OF INTERNAL CONTROL
PRESENTATION 2
LEARNING OBJECTIVES
• DEFINE INTERNAL CONTROL
• DISCUSS THE IMPORTANCE OF AN INTERNAL CONTROL SYSTEM
• IDENTIFY THE DIFFERENT COMPONENTS OF INTERNAL CONTROL
• DESCRIBE THE BASIC APPROACH TO PLANNING AN AUDIT BASED ON AN UNDERSTANDING OF INTERNAL
CONTROL
• DISCUSS THE TECHNIQUES THAT MAY BE USED TO DOCUMENT THE AUDITOR’S UNDERSTANDING OF AN
ENTITY’S INTERNAL CONTROL STRUCTURE
• DESCRIBE HOW CONTROL RISK IS ASSESSED, AND THE IMPLICATIONS OF THIS ASSESSMENT TO THE
REST OF THE FINANCIAL STATEMENT AUDIT PROCESS
• THE OBJECTIVE OF THE AUDITOR IS TO IDENTIFY AND ASSESS THE RISKS OF MATERIAL MISSTATEMENT,
WHETHER DUE TO FRAUD OR ERROR, AT THE FINANCIAL STATEMENT AND ASSERTION LEVELS, THROUGH
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT, INCLUDING THE ENTITY’S INTERNAL CONTROL,
THEREBY PROVIDING FOR DESIGNING AND IMPLEMENTING RESPONSES TO THE ASSESSED RISKS OF
MATERIAL MISSTATEMENT.
INTRODUCTION
• PSA 315 (REDRAFTED) PROVIDES THAT THE AUDITOR SHALL OBTAIN AN UNDERSTANDING OF INTERNAL
CONTROL RELEVANT TO THE AUDIT.
• INTERNAL CONTROL IS THE PROCESS DESIGNED AND EFFECTED BY THOSE CHARGED WITH GOVERNANCE, MANAGEMENT, AND
OTHER PERSONNEL TO PROVIDE REASONABLE ASSURANCE ABOUT THE ACHIEVEMENT OF THE ENTITY’S
OBJECTIVES WITH REGARD TO RELIABILITY OF FINANCIAL REPORTING, EFFECTIVENESS AND EFFICIENCY
OF OPERATIONS, AND COMPLIANCE WITH LAWS AND REGULATIONS.
• NO MATTER HOW WELL DESIGNED AND OPERATED, INTERNAL CONTROLS CAN PROVIDE ONLY
REASONABLE ASSURANCE TO MANAGEMENT AND THOSE CHARGED WITH GOVERNANCE REGARDING THE
ACHIEVEMENT OF AN ENTITY’S OBJECTIVES.
INTERNAL CONTROL IS GEARED TOWARDS THE
ACHIEVEMENT OF AN ENTITY’S OBJECTIVES
• OBJECTIVES FALL INTO THREE CATEGORIES: OPERATIONS, FINANCIAL REPORTING, AND COMPLIANCE.
• THIS CATEGORIZATION ALLOWS FOCUSING ON SEPARATE ASPECTS OF INTERNAL CONTROL.
• FOR EXAMPLE, OBJECTIVES COMMON TO VIRTUALLY ALL ENTITIES ARE ACHIEVING AND MAINTAINING A
POSITIVE REPUTATION WITHIN THE BUSINESS AND CONSUMER COMMUNITIES, PROVIDING RELIABLE
FINANCIAL STATEMENTS TO STAKEHOLDERS, AND OPERATING IN COMPLIANCE WITH LAWS AND
REGULATIONS.
WHAT IS AN INTERNAL CONTROL SYSTEM?
• AN INTERNAL CONTROL SYSTEM CONSISTS OF ALL THE POLICIES AND PROCEDURES (I.E. RELATED TO
INTERNAL CONTROL PROCESSES) ADOPTED BY THE MANAGEMENT OF AN ENTITY TO ASSIST IN ACHIEVING
MANAGEMENT’S OBJECTIVE OF ENSURING, AS FAR AS PRACTICABLE, THE ORDERLY AND EFFICIENT
CONDUCT OF ITS BUSINESS, INCLUDING ADHERENCE TO MANAGEMENT POLICIES, THE SAFEGUARDING OF
ASSETS, THE PREVENTION AND DETECTION OF FRAUD AND ERROR, THE ACCURACY AND COMPLETENESS
OF THE ACCOUNTING RECORDS, AND THE TIMELY PREPARATION OF RELIABLE FINANCIAL INFORMATION.
