Chapter Four: internal Control

4.1 Introduction
4.2 The Meaning Of Internal Control
4.3 Means Of Achieving Internal Control
4.4 The Control Environment
4.5 Risk Assessment
4.6 Control Activities

4.7 Limitations Of Internal Control

4.8 The Auditors' Consideration Of Internal Control

1
 4.1 Introduction
three major objectives:
 1st , to explain the meaning and significance of internal control
 2nd , to discuss the major components of a client's internal control structure
 3rd , to show how auditors go about obtaining an understanding of internal con-
trol to meet the requirements of the second standard of field work.
 As discussed in principles of accounting courses, internal control has attained
greatest significance in large-scale business organizations.
 Accordingly, dealing with the problem of achieving internal control in a small
business.

2
 4.2 The Meaning Of Internal Control
 D/nces of opinion have long existed about meaning & objectives of internal control.

 Many people interpret the term internal control as the steps taken by a business to
prevent fraud-both employee fraud and fraudulent financial reporting.
 Others, while acknowledging the importance of internal control for fraud preven-
tion, believe that internal control has an equal role in assuring control over manufac-
turing and other processes.
 Such d/nces in interpretation also exist in the professional publications issued by the
AICPA, the Institute of Internal Auditors, Inc—and the Research Foundation of the
Financial Executives Institute.
 1990 and then that the various professional Organizations worked together to de-
velop a consensus on the nature and scope of internal control. 3
 Cont’d …..
 As a result of a number of instances of fraudulent financial reporting in the 1970 s

and early 1980s, the major accounting organizations' sponsored the National Com-

mission on Fraudulent Financial Reporting (the Tread way Commission) to study

the causal factors that are associated with fraudulent reporting, and to make recom-

mendations to reduce its incidence.

 The Commission made a number of recommendations that directly addressed inter-

nal control.

 For ex, it emphasized the importance of a competent and involved audit committee,

an active and objective of internal audit function in preventing fraudulent practices.

4
 Cont’d ……
 It also called on the sponsoring organization to work together to integrate the

various internal control concepts and definitions to develop common criteria to

evaluate internal control.

 As result, Committee of Sponsoring Organizations (COSO) commissioned a

study for that purpose, and its report, titled Internal Control-Integrated Frame-

work, was issued in 1992.

The purposes of the study are to:

 Establish a common definition of internal control to serve needs of d/nt parties.

 Provide a standard against which business and other entities can assess their con-

trol systems and determine how to improve them.

5
 cont’d ……..
 A Process is effected by the entity's board of directors, management, and other

personnel, designed to provide reasonable assurance regarding the achieve-

ment of objectives in the following categories:

 Effectiveness and efficiency of operations.

 Reliability of financial reporting.

 Compliance with applicable laws and regulations.

6
 The Study Defines Internal Control As:
 This definition is important to auditors b/se it is being incorporated into the State-

ments on Auditing Standards that govern the auditors' consideration of internal

control.
 COSO's definition of internal control (IC) emphasizes that internal control is a

process, or a means to an end and not an end in and of itself.

 process is effected by individuals, not merely policy manuals, documents & forms.

 By including the concept of reasonable assurance, the definition recognizes that no

IC structure can realistically provide absolute assurance that an organization's ob-

jectives will be achieved.

 Reasonable assurance recognizes that the cost of an organization's internal control
7
 Cont’d ….
 Finally, the definition of internal control is comprehensive in that it addresses
the achievement of objectives in the areas of operations, financial reporting,
and compliance with laws and regulations.
 It includes the methods by which top management delegates authority and as-
signs responsibility for such functions as selling, purchasing, accounting, and
production.
 Internal control also includes the program for preparing, verifying, and dis-
tributing to various levels of management those current reports and analyses
that enable executives to maintain control over the variety of activities and
functions that are used by a large organization.

8
 Cont’d ….
 The use of budgetary techniques, production standards, inspection labo-
ratories, time and motion studies, and employee training programs in-
volves engineers and many others far removed from accounting and fi-
nancial activities: yet all of these devices are a part of internal control.
 Although internal control is broadly defined, not all of the internal con-
trol structure policies and procedures are relevant to an audit of financial
statements.
 Generally, the internal control structure policies and procedures that are
relevant to an audit are those that pertain (relate ) to the reliability of fi-
nancial reporting.
9
 Cont’d …..
 That is, those that affects the preparation of financial information for external

reporting purposes. However, other policies and procedures may be relevant if

they affect the reliability of data that the auditors use to apply auditing proce-

dures.

 For ex, controls applicable to no financial data that the auditors use in perform-

ing analytical procedures (e.g. production statistics) may be relevant to an au-

dit.

 Also, internal control structure policies and procedures designed to safeguard

assets against loss from errors and irregularities are ordinarily relevant to an

audit.
10
4.3 Means Of Achieving Internal Control
 For purposes of financial statement audits, the policies and procedures

used by an entity to achieve internal control are referred to as the entity's

internal control structure,

 internal control structures vary significantly from one organization to the

next, Depending on such factors as the size, nature of operations, and ob-

jectives of the organization for which the structure was designed.

 Yet certain features are essential to satisfactory internal control in almost

any large-scale organization.

