS AND ANALYSES OF ACTUAL PERFORMANCE VERSUS BUDGETS, FORECASTS, AND PRIOR PERIOD
PERFORMANCE;
• RELATING DIFFERENT SETS OF DATA – OPERATIONAL OR FINANCIAL – TO ONE ANOTHER, TOGETHER WITH
ANALYSES OF THE RELATIONSHIPS AND INVESTIGATIVE AND CORRECTIVE ACTIONS;
• COMPARING INTERNAL DATA WITH EXTERNAL SOURCES OF INFORMATION
• REVIEW OF FUNCTIONAL OR ACTIVITY PERFORMANCE, SUCH AS A BANK’S CONSUMER LOAN MANAGER’S
REVIEW OF REPORTS BY BRANCH, AND LOAN TYPE FOR LOAN APPROVALS AND COLLECTIONS.
2. INFORMATION PROCESSING.
• THESE CONTROLS ARE PERFORMED TO CHECK ACCURACY, COMPLETENESS, AND AUTHORIZATION OF
TRANSACTIONS. THE TWO BROAD GROUPINGS OF INFORMATION SYSTEMS CONTROL ACTIVITIES ARE GENERAL
IT CONTROLS AND APPLICATION CONTROLS.

General IT Controls
Description – Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
Examples – Controls over data center and network operations, system software acquisition, change and maintenance; access security; and application system security acquisition, development and maintenance.

Application Controls
Description – Controls that apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
Examples – Checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence of checks, and manual follow-up of exception reports.

3. PHYSICAL CONTROLS - THESE ACTIVITIES ENCOMPASS THE PHYSICAL SECURITY OF ASSETS, INCLUDING
ADEQUATE SAFEGUARDS SUCH AS:
• SECURED FACILITIES OVER ACCESS TO ASSETS AND RECORDS;
• AUTHORIZATION FOR ACCESS TO COMPUTER PROGRAMS AND DATA FILES;
• PERIODIC COUNTING AND COMPARISON WITH AMOUNTS SHOWN ON CONTROL RECORDS (FOR EXAMPLE COMPARING
THE RESULTS OF CASH, SECURITY AND INVENTORY COUNTS WITH ACCOUNTING RECORDS).

4. SEGREGATION OF DUTIES.
• ASSIGNING DIFFERENT PEOPLE THE RESPONSIBILITIES OF AUTHORIZATION, RECORDING TRANSACTIONS, AND
MAINTAINING CUSTODY OF ASSETS IS INTENDED TO REDUCE THE OPPORTUNITIES TO ALLOW ANY PERSON TO
BE IN A POSITION TO BOTH PERPETRATE AND CONCEAL ERRORS OR FRAUD IN THE NORMAL COURSE OF THE
PERSON’S DUTIES.
POLICIES AND PROCEDURES

• CONTROL ACTIVITIES USUALLY INVOLVE TWO ELEMENTS: A POLICY ESTABLISHING WHAT SHOULD BE
DONE AND, SERVING AS A BASIS FOR THE SECOND ELEMENT, PROCEDURES TO IMPLEMENT THE POLICY.

• UNWRITTEN POLICIES CAN BE EFFECTIVE WHERE THE POLICY IS A LONG-STANDING AND WELL-
UNDERSTOOD PRACTICE, AND IN SMALLER ORGANIZATIONS WHERE COMMUNICATION CHANNELS
INVOLVE ONLY LIMITED MANAGEMENT LAYERS AND CLOSE INTERACTION AND SUPERVISION OF
PERSONNEL.
EVALUATION OF CONTROL ACTIVITIES

• CONTROL ACTIVITIES MUST BE EVALUATED IN THE CONTEXT OF MANAGEMENT DIRECTIVES TO ADDRESS
RISKS ASSOCIATED WITH ESTABLISHED OBJECTIVES FOR EACH SIGNIFICANT ACTIVITY.

• AN EVALUATOR (E.G. INTERNAL AUDITOR OR EXTERNAL AUDITOR) WILL CONSIDER NOT ONLY WHETHER
ESTABLISHED CONTROL ACTIVITIES ARE RELEVANT TO THE RISK-ASSESSMENT PROCESS, BUT ALSO
WHETHER THEY ARE BEING APPLIED PROPERLY.
MONITORING OF CONTROLS

• IS A PROCESS TO ASSESS THE QUALITY OF INTERNAL CONTROL PERFORMANCE OVER TIME. IT INVOLVES
ASSESSING THE DESIGN AND OPERATION OF CONTROLS ON A TIMELY BASIS AND TAKING NECESSARY
CORRECTIVE ACTIONS. MONITORING IS DONE TO ENSURE THAT CONTROLS CONTINUE TO OPERATE
EFFECTIVELY.
THE NEED TO MONITOR CONTROLS
• INTERNAL CONTROL SYSTEMS CHANGE OVER TIME. ACCORDINGLY, MANAGEMENT NEEDS TO DETERMINE
WHETHER THE INTERNAL CONTROL SYSTEM CONTINUES TO BE RELEVANT AND ABLE TO ADDRESS NEW
RISKS.