EXAMPLES OF ECONOMIC DECISIONS MADE BY
USERS OF FINANCIAL STATEMENTS
Operations: Relating to effective and efficient use of the entity’s resources. These pertain to
effectiveness and efficiency of the entity’s operations, including performance and
profitability goals and safeguarding resources against loss. They vary based on
management’s choices about structure and performance.
Financial Reporting: Relating to preparation of reliable published financial statements, including
prevention of fraudulent public financial reporting. They are driven primarily by external
requirements.
Compliance: Relating to the entity’s compliance with applicable laws and regulations. They are
dependent on external factors, such as environmental regulation, and tend to be similar
across all entities in some cases and across an industry in others.
COMPONENTS OF INTERNAL CONTROL
• THERE ARE FIVE INTER-RELATED COMPONENTS OF INTERNAL CONTROL
1. CONTROL ENVIRONMENT
2. RISK ASSESSMENT PROCESS
3. CONTROL ACTIVITIES
4. INFORMATION SYSTEM AND RELATED BUSINESS PROCESSES RELEVANT TO FINANCIAL REPORTING AND
COMMUNICATION
5. MONITORING OF CONTROLS
THE CONTROL ENVIRONMENT
• THE CONTROL ENVIRONMENT SETS THE TONE OF AN ORGANIZATION, INFLUENCING THE CONTROL CONSCIOUSNESS OF ITS
PEOPLE.
• IT IS THE FOUNDATION FOR ALL OTHER COMPONENTS OF INTERNAL CONTROL, PROVIDING DISCIPLINE AND STRUCTURE.
• THE PRIMARY RESPONSIBILITY FOR THE PREVENTION AND DETECTION OF FRAUD AND ERROR RESTS WITH BOTH THOSE
CHARGED WITH GOVERNANCE AND THE MANAGEMENT OF AN ENTITY.
• EFFECTIVELY CONTROLLED ENTITIES STRIVE TO HAVE COMPETENT PEOPLE, INSTILL AN ENTERPRISE-WIDE ATTITUDE OF
INTEGRITY AND CONTROL CONSCIOUSNESS, AND SET A POSITIVE TONE AT THE TOP.
• THEY ESTABLISH APPROPRIATE POLICIES AND PROCEDURES, OFTEN INCLUDING WRITTEN CODE OF CONDUCT, WHICH FOSTER
SHARED VALUES AND TEAMWORK IN PURSUIT OF THE ENTITY’S OBJECTIVES.
ELEMENTS OF THE CONTROL ENVIRONMENT
1. COMMUNICATION AND ENFORCEMENT OF INTEGRITY AND ETHICAL VALUES
2. COMMITMENT TO COMPETENCE
3. PARTICIPATION BY THOSE CHARGED WITH GOVERNANCE
4. MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
5. ORGANIZATIONAL STRUCTURE
6. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
7. HUMAN RESOURCES AND POLICIES AND PRACTICES
THE ENTITY’S RISK ASSESSMENT PROCESS
• AN ENTITY’S RISK ASSESSMENT PROCESS IS ITS PROCESS FOR IDENTIFYING AND RESPONDING TO BUSINESS RISKS
AND THE RESULTS THEREOF.
• MANAGEMENT MUST FOCUS CAREFULLY ON RISKS AT ALL LEVELS OF THE ENTITY AND TAKE THE
NECESSARY ACTIONS TO MANAGE THEM.
RISK IDENTIFICATION
• THESE EXTERNAL PARTIES INCLUDE POTENTIAL AND CURRENT SUPPLIERS, INVESTORS, CREDITORS,
SHAREHOLDERS, EMPLOYEES, CUSTOMERS, AS WELL AS PUBLIC BODIES AND NEWS MEDIA.
Examples of Economic Decisions Made by Users of Financial Statements
External Factors
1. Technological developments can affect the nature and timing of research and development,
or lead to changes in procurement.
2. Changing customer needs or expectations can affect product development, production process,
customer service, pricing or warranties.
3. New legislation and regulation can force changes in operating policies and strategies.
4. National catastrophes can lead to changes in operations or information systems and highlight
the need for contingency planning.
Internal Factors
1. A disruption in information systems processing can adversely affect the entity’s operations.
2. The quality of personnel hired and methods of training and motivation can influence the level of
control consciousness within the entity.
3. A change in management responsibilities can affect the way certain controls are effected.
4. The nature of the entity’s activities, and employee accessibility to assets, can contribute to
misappropriation of resources.
• INFORMATION DEVELOPED FROM INTERNAL AND EXTERNAL SOURCES, BOTH FINANCIAL AND NON-
FINANCIAL, IS RELEVANT TO ALL OBJECTIVES CATEGORIES.
INFORMATION QUALITY
• MODERN SYSTEMS OFTEN PROVIDE ON-LINE QUERY ABILITY, SO THAT THE FRESHEST INFORMATION IS
AVAILABLE ON REQUEST.
• IT IS CRITICAL THAT REPORTS CONTAIN ENOUGH APPROPRIATE DATA TO SUPPORT EFFECTIVE CONTROL.
• GUIDE OPERATIONS – QUALITY OF INFORMATION
1. CONTENT IS APPROPRIATE – IS THE NEEDED INFORMATION THERE?
2. INFORMATION IS TIMELY – IS IT THERE WHEN REQUIRED?
3. INFORMATION IS CURRENT – IS IT THE LATEST AVAILABLE?
4. INFORMATION IS ACCURATE – ARE THE DATA CORRECT?
5. INFORMATION IS ACCESSIBLE – CAN IT BE OBTAINED EASILY BY APPROPRIATE PARTIES?
• ALL OF THESE QUESTIONS MUST BE ADDRESSED BY THE SYSTEM DESIGN. IF NOT, IT IS PROBABLE THAT
THE SYSTEM WILL NOT PROVIDE THE INFORMATION THAT MANAGEMENT AND OTHER PERSONNEL
REQUIRE.
• BECAUSE HAVING THE RIGHT INFORMATION, ON TIME, AT THE RIGHT PLACE IS ESSENTIAL TO EFFECTING
CONTROL, AN INFORMATION SYSTEM, WHILE ITSELF A COMPONENT OF INTERNAL CONTROL, ALSO MUST
BE CONTROLLED.
COMMUNICATION
• INVOLVES PROVIDING AN UNDERSTANDING OF INDIVIDUAL ROLES AND RESPONSIBILITIES PERTAINING
TO INTERNAL CONTROL OVER FINANCIAL REPORTING.
• IT INCLUDES THE EXTENT TO WHICH PERSONNEL UNDERSTAND HOW THEIR ACTIVITIES IN THE FINANCIAL
REPORTING INFORMATION SYSTEM RELATE TO THE WORK OF OTHERS AND THE MEANS OF REPORTING
EXCEPTIONS TO AN APPROPRIATE HIGHER LEVEL WITHIN THE ENTITY.
• OPEN COMMUNICATION CHANNELS HELP ENSURE THAT EXCEPTIONS ARE REPORTED AND ACTED ON.
• COMMUNICATION TAKES SUCH FORMS AS POLICY MANUALS, ACCOUNTING AND FINANCIAL REPORTING
MANUALS, MEMORANDA, MANAGEMENT COMMITTEE OR DEPARTMENTAL, SUPERVISORY MEETINGS.
CONTROL ACTIVITIES
• CONTROL ACTIVITIES ARE POLICIES AND PROCEDURES, WHICH ARE THE ACTIONS OF PEOPLE TO IMPLEMENT THE POLICIES, TO
HELP ENSURE THAT MANAGEMENT DIRECTIVES IDENTIFIED AS NECESSARY TO ADDRESS RISKS ARE
CARRIED OUT.
• CONTROL ACTIVITIES OCCUR THROUGHOUT THE ORGANIZATION, AT ALL LEVELS AND IN ALL FUNCTIONS.
• CONTROL ACTIVITIES INCLUDE APPROVALS, AUTHORIZATIONS, VERIFICATIONS, RECONCILIATION,
REVIEWS OF OPERATING ASSETS, SECURITY OF ASSETS AND SEGREGATION OF DUTIES.
1. PERFORMANCE REVIEWS.
• REVIEWS AND ANALYSES OF ACTUAL PERFORMANCE VERSUS BUDGETS, FORECASTS, AND PRIOR PERIOD
PERFORMANCE;
• RELATING DIFFERENT SETS OF DATA – OPERATIONAL OR FINANCIAL – TO ONE ANOTHER, TOGETHER WITH
ANALYSES OF THE RELATIONSHIPS AND INVESTIGATIVE AND CORRECTIVE ACTIONS;
• COMPARING INTERNAL DATA WITH EXTERNAL SOURCES OF INFORMATION
• REVIEW OF FUNCTIONAL OR ACTIVITY PERFORMANCE, SUCH AS A BANK’S CONSUMER LOAN MANAGER’S
REVIEW OF REPORTS BY BRANCH, AND LOAN TYPE FOR LOAN APPROVALS AND COLLECTIONS.