• THE PROCESS INVOLVES ASSESSMENT BY APPROPRIATE PERSONNEL OF THE DESIGN AND OPERATION OF
CONTROLS ON A SUITABLY TIMELY BASIS, AND THE TAKING OF NECESSARY ACTIONS.

• EXAMPLE
ARRIVAL OF NEW PERSONNEL, THE VARYING EFFECTIVENESS OF TRAINING AND SUPERVISION, TIME
AND RESOURCES CONSTRAINTS, NEW PHASING OF WORKING ENVIRONMENT
METHODS FOR MONITORING CONTROLS
• MONITORING CAN BE DONE IN TWO WAYS: THROUGH ONGOING ACTIVITIES OR SEPARATE EVALUATIONS.
Monitoring of Controls – Issues to consider
Ongoing Monitoring
1. Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system
of internal control continues to function.
2. Extent to which communications from external parties corroborate internally generated information or
indicate problems.
3. Periodic comparison of accounts recorded by the accounting system with physical assets.
4. Responsiveness to internal and external auditor recommendations on means to strengthen internal
controls.
5. Whether personnel are asked periodically to state whether they understand and comply with the entity’s
code of conduct and regularly perform critical control activities.
6. Effectiveness of internal audit activities.
Separate Evaluations
1. Scope and frequency of separate evaluations of the internal control systems.
2. Appropriateness of the evaluating process.
3. Whether the methodology for evaluating a system is logical and appropriate.

4. Appropriateness of the level of documentation.

Reporting Deficiencies
1. Existence of mechanism for capturing and reporting identified internal control deficiencies.
2. Appropriateness of reporting protocols and of follow-up actions.
INHERENT LIMITATIONS OF INTERNAL CONTROL

1. MANAGEMENT’S USUAL REQUIREMENT THAT A CONTROL BE COST EFFECTIVE, I.E. THAT THE COST OF A
CONTROL PROCEDURE NOT BE DISPROPORTIONATE TO THE POTENTIAL LOSS DUE TO FRAUD OR ERROR;
2. THE FACT THAT MOST CONTROLS TEND TO BE DIRECTED AT ANTICIPATED TYPES OF TRANSACTIONS
AND NOT AT UNUSUAL TRANSACTIONS; THE POTENTIAL FOR HUMAN ERROR DUE TO CARELESSNESS,
DISTRACTION, MISTAKES OF JUDGMENT OR THE MISUNDERSTANDING OF INSTRUCTIONS;
3. THE POSSIBILITY OF CIRCUMVENTION OF CONTROLS THROUGH COLLUSION WITH PARTIES OUTSIDE THE ENTITY
OR WITH EMPLOYEES OF THE ENTITY;
4. THE POSSIBILITY THAT A PERSON RESPONSIBLE FOR EXERCISING CONTROL COULD ABUSE THAT
RESPONSIBILITY, FOR EXAMPLE, A MEMBER OF MANAGEMENT OVERRIDING A CONTROL;
5. THE POSSIBILITY THAT PROCEDURES MAY BECOME INADEQUATE DUE TO CHANGES IN CONDITIONS AND
COMPLIANCE WITH PROCEDURES MAY DETERIORATE.
RELEVANCE OF CONTROLS TO THE AUDIT

• THE DESIGN OF INTERNAL CONTROLS AND THE MANNER IN WHICH THEY ARE IMPLEMENTED VARY WITH AN
ENTITY’S SIZE AND COMPLEXITY.

• SPECIFICALLY, SMALLER ENTITIES MAY USE LESS FORMAL MEANS AND SIMPLER PROCESSES AND
PROCEDURES TO ACHIEVE THEIR OBJECTIVES.

• FOR VERY SMALL ENTITIES, THE OWNER-MANAGER MAY PERFORM FUNCTIONS WHICH IN A LARGER
ENTITY WOULD BE REGARDED AS BELONGING TO SEVERAL OF THE COMPONENTS OF INTERNAL
CONTROL.
• AUDITORS SHOULD CONSIDER THAT CONTROLS THAT ARE RELEVANT TO AN AUDIT PERTAIN TO THE
ENTITY’S OBJECTIVE OF PREPARING FINANCIAL STATEMENTS FOR EXTERNAL PURPOSES THAT ARE
PRESENTED FAIRLY, IN ALL MATERIAL RESPECTS, IN ACCORDANCE WITH THE APPLICABLE FINANCIAL
REPORTING FRAMEWORK AND THE MANAGEMENT OF RISK THAT MAY GIVE RISE TO A MATERIAL
MISSTATEMENT IN THOSE FINANCIAL STATEMENTS.

• IT IS A MATTER OF THE AUDITOR’S PROFESSIONAL JUDGMENT WHETHER A CONTROL, INDIVIDUALLY OR IN
COMBINATION WITH OTHERS, IS RELEVANT TO THE AUDITOR’S CONSIDERATIONS IN ASSESSING THE RISK
OF MATERIAL MISSTATEMENT AND DESIGNING AND PERFORMING FURTHER PROCEDURES IN RESPONSE TO
ASSESSED RISKS.
INTERNAL CONTROL EVALUATION IN FS AUDIT
• AN AUDITOR’S APPROACH IN THE STUDY AND EVALUATION OF THE CLIENT’S INTERNAL CONTROL
GENERALLY CONSISTS OF THE FOLLOWING STEPS:
1. OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE
2. MAKE A PRELIMINARY ASSESSMENT OF CONTROL RISK
3. DETERMINE THE APPROPRIATE RESPONSE TO THE ASSESSED RISKS
4. REASSESS CONTROL RISK
5. DETERMINE THE NATURE, EXTENT AND TIMING OF SUBSTANTIVE TESTS
STEP 1: OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE

1. PERFORMING A PRELIMINARY REVIEW


IN DETERMINING THE LEVEL OF UNDERSTANDING NECESSARY TO PLAN THE AUDIT, AN AUDITOR USES
SOURCES SUCH AS PAST EXPERIENCE WITH THE CLIENT, AND AN UNDERSTANDING OF THE INDUSTRY IN
WHICH THE CLIENT OPERATES TO DETERMINE THE RISK OF MATERIAL MISSTATEMENTS.
AN UNDERSTANDING OF THE COMPONENTS OF THE INTERNAL CONTROLS RELEVANT TO THE AUDIT PROVIDES
THE AUDITOR WITH A GENERAL KNOWLEDGE OF THE ENTITY’S ORGANIZATIONAL STRUCTURE, OF METHODS
USED TO COMMUNICATE RESPONSIBILITY AND AUTHORITY, AND OF METHODS USED BY MANAGEMENT TO
SUPERVISE THE SYSTEM.
IN TURN, AN UNDERSTANDING OF THE FLOW OF TRANSACTIONS PROVIDES THE AUDITOR WITH A GENERAL
KNOWLEDGE OF THE VARIOUS CLASSES OF TRANSACTIONS AND THE METHODS BY WHICH EACH
SIGNIFICANT CLASS OF TRANSACTIONS IS AUTHORIZED, EXECUTED, INITIALLY RECORDED, AND
SUBSEQUENTLY PROCESSED.
STEP 1: OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE

2. IDENTIFYING TRANSACTION CYCLES


THE MAJOR TRANSACTION CYCLES IN A COMMERCIAL AND INDUSTRIAL ENTITY INCLUDE:
• REVENUE/RECEIVABLES/CASH RECEIPTS CYCLE
• PURCHASING/PAYABLES/DISBURSEMENTS CYCLE
• PAYROLL CYCLE
• PRODUCTION/CONVERSION CYCLE
• FINANCING AND INVESTING CYCLE
THESE CYCLES DEAL WITH CONTROLS OVER THE AUTHORIZATION AND EXECUTION OF THE RELATED TRANSACTIONS, THEIR RECORDING
IN THE ACCOUNTS AND THEIR SUMMARIZATION FOR POSTING TO THE GENERAL LEDGER. THIS PROVIDES THE FOLLOWING ADVANTAGES:
A. IT ENABLES THE AUDITOR TO GAIN AN ADEQUATE UNDERSTANDING OF THE FLOW OF TRANSACTIONS FROM INCEPTION TO
CONCLUSION, TO MAKE SURE THAT HE HAS IDENTIFIED ALL SIGNIFICANT PROCESSES AND HAS NOTED AND EVALUATED EACH PHASE
OF THE TRANSACTION FLOW.
B. IT ENABLES THE AUDITOR TO BETTER EVALUATE THE IMPACT OF INTERNAL CONTROL (OR LACK OF IT) ON SPECIFIC FINANCIAL
STATEMENT ITEMS AFFECTED AND, THEREFORE, ASSISTS HIM IN DETERMINING THE NATURE, TIMING AND EXTENT OF
SUBSTANTIVE TESTS.
STEP 1: OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE

3. DOCUMENTATION OF UNDERSTANDING OF INTERNAL CONTROL


DOCUMENTATION OF THE AUDITOR’S UNDERSTANDING OF THE INTERNAL CONTROL STRUCTURE IS
INFLUENCED BY THE SIZE AND COMPLEXITY OF THE ENTITY, AS WELL AS THE NATURE OF THE ENTITY’S
INTERNAL CONTROL STRUCTURE.
A. NARRATIVES – A NARRATIVE IS A WRITTEN DESCRIPTION OF A PARTICULAR PHASE OR PHASES OF AN ACCOUNTING
SYSTEM. ALTHOUGH USEFUL FOR DESCRIBING UNCOMPLICATED SYSTEMS, NARRATIVES MAY BE
INAPPROPRIATE WHEN A SYSTEM IS COMPLEX OR FREQUENTLY REVISED.
B. INTERNAL CONTROL QUESTIONNAIRE – CONSISTS OF A SERIES OF QUESTIONS DESIGNED TO IDENTIFY CONTROL POINTS
AND TECHNIQUES AND DETECT CONTROL DEFICIENCIES. QUESTIONNAIRES REQUIRE ONE OF THE FOLLOWING RESPONSES:
YES – SUGGESTS SATISFACTORY CONTROL CONDITIONS
NO – SIGNALS POTENTIAL MATERIAL DEFICIENCIES THAT COULD LEAD TO MISSTATEMENTS IN THE FS, OR ILLEGAL ACTS
NOT APPLICABLE
C. FLOWCHARTS – CONSIST OF INTERRELATED SYMBOLS WHICH DIAGRAM THE FLOW OF TRANSACTIONS
AND EVENTS THROUGH A SYSTEM, OR PORTIONS THEREOF. WHEN PREPARING SYSTEMS FLOWCHARTS, AN
AUDITOR SHOULD STRIVE TO BE EFFICIENT, BY DISPLAYING OPERATIONS AS CONCISELY AS PRACTICABLE,
AND INFORMATIVE, BY CLEARLY INDICATING EMPLOYEE RESPONSIBILITIES AND DOCUMENT FLOW.
STEP 1: OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE

3. PERFORMING A TRANSACTION WALKTHROUGH


FOLLOWING DOCUMENTATION, A SINGLE TRANSACTION (OR A SMALL NUMBER OF TRANSACTIONS) FOR
EACH MAJOR SEGMENT OF THE INTERNAL CONTROL STRUCTURE IS SELECTED AND FOLLOWED, OR WALKED
THROUGH THE ACCOUNTING SYSTEM.
THE PURPOSE OF A WALKTHROUGH IS TO VERIFY NARRATIVE, QUESTIONNAIRE, AND /OR FLOWCHART
DOCUMENTATION AND TO FAMILIARIZE THE AUDITOR WITH THE AUDIT TRAIL.

THE RELATIONSHIP OF CONTROLS TO ASSERTIONS

Assertions about classes of transactions and events for the period under audit
a. Occurrence – transactions and events that have been recorded have occurred and pertain to the entity
b. Completeness – all transactions and events that should have been recorded have been recorded.
c. Accuracy – amounts and other data relating to recorded transactions and events have been recorded
appropriately.
d. Cutoff – transactions and events have been recorded in the correct accounting period
e. Classification – transactions and events have been recorded in the proper accounts.

Assertions about account balances at the period end


a. Existence – assets, liabilities, and equity interest exist.
b. Rights and obligations – the entity holds or controls the rights to assets, and liabilities are the obligations
of the entity.
c. Completeness – all assets, liabilities and equity interests that should have been recorded have been recorded.
d. Valuation and allocation - assets, liabilities and equity interests are included in the FS at appropriate
amounts and any resulting valuation or allocation adjustments are appropriately recorded.