2. INFORMATION PROCESSING.
• THESE CONTROLS ARE PERFORMED TO CHECK ACCURACY, COMPLETENESS, AND AUTHORIZATION OF
TRANSACTIONS. THE TWO BROAD GROUPINGS OF INFORMATION SYSTEMS CONTROL ACTIVITIES ARE GENERAL
IT-CONTROLS AND APPLICATION CONTROLS.
General IT Controls
Description: Policies and procedures that relate to many applications and
support the effective functioning of application controls by
helping to ensure the continued proper operation of information
systems.
Examples: Controls over data center and network operations; system
software acquisition, change and maintenance; access security;
and application system security acquisition, development and
maintenance.
Application Controls
Description: Controls that apply to the processing of individual applications.
These controls help ensure that transactions occurred, are
authorized, and are completely and accurately recorded and
processed.
Examples: Checking the arithmetical accuracy of records, maintaining and
reviewing accounts and trial balances, automated controls such
as edit checks of input data and numerical sequence of checks,
and manual follow-up of exception reports.
3. PHYSICAL CONTROLS - THESE ACTIVITIES ENCOMPASS THE PHYSICAL SECURITY OF ASSETS, INCLUDING
ADEQUATE SAFEGUARDS SUCH AS:
• SECURED FACILITIES OVER ACCESS TO ASSETS AND RECORDS;
• AUTHORIZATION FOR ACCESS TO COMPUTER PROGRAMS AND DATA FILES;
• PERIODIC COUNTING AND COMPARISON WITH AMOUNTS SHOWN ON CONTROL RECORDS (FOR EXAMPLE COMPARING
THE RESULTS OF CASH, SECURITY AND INVENTORY COUNTS WITH ACCOUNTING RECORDS).
4. SEGREGATION OF DUTIES.
• ASSIGNING DIFFERENT PEOPLE THE RESPONSIBILITIES OF AUTHORIZATION, RECORDING TRANSACTIONS, AND
MAINTAINING CUSTODY OF ASSETS IS INTENDED TO REDUCE THE OPPORTUNITIES TO ALLOW ANY PERSON TO
BE IN A POSITION TO BOTH PERPETRATE AND CONCEAL ERRORS OR FRAUD IN THE NORMAL COURSE OF THE
PERSON’S DUTIES.
POLICIES AND PROCEDURES
• CONTROL ACTIVITIES USUALLY INVOLVE TWO ELEMENTS: A POLICY ESTABLISHING WHAT SHOULD BE
DONE AND, SERVING AS A BASIS FOR THE SECOND ELEMENT, PROCEDURES TO IMPLEMENT THE POLICY.
• UNWRITTEN POLICIES CAN BE EFFECTIVE WHERE THE POLICY IS A LONG-STANDING AND WELL-
UNDERSTOOD PRACTICE, AND IN SMALLER ORGANIZATIONS WHERE COMMUNICATION CHANNELS
INVOLVE ONLY LIMITED MANAGEMENT LAYERS AND CLOSE INTERACTION AND SUPERVISION OF
PERSONNEL.
EVALUATION OF CONTROL ACTIVITIES
• AN EVALUATOR (E.G. INTERNAL AUDITOR OR EXTERNAL AUDITOR) WILL CONSIDER NOT ONLY WHETHER
ESTABLISHED CONTROL ACTIVITIES ARE RELEVANT TO THE RISK-ASSESSMENT PROCESS, BUT ALSO
WHETHER THEY ARE BEING APPLIED PROPERLY.
MONITORING OF CONTROLS
• MONITORING OF CONTROLS IS A PROCESS TO ASSESS THE QUALITY OF INTERNAL CONTROL PERFORMANCE OVER TIME. IT INVOLVES
ASSESSING THE DESIGN AND OPERATION OF CONTROLS ON A TIMELY BASIS AND TAKING NECESSARY
CORRECTIVE ACTIONS. MONITORING IS DONE TO ENSURE THAT CONTROLS CONTINUE TO OPERATE
EFFECTIVELY.