Assertions about presentation and disclosure


a. Occurrence and rights and obligations – disclosed events, transactions, and other matters have occurred
and pertain to the entity.
b. Completeness – all disclosures that should have been included in the FS have been included.
c. Classification and understandability – financial information is appropriately presented and described,
and disclosures are clearly expressed.
d. Accuracy and valuation – financial and other information are disclosed fairly and at appropriate amounts.
STEP 2: MAKE A PRELIMINARY ASSESSMENT OF CONTROL RISK

IN ASSESSING CONTROL RISK, THE AUDITOR:


1. CONSIDERS THE ERRORS OR IRREGULARITIES THAT COULD OCCUR AND THAT COULD RESULT IN
MATERIAL MISSTATEMENTS IN THE FS
2. IDENTIFIES RELEVANT CONTROL PROCEDURES DESIGNED TO PREVENT THE ERRORS OR IRREGULARITIES
3. PERFORMS TESTS OF CONTROLS ON THE CONTROL PROCEDURES TO BE RELIED ON IN DESIGNING
SUBSTANTIVE TESTS

Pointers when assessing control risk


Control environment
1. The existence of a satisfactory control environment is not an absolute deterrent to fraud
2. The control environment in itself does not prevent, or detect and correct, material misstatements.

Risk assessment process


3. Note how management performs the risk assessment process
4. Consider the existence of material weaknesses in internal control

Information system and communication


a. There is the possibility of inappropriate override of controls over journal entries
b. Check the resolution of incorrectly processed transactions
c. Focus on communications with the audit committee, and with regulatory authorities

Control activities
1. The auditor’s primary consideration is whether, and how, a specific control activity prevents, or detects
and corrects, material misstatements
2. Consider the risks associated with information technology (IT)

Monitoring of controls

THERE ARE TWO POSSIBLE RISK ASSESSMENTS PERTAINING TO CONTROL RISK:


1. HIGH CONTROL RISK ASSESSMENT – WHEN THERE IS A HIGH LIKELIHOOD THAT SIGNIFICANT
MISSTATEMENTS EXIST IN THE FS BECAUSE INTERNAL CONTROLS ARE INADEQUATE AND CANNOT BE
RELIED UPON, FOR ALL OR CERTAIN AUDIT OBJECTIVES. THIS RESULTS FROM THE AUDITOR’S BELIEF
THAT CONTROL STRUCTURE POLICIES AND PROCEDURES HAVE NOT BEEN EFFECTIVELY DESIGNED OR
HAVE NOT OPERATED EFFECTIVELY.

2. LESS THAN HIGH CONTROL RISK ASSESSMENT – THE AUDITOR MUST BE ABLE TO IDENTIFY SPECIFIC
CONTROL STRUCTURE POLICIES AND PROCEDURES THAT ARE IN PLACE AND ARE LIKELY TO PREVENT
OR DETECT MATERIAL MISSTATEMENTS IN SPECIFIC FS ASSERTIONS, AND MUST TEST WHETHER
THOSE POLICIES AND PROCEDURES ARE DESIGNED AND OPERATING EFFECTIVELY.
STEP 3: DETERMINE THE APPROPRIATE RESPONSE TO THE ASSESSED RISKS