THE NEED TO MONITOR CONTROLS
• INTERNAL CONTROL SYSTEMS CHANGE OVER TIME. ACCORDINGLY, MANAGEMENT NEEDS TO DETERMINE
WHETHER THE INTERNAL CONTROL SYSTEM CONTINUES TO BE RELEVANT AND ABLE TO ADDRESS NEW
RISKS.
• THE PROCESS INVOLVES ASSESSMENT BY APPROPRIATE PERSONNEL OF THE DESIGN AND OPERATION OF
CONTROLS ON A SUITABLY TIMELY BASIS, AND THE TAKING OF NECESSARY ACTIONS.
• EXAMPLE
ARRIVAL OF NEW PERSONNEL, THE VARYING EFFECTIVENESS OF TRAINING AND SUPERVISION, TIME
AND RESOURCES CONSTRAINTS, NEW PHASING OF WORKING ENVIRONMENT
METHODS FOR MONITORING CONTROLS
• MONITORING CAN BE DONE IN TWO WAYS: THROUGH ONGOING ACTIVITIES OR SEPARATE EVALUATIONS.
Monitoring of Controls – Issues to consider
Ongoing Monitoring
1. Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system
of internal control continues to function.
2. Extent to which communications from external parties corroborate internally generated information or
indicate problems.
3. Periodic comparison of accounts recorded by the accounting system with physical assets.
4. Responsiveness to internal and external auditor recommendations on means to strengthen internal
controls.
5. Whether personnel are asked periodically to state whether they understand and comply with the entity’s
code of conduct and regularly perform critical control activities.
6. Effectiveness of internal audit activities.
Separate Evaluations
1. Scope and frequency of separate evaluations of the internal control systems.
2. Appropriateness of the evaluating process.
3. Whether the methodology for evaluating a system is logical and appropriate.
4. Appropriateness of the level of documentation.
Reporting Deficiencies
1. Existence of mechanism for capturing and reporting identified internal control deficiencies.
2. Appropriateness of reporting protocols and of follow-up actions.
INHERENT LIMITATIONS OF INTERNAL CONTROL
1. MANAGEMENT’S USUAL REQUIREMENT THAT A CONTROL BE COST EFFECTIVE, I.E. THAT THE COST OF A
CONTROL PROCEDURE NOT BE DISPROPORTIONATE TO THE POTENTIAL LOSS DUE TO FRAUD OR ERROR;
2. THE FACT THAT MOST CONTROLS TEND TO BE DIRECTED AT ANTICIPATED TYPES OF TRANSACTIONS
AND NOT AT UNUSUAL TRANSACTIONS; THE POTENTIAL FOR HUMAN ERROR DUE TO CARELESSNESS,
DISTRACTION, MISTAKES OF JUDGMENT OR THE MISUNDERSTANDING OF INSTRUCTIONS;
3. THE POSSIBILITY OF CIRCUMVENTION OF CONTROLS THROUGH COLLUSION WITH PARTIES OUTSIDE THE ENTITY
OR WITH EMPLOYEES OF THE ENTITY;
4. THE POSSIBILITY THAT A PERSON RESPONSIBLE FOR EXERCISING CONTROL COULD ABUSE THAT
RESPONSIBILITY, FOR EXAMPLE, A MEMBER OF MANAGEMENT OVERRIDING A CONTROL;
5. THE POSSIBILITY THAT PROCEDURES MAY BECOME INADEQUATE DUE TO CHANGES IN CONDITIONS AND
COMPLIANCE WITH PROCEDURES MAY DETERIORATE.
RELEVANCE OF CONTROLS TO THE AUDIT
• THE DESIGN OF INTERNAL CONTROLS AND THE MANNER IN WHICH THEY ARE IMPLEMENTED VARY WITH AN ENTITY’S SIZE
AND COMPLEXITY.
• SPECIFICALLY, SMALLER ENTITIES MAY USE LESS FORMAL MEANS AND SIMPLER PROCESSES AND
PROCEDURES TO ACHIEVE THEIR OBJECTIVES.
• FOR VERY SMALL ENTITIES, THE OWNER-MANAGER MAY PERFORM FUNCTIONS WHICH IN A LARGER
ENTITY WOULD BE REGARDED AS BELONGING TO SEVERAL OF THE COMPONENTS OF INTERNAL
CONTROL.
• AUDITORS SHOULD CONSIDER THAT CONTROLS THAT ARE RELEVANT TO AN AUDIT PERTAIN TO THE
ENTITY’S OBJECTIVE OF PREPARING FINANCIAL STATEMENTS FOR EXTERNAL PURPOSES THAT ARE
PRESENTED FAIRLY, IN ALL MATERIAL RESPECTS, IN ACCORDANCE WITH THE APPLICABLE FINANCIAL
REPORTING FRAMEWORK AND THE MANAGEMENT OF RISK THAT MAY GIVE RISE TO A MATERIAL
MISSTATEMENT IN THOSE FINANCIAL STATEMENTS.
Assertions about classes of transactions and events for the period under audit
a. Occurrence – transactions and events that have been recorded have occurred and pertain to the entity.
b. Completeness – all transactions and events that should have been recorded have been recorded.
c. Accuracy – amounts and other data relating to recorded transactions and events have been recorded
appropriately.
d. Cutoff – transactions and events have been recorded in the correct accounting period.
e. Classification – transactions and events have been recorded in the proper accounts.
STEP 1: OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL STRUCTURE
Control activities
1. The auditor’s primary consideration is whether, and how, a specific control activity prevents, or detects
and corrects, material misstatements.
2. Consider the risks associated with information technology (IT)
Monitoring of controls
STEP 2: MAKE A PRELIMINARY ASSESSMENT OF CONTROL RISK
OVERALL RESPONSES
OVERALL RESPONSES THAT THE AUDITOR MAY CONSIDER INCLUDE:
1. EMPHASIZING TO THE AUDIT TEAM THE NEED TO MAINTAIN PROFESSIONAL SKEPTICISM IN GATHERING AND EVALUATING AUDIT EVIDENCE
2. ASSIGNING MORE EXPERIENCED STAFF OR THOSE WITH SPECIAL SKILLS OR USING EXPERTS
3. PROVIDING MORE SUPERVISION
4. INCORPORATING ADDITIONAL ELEMENTS OF UNPREDICTABILITY IN THE SELECTION OF AUDIT PROCEDURES TO BE PERFORMED
5. MAKING GENERAL CHANGES TO THE NATURE, TIMING, OR EXTENT OF AUDIT PROCEDURES (E.G. PERFORMING SUBSTANTIVE PROCEDURES
AT THE PERIOD END INSTEAD OF AT AN INTERIM DATE, OR MODIFYING THE NATURE OF AUDIT PROCEDURES TO OBTAIN MORE PERSUASIVE
AUDIT EVIDENCE)
STEP 3: DETERMINE THE APPROPRIATE RESPONSE TO THE ASSESSED RISKS
OVERALL RESPONSES
RESPONSES AT THE ASSERTION LEVEL
IF THE PRELIMINARY CONTROL RISK ASSESSMENT IS HIGH OR AT THE MAXIMUM LEVEL, THE RESPONSE AT
THE ASSERTION LEVEL WOULD BE TO ADOPT THE AUDIT APPROACH THAT RELIES PRIMARILY ON
SUBSTANTIVE TESTS (NO RELIANCE APPROACH). ACCORDINGLY, THE AUDITOR PROCEEDS TO STEP
FIVE (DETERMINE THE NATURE, EXTENT AND TIMING OF SUBSTANTIVE TESTS) AND ONLY SUBSTANTIVE TEST
AUDIT PROGRAMS ARE PREPARED.
IF THE PRELIMINARY ASSESSMENT OF CONTROL RISK IS LESS THAN HIGH (BELOW THE MAXIMUM), THE
AUDITOR ANTICIPATES USING THE RELIANCE APPROACH. ACCORDINGLY, TWO SETS OF AUDIT PROGRAMS
ARE PREPARED: TEST OF CONTROLS AUDIT PROGRAM AND SUBSTANTIVE TEST AUDIT PROGRAM.
THE AUDITOR SHOULD PERFORM TESTS OF CONTROLS TO OBTAIN SUFFICIENT APPROPRIATE AUDIT
EVIDENCE THAT THE CONTROLS WERE OPERATING EFFECTIVELY AT RELEVANT TIMES DURING THE PERIOD
UNDER AUDIT.
TESTS OF CONTROLS
TESTS OF CONTROLS ARE USED TO TEST EITHER THE EFFECTIVENESS OF THE DESIGN OR OPERATION OF A
CLIENT’S INTERNAL CONTROL POLICY OR PROCEDURE IN SUPPORT OF A “LESS THAN HIGH” CONTROL RISK
ASSESSMENT.