OVERALL RESPONSES
OVERALL RESPONSES THAT THE AUDITOR MAY CONSIDER INCLUDE:
1. EMPHASIZING TO THE AUDIT TEAM THE NEED TO MAINTAIN PROFESSIONAL SKEPTICISM IN GATHERING AND EVALUATING AUDIT EVIDENCE
2. ASSIGNING MORE EXPERIENCED STAFF OR THOSE WITH SPECIAL SKILLS, OR USING EXPERTS
3. PROVIDING MORE SUPERVISION
4. INCORPORATING ADDITIONAL ELEMENTS OF UNPREDICTABILITY IN THE SELECTION OF AUDIT PROCEDURES TO BE PERFORMED
5. MAKING GENERAL CHANGES TO THE NATURE, TIMING, OR EXTENT OF AUDIT PROCEDURES (E.G. PERFORMING SUBSTANTIVE PROCEDURES
AT THE PERIOD END INSTEAD OF AT AN INTERIM DATE, OR MODIFYING THE NATURE OF AUDIT PROCEDURES TO OBTAIN MORE PERSUASIVE
AUDIT EVIDENCE)
RESPONSES AT THE ASSERTION LEVEL
IF THE PRELIMINARY CONTROL RISK ASSESSMENT IS HIGH OR AT THE MAXIMUM LEVEL, THE RESPONSE AT
THE ASSERTION LEVEL WOULD BE TO ADOPT THE AUDIT APPROACH THAT RELIES PRIMARILY ON
SUBSTANTIVE TESTS (NO RELIANCE APPROACH). ACCORDINGLY, THE AUDITOR PROCEEDS TO STEP
FIVE (DETERMINE THE NATURE, EXTENT AND TIMING OF SUBSTANTIVE TESTS) AND ONLY SUBSTANTIVE TEST
AUDIT PROGRAMS ARE PREPARED.
IF THE PRELIMINARY ASSESSMENT OF CONTROL RISK IS LESS THAN HIGH (BELOW THE MAXIMUM), THE
AUDITOR ANTICIPATES USING THE RELIANCE APPROACH. ACCORDINGLY, TWO SETS OF AUDIT PROGRAMS
ARE PREPARED: TEST OF CONTROLS AUDIT PROGRAM AND SUBSTANTIVE TEST AUDIT PROGRAM.
THE AUDITOR SHOULD PERFORM TESTS OF CONTROLS TO OBTAIN SUFFICIENT APPROPRIATE AUDIT
EVIDENCE THAT THE CONTROLS WERE OPERATING EFFECTIVELY AT RELEVANT TIMES DURING THE PERIOD
UNDER AUDIT.
TESTS OF CONTROLS
TESTS OF CONTROLS ARE USED TO TEST EITHER THE EFFECTIVENESS OF THE DESIGN OR OPERATION OF A
CLIENT’S INTERNAL CONTROL POLICY OR PROCEDURE IN SUPPORT OF A “LESS THAN HIGH” CONTROL RISK
ASSESSMENT.
TESTS ARE APPLIED ONLY TO THOSE CONTROLS ON WHICH THE AUDITOR INTENDS TO RELY WHEN DESIGNING
SUBSTANTIVE TESTS OF ACCOUNT BALANCES. AN AUDITOR WOULD NOT RELY ON, AND THEREFORE NOT TEST, A
PARTICULAR CONTROL IF THE AUDIT EFFORT REQUIRED TO TEST THE CONTROL EXCEEDED THE REDUCTION IN
YEAR-END AUDIT EFFORT THAT COULD BE ACHIEVED BY RELIANCE.
NATURE OF TESTS OF CONTROL
THE TESTS GENERALLY CONSIST OF ONE, OR A COMBINATION, OF THE FOLLOWING PROCEDURES:
1. INQUIRY OF CLIENT PERSONNEL
2. OBSERVATION OF THE APPLICATION OF POLICIES AND PROCEDURES
3. INSPECTION (I.E. EXAMINATION OF DOCUMENTS)
4. REPERFORMANCE OR RECALCULATION
THE PROCEDURES USED IN TESTING CONTROLS SHOULD BE SUFFICIENTLY COMPREHENSIVE TO SUPPORT THE CONTROL RISK
ASSESSMENT.
TESTS BASED ON OBSERVATION, INQUIRY, AND EXAMINATION OF DOCUMENTS AND RECORDS OFTEN
PROVIDE SUFFICIENT EVIDENCE ABOUT THE OPERATING EFFECTIVENESS OF A CONTROL.
HOWEVER, IN SOME INSTANCES THE AUDITOR MAY ALSO HAVE TO REPERFORM THE APPLICATION OF A
CONTROL TO OBTAIN ADEQUATE EVIDENCE THAT IT IS OPERATING EFFECTIVELY.
WHEN THE AUDITOR BELIEVES A CONTROL IS SO SIGNIFICANT THAT FURTHER EVIDENCE OF ITS
EFFECTIVENESS IS NECESSARY, IT IS APPROPRIATE TO REPERFORM ITS APPLICATION.
EXAMPLE

• A BANK’S CONTROL DESIGNED TO ENSURE THE COMPLETENESS AND ACCURACY OF UPDATING A STANDING DATA FILE
OF INTEREST RATES MAY ENTAIL COMPARING AUTHORIZED CHANGES IN INTEREST RATES WITH THE DATA ON THE FILE
AFTER THE CHANGES HAVE BEEN INPUT. THAT CONTROL MAY BE SO SIGNIFICANT TO THE ACCURACY OF INTEREST
CHARGED TO LOAN CUSTOMERS THAT THE AUDITOR MAY WISH TO REPERFORM THE COMPARISON A FEW TIMES TO
GAIN ADDITIONAL EVIDENCE THAT IT IS OPERATING AS PRESCRIBED.
WHEN EXAMINING DOCUMENTATION, AN AUDITOR DOES NOT EXAMINE ALL OF THE TRANSACTIONS AND DETAILED
RECORDS RELATED TO THE CONTROLS TESTED, BUT SELECTS A SAMPLE FROM THE POPULATION OF ALL AVAILABLE
TRANSACTIONS OR RECORDS FOR THE PERIOD.
CONTROL DEVIATIONS
WHEN PERFORMING TESTS OF CONTROLS, AN AUDITOR MAY FIND DIFFERENCES BETWEEN WHAT WAS
EXPECTED, BASED ON THE DOCUMENTATION OBTAINED AND WHAT ACTUALLY OCCURRED.
FOR EXAMPLE, A VENDOR’S INVOICE MAY HAVE BEEN PAID WITHOUT THE ACCOUNTS PAYABLE MANAGER’S
INITIALS OF APPROVAL. SUCH DIFFERENCES ARE APPROPRIATELY CALLED EXCEPTIONS, DEVIATIONS, OR
OCCURRENCES, RATHER THAN ERRORS, BECAUSE AN EXCEPTION DOES NOT NECESSARILY MEAN THAT AN
ERROR HAS BEEN MADE IN THE ACCOUNTING RECORDS. THUS, THE FACT THAT A VENDOR’S INVOICE LACKS
APPROVING INITIALS DOES NOT NECESSARILY MEAN THAT THE INVOICE SHOULD NOT HAVE BEEN PAID.
TIMING OF TESTS OF CONTROLS