TESTS ARE APPLIED ONLY TO THOSE CONTROLS ON WHICH THE AUDITOR INTENDS TO RELY WHEN DESIGNING
SUBSTANTIVE TESTS OF ACCOUNT BALANCES. AN AUDITOR WOULD NOT RELY ON, AND THEREFORE NOT TEST, A
PARTICULAR CONTROL IF THE AUDIT EFFORT REQUIRED TO TEST THE CONTROL EXCEEDED THE REDUCTION IN
YEAR-END AUDIT EFFORT THAT COULD BE ACHIEVED BY RELIANCE.
NATURE OF TESTS OF CONTROL
THE TESTS GENERALLY CONSIST OF ONE, OR A COMBINATION, OF THE FOLLOWING PROCEDURES:
1. INQUIRY OF CLIENT PERSONNEL
2. OBSERVATION OF THE APPLICATION OF POLICIES AND PROCEDURES
3. INSPECTION (I.E. EXAMINATION OF DOCUMENTS)
4. REPERFORMANCE OR RECALCULATION
THE PROCEDURES USED IN TESTING CONTROLS SHOULD BE SUFFICIENTLY COMPREHENSIVE TO SUPPORT THE CONTROL RISK
ASSESSMENT.
TESTS BASED ON OBSERVATION, INQUIRY, AND EXAMINATION OF DOCUMENTS AND RECORDS OFTEN
PROVIDE SUFFICIENT EVIDENCE ABOUT THE OPERATING EFFECTIVENESS OF A CONTROL.
HOWEVER, IN SOME INSTANCES THE AUDITOR ALSO MAY HAVE TO REPERFORM THE APPLICATION OF A
CONTROL TO OBTAIN ADEQUATE EVIDENCE THAT IT IS OPERATING EFFECTIVELY.
WHEN THE AUDITOR BELIEVES A CONTROL IS SO SIGNIFICANT THAT FURTHER EVIDENCE OF ITS
EFFECTIVENESS IS NECESSARY, IT IS APPROPRIATE TO REPERFORM ITS APPLICATION.
EXAMPLE
• A BANK’S CONTROL DESIGNED TO ENSURE THE COMPLETENESS AND ACCURACY OF UPDATING A STANDING DATA FILE
OF INTEREST RATES MAY ENTAIL COMPARING AUTHORIZED CHANGES IN INTEREST RATES WITH THE DATA ON THE FILE
AFTER THE CHANGES HAVE BEEN INPUTTED. THAT CONTROL MAY BE SO SIGNIFICANT TO THE ACCURACY OF INTEREST
CHARGED TO LOAN CUSTOMERS THAT THE AUDITOR MAY WISH TO REPERFORM THE COMPARISON A FEW TIMES TO
GAIN ADDITIONAL EVIDENCE THAT IT IS OPERATING AS PRESCRIBED.
WHEN EXAMINING DOCUMENTATION, AN AUDITOR DOES NOT EXAMINE ALL OF THE TRANSACTIONS AND DETAILED
RECORDS RELATED TO THE CONTROLS TESTED, BUT SELECTS A SAMPLE FROM THE POPULATION OF ALL AVAILABLE
TRANSACTIONS OR RECORDS FOR THE PERIOD.
CONTROL DEVIATIONS
WHEN PERFORMING TESTS OF CONTROLS, AN AUDITOR MAY FIND DIFFERENCES BETWEEN WHAT WAS
EXPECTED, BASED ON THE DOCUMENTATION OBTAINED AND WHAT ACTUALLY OCCURRED.
FOR EXAMPLE, A VENDOR’S INVOICE MAY HAVE BEEN PAID WITHOUT THE ACCOUNTS PAYABLE MANAGER’S
INITIALS OF APPROVAL. SUCH DIFFERENCES ARE APPROPRIATELY CALLED EXCEPTIONS, DEVIATIONS, OR
OCCURRENCES, RATHER THAN ERRORS, BECAUSE AN EXCEPTION DOES NOT NECESSARILY MEAN THAT AN
ERROR HAD BEEN MADE IN THE ACCOUNTING RECORDS. THUS, THE FACT THAT A VENDOR’S INVOICE LACKS
APPROVING INITIALS DOES NOT NECESSARILY MEAN THAT THE INVOICE SHOULD NOT HAVE BEEN PAID.
THE AUDITOR SHOULD EVALUATE WHETHER THE INTERNAL CONTROLS ARE DESIGNED AND OPERATING AS
CONTEMPLATED IN THE PRELIMINARY ASSESSMENT OF CONTROL RISK.
IF THE AUDITOR FINDS THAT THE RISK OF MATERIAL MISSTATEMENT FOR PARTICULAR AUDIT OBJECTIVES
IS HIGHER THAN ORIGINALLY EXPECTED, THE AUDITOR SHOULD RE-ASSESS THE LEVEL OF CONTROL RISK;
AND THE AUDITOR WILL HAVE TO RECONSIDER THE ASSURANCE NEEDED FROM SUBSTANTIVE TESTS.
IF THE TESTS OF CONTROLS REVEAL A DEPARTURE FROM, OR BREAKDOWN IN, PRESCRIBED CONTROLS, THE
AUDITOR SHOULD CONSIDER ITS CAUSE AND DOCUMENT THE CONCLUSIONS REACHED.
STEP 4: REASSESS LEVEL OF CONTROL RISK
DOCUMENTATION REQUIREMENTS
DOCUMENTATION REQUIREMENTS DEPEND MAINLY ON THE CONTROL RISK ASSESSMENT. IF THE
ASSESSMENT IS HIGH OR AT THE MAXIMUM LEVEL, THE UNDERSTANDING OF INTERNAL CONTROLS AND THE
CONTROL RISK ASSESSMENT MUST BE DOCUMENTED.
STEP 5: DETERMINE THE NATURE, EXTENT AND TIMING OF
SUBSTANTIVE TESTS
IRRESPECTIVE OF THE ASSESSED RISK OF MATERIAL MISSTATEMENT, THE AUDITOR SHOULD DESIGN AND
PERFORM SUBSTANTIVE PROCEDURES FOR EACH MATERIAL CLASS OF TRANSACTIONS, ACCOUNT BALANCE,
AND DISCLOSURES.
THE ASSESSED LEVEL OF CONTROL RISK FOR AN ASSERTION HAS A DIRECT EFFECT ON THE DESIGN OF
SUBSTANTIVE TESTS. THE LOWER THE ASSESSED LEVEL OF CONTROL RISK, THE LESS EVIDENCE THE
AUDITOR NEEDS FROM SUBSTANTIVE TESTS.
THE AUDITOR’S CONTROL RISK ASSESSMENT INFLUENCES THE NATURE, EXTENT, AND TIMING OF
SUBSTANTIVE PROCEDURES TO BE PERFORMED.
DEFICIENCIES OF INTERNAL CONTROL
PSA 265, COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANAGEMENT, PROVIDES GUIDANCE ON HOW TO COMMUNICATE SIGNIFICANT INTERNAL CONTROL
DEFICIENCIES NOTED IN AN AUDIT OF FS. A DEFICIENCY IN INTERNAL CONTROL EXISTS WHEN:
A. A CONTROL IS DESIGNED, IMPLEMENTED OR OPERATED IN SUCH A WAY THAT IT IS UNABLE TO
PREVENT, OR DETECT AND CORRECT, MISSTATEMENTS IN THE FS ON A TIMELY BASIS;
B. A CONTROL NECESSARY TO PREVENT, OR DETECT AND CORRECT, MISSTATEMENTS IN THE FS ON A
TIMELY BASIS IS MISSING.
DEFICIENCIES OF INTERNAL CONTROL
• EWRM ENCOMPASSES: ALIGNING RISK APPETITE AND STRATEGY, ENHANCING RISK RESPONSE
DECISIONS, REDUCING OPERATIONAL SURPRISES AND LOSSES, IDENTIFYING AND MANAGING MULTIPLE
AND CROSS-ENTERPRISE RISKS, SEIZING OPPORTUNITIES, AND IMPROVING DEPLOYMENT OF CAPITAL.
EWRM – INTEGRATED FRAMEWORK
• THE 'COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION' ('COSO') IS A JOINT
INITIATIVE TO COMBAT CORPORATE FRAUD.
• THE COSO MODEL DEFINES INTERNAL CONTROL AS “A PROCESS EFFECTED BY AN ENTITY’S BOARD OF
DIRECTORS, MANAGEMENT AND OTHER PERSONNEL DESIGNED TO PROVIDE REASONABLE ASSURANCE OF
THE ACHIEVEMENT OF OBJECTIVES IN THE FOLLOWING CATEGORIES:
• OPERATIONAL EFFECTIVENESS AND EFFICIENCY
• FINANCIAL REPORTING RELIABILITY
• APPLICABLE LAWS AND REGULATIONS COMPLIANCE”