THE TIMING OF TESTS OF CONTROLS DEPENDS ON THE AUDITOR’S OBJECTIVE AND DETERMINES THE PERIOD
OF RELIANCE ON THOSE CONTROLS.
ANOTHER IMPORTANT TIMING MATTER IS HOW MUCH TO RELY ON TESTS OF PRIOR PERIODS AS EVIDENCE
THAT CONTROLS ARE EFFECTIVELY DESIGNED AND CONTINUE TO OPERATE EFFECTIVELY DURING THE
CURRENT AUDIT PERIOD.
EXTENT OF TESTS OF CONTROLS
THE MORE THE AUDITOR RELIES ON THE OPERATING EFFECTIVENESS OF CONTROLS IN THE ASSESSMENT OF
RISK, THE GREATER IS THE EXTENT OF THE AUDITOR’S TEST OF CONTROLS.
AS THE RATE OF EXPECTED DEVIATION FROM A CONTROL INCREASES, THE AUDITOR INCREASES THE EXTENT
OF TESTING OF THE CONTROL.
IF THE RATE OF DEVIATION IS EXPECTED TO BE TOO HIGH, THE AUDITOR MAY DETERMINE THAT
TESTS OF CONTROLS FOR A PARTICULAR ASSERTION MAY NOT BE EFFECTIVE.
STEP 4: REASSESS LEVEL OF CONTROL RISK

THE AUDITOR SHOULD EVALUATE WHETHER THE INTERNAL CONTROLS ARE DESIGNED AND OPERATING AS
CONTEMPLATED IN THE PRELIMINARY ASSESSMENT OF CONTROL RISK.
IF THE AUDITOR FINDS THAT THE RISK OF MATERIAL MISSTATEMENT FOR PARTICULAR AUDIT OBJECTIVES
IS HIGHER THAN ORIGINALLY EXPECTED, THE AUDITOR SHOULD RE-ASSESS THE LEVEL OF CONTROL RISK;
AND THE AUDITOR WILL HAVE TO RECONSIDER THE ASSURANCE NEEDED FROM SUBSTANTIVE TESTS.
IF THE TESTS OF CONTROLS REVEAL A DEPARTURE FROM, OR BREAKDOWN IN, PRESCRIBED CONTROLS, THE
AUDITOR SHOULD CONSIDER ITS CAUSE AND DOCUMENT THE CONCLUSIONS REACHED.

DOCUMENTATION REQUIREMENTS
DOCUMENTATION REQUIREMENTS DEPEND MAINLY ON THE CONTROL RISK ASSESSMENT. IF THE
ASSESSMENT IS HIGH OR AT THE MAXIMUM LEVEL, THE UNDERSTANDING OF INTERNAL CONTROLS AND THE
CONTROL RISK ASSESSMENT MUST BE DOCUMENTED.
STEP 5: DETERMINE THE NATURE, EXTENT AND TIMING OF
SUBSTANTIVE TESTS
IRRESPECTIVE OF THE ASSESSED RISK OF MATERIAL MISSTATEMENT, THE AUDITOR SHOULD DESIGN AND
PERFORM SUBSTANTIVE PROCEDURES FOR EACH MATERIAL CLASS OF TRANSACTIONS, ACCOUNT BALANCE,
AND DISCLOSURES.
THE ASSESSED LEVEL OF CONTROL RISK FOR AN ASSERTION HAS A DIRECT EFFECT ON THE DESIGN OF
SUBSTANTIVE TESTS. THE LOWER THE ASSESSED LEVEL OF CONTROL RISK, THE LESS EVIDENCE THE
AUDITOR NEEDS FROM SUBSTANTIVE TESTS.
THE AUDITOR’S CONTROL RISK ASSESSMENT INFLUENCES THE NATURE, EXTENT, AND TIMING OF
SUBSTANTIVE PROCEDURES TO BE PERFORMED.
DEFICIENCIES OF INTERNAL CONTROL

PSA 265, “COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANAGEMENT,” PROVIDES GUIDANCE ON HOW TO COMMUNICATE SIGNIFICANT INTERNAL CONTROL
DEFICIENCIES NOTED IN AN AUDIT OF FS. A DEFICIENCY IN INTERNAL CONTROL EXISTS WHEN:
A. A CONTROL IS DESIGNED, IMPLEMENTED OR OPERATED IN SUCH A WAY THAT IT IS UNABLE TO
PREVENT, OR DETECT AND CORRECT, MISSTATEMENTS IN THE FS ON A TIMELY BASIS; OR
B. A CONTROL NECESSARY TO PREVENT, OR DETECT AND CORRECT, MISSTATEMENTS IN THE FS ON A
TIMELY BASIS IS MISSING.

A SIGNIFICANT DEFICIENCY IN INTERNAL CONTROL IS A DEFICIENCY OR COMBINATION OF DEFICIENCIES IN
INTERNAL CONTROL THAT, IN THE AUDITOR’S PROFESSIONAL JUDGMENT, IS OF SUFFICIENT IMPORTANCE TO
MERIT THE ATTENTION OF THOSE CHARGED WITH GOVERNANCE.
THE AUDITOR SHALL COMMUNICATE IN WRITING SIGNIFICANT DEFICIENCIES IN INTERNAL CONTROL
IDENTIFIED DURING THE AUDIT TO THOSE CHARGED WITH GOVERNANCE ON A TIMELY BASIS.
THE AUDITOR SHALL INCLUDE IN THE WRITTEN COMMUNICATION OF SIGNIFICANT DEFICIENCIES IN INTERNAL
CONTROL:
a. A DESCRIPTION OF THE DEFICIENCIES AND AN EXPLANATION OF THEIR POTENTIAL EFFECTS; AND
b. SUFFICIENT INFORMATION TO ENABLE THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT TO
UNDERSTAND THE CONTEXT OF THE COMMUNICATION. IN PARTICULAR, THE AUDITOR SHALL EXPLAIN THAT:
1. THE PURPOSE OF THE AUDIT WAS FOR THE AUDITOR TO EXPRESS AN OPINION ON THE FS
2. THE AUDIT INCLUDED CONSIDERATION OF INTERNAL CONTROL RELEVANT TO THE PREPARATION OF THE FS IN ORDER
TO DESIGN AUDIT PROCEDURES THAT ARE APPROPRIATE IN THE CIRCUMSTANCES, BUT NOT FOR THE PURPOSE OF
EXPRESSING AN OPINION ON THE EFFECTIVENESS OF INTERNAL CONTROL; AND
3. THE MATTERS BEING REPORTED ARE LIMITED TO THOSE DEFICIENCIES THAT THE AUDITOR HAS IDENTIFIED DURING
THE AUDIT AND THAT THE AUDITOR HAS CONCLUDED ARE OF SUFFICIENT IMPORTANCE TO MERIT BEING REPORTED TO
THOSE CHARGED WITH GOVERNANCE.
EWRM – INTEGRATED FRAMEWORK

• EWRM ENCOMPASSES: ALIGNING RISK APPETITE AND STRATEGY, ENHANCING RISK RESPONSE
DECISIONS, REDUCING OPERATIONAL SURPRISES AND LOSSES, IDENTIFYING AND MANAGING MULTIPLE
AND CROSS-ENTERPRISE RISKS, SEIZING OPPORTUNITIES, AND IMPROVING DEPLOYMENT OF CAPITAL.
• THE 'COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION' ('COSO') IS A JOINT
INITIATIVE TO COMBAT CORPORATE FRAUD.

• THE COSO MODEL DEFINES INTERNAL CONTROL AS “A PROCESS EFFECTED BY AN ENTITY’S BOARD OF
DIRECTORS, MANAGEMENT AND OTHER PERSONNEL DESIGNED TO PROVIDE REASONABLE ASSURANCE OF
THE ACHIEVEMENT OF OBJECTIVES IN THE FOLLOWING CATEGORIES:”
• OPERATIONAL EFFECTIVENESS AND EFFICIENCY
• FINANCIAL REPORTING RELIABILITY
• APPLICABLE LAWS AND REGULATIONS COMPLIANCE