11
 Five Components of internal control
The internal control structures of all large organizations include five
components:
(1) The Control Environment
(2) Risk Assessment
(3) The (Accounting) Information And Communication System;
(4) Control Activities
(5) Monitoring.

12
 1. The Control Environment
 The control environment sets the tone (quality) of an organization by in-
fluencing the control consciousness of people.
 It may be viewed as the foundation for the other components of internal
control.
Control environment factors include:-
 Integrity and Ethical Values:
 Commitment to Competence:
 Board Of Directors or Audit Committee;
 Management's Philosophy and Operating Style:
 Organizational Structure:
 Human Resource Policies and Practices:
 Assignment Of Authority and Responsibility.
13
 Integrity and Ethical Values

 The effectiveness of the internal control structure depends directly upon the in-

tegrity and ethical values of the personnel who are responsible for creating,

administrating, and monitoring that structure.

 Management should establish behavioral and ethical standards that discourage

employees from engaging in dishonest, unethical, or illegal acts

 To be effective, these standards must be effectively communicated by appropri-

ating means including official policies, cods of conduct, and by instance.

 Another way to reduce the incidence of improper behavior is to remove or reduce the
temptations and incentives to engage in such behavior of preparing fraudulent financial
reporting and has placed under undue pressure to meet unrealistic performance goals

14
 Commitment to Competence

 To be considered competent, employees must possess the skills and knowledge

essential to the performance of their job.

 If employees are lacking in skills or knowledge, they may be ineffective in per-

forming their assigned duties.

 This is especially critical when the employees are involved in applying internal
control policies and procedures.

 Ideally management should be committed to hiring employees with appropriate

levels of education and experience, and providing them with adequate supervi-
sion and training.

15
Board of Directors or Audit Committee
 The control environment of an organization is significantly influenced by the ef-
fectiveness of its board of directors or the audit committee.
 Factors that bear on the effectiveness of the board or audit committee include
the extent of its independence from management, the experience and stature of
its members, the extent to which it raises and pursues difficult questions with
management, and its interaction with the internal and external auditors.
 the audit committee of the board of directors should be composed of neither
outside directors, who are neither officers nor employees of the organization.
 This enables the audit committee to be effective at overseeing the quality of the
organization's financial reports, and acting as a deterrent to management over-
ride of internal controls and to management fraud.

16
Management Philosophy and Operating Style
 Mgmts differ in both their philosophies toward F/reporting and their attitudes

toward taking business risks.

 Some mgmt is extremely aggressive in F/reporting & place great emphasis ex-

ceeding earnings projections & may be willing to undertake activities of high

risk with prospect of high return but Other may be conservative & risk averse.
 These differing philosophies and operating styles may have an impact on the

overall reliability of the financial statements.

 Internal controls in an informal organization are often implemented by face-to-
face contact between employees and management.
 A more formal organization will establish written policies, performance reports,
and exception reports to control its various activities.
17
 Organizational Structure

 Another control environment factor is entity's Organizational structure.

 A well-designed organizational structure provides a basis for planning, direct-

ing, and controlling operation.

 It divides authority, responsibilities, and duties among members of an organi-

zation by dealing with such issues as decision making and appropriate segre-

gation of duties among the various departments.

 When mgmt decision making is centralized and dominated by one individual,

that individual's moral character is extremely important to the auditors.

 When a decentralized style is used, procedures to monitor the decision making

of the many managers involved become equally important

18
 The organizational structure of an entity should separate responsibilities for
• (1) authorization of transactions,
• (2) record keeping for transactions, and
• (3) custody of assets.
 In addition to the extent possible, execution of the transaction should be segre-
gated from these other responsibilities.
 The effectiveness of such structure is usually obtained by having designated de-
partment heads who are evaluated on the major departments should be of equal
rank and should report directly to the president or to an executive vice president.

19
Responsibilities of Finance and Accounting Departments

 Finance and accounting are the two departments most directly involved in the financial af-

fairs of a business enterprise.

 The division of responsibilities between these departments illustrates the separation of the

accounting function from operations and also from the custody of assets.

 the finance departments are responsible for financial operations and custody of liquid as-

sets.

 include planning future cash requirements, establishing customer credit policies, and ar-

ranging to meet the short-and long-term financing needs of the business

 In short, it is the finance department that conducts financial activities.

 The accounting department, under the authority of the controller, is responsible for all ac-

counting functions and the design and implementation of internal control.

20
 Human Resource Policies and Procedures
 Ultimately, the effectiveness of an internal control structure is affected by the

characteristics of the organization's personnel.

 Thus, management's policies and practices for hiring, training, evaluating, pro-

moting, and compensating employees have a significant effect on the effective-

ness of the control environment.

 Effective human resource policies often can mitigate other weaknesses in the

control environment.

 Effective human resource management is not a guarantee against losses from

dishonest employees and is often the most trusted employees who engineer

large embezzlements.
21
 Assignment of Authority and Responsibility

 Personnel within an organization need to have a clear understanding of their re-

sponsibilities and the rules and regulations that govern their action.

 Therefore, to enhance the control environment, management develops em-

ployee job descriptions and clearly defines authority and responsibility within

the organization.

 Policies also may be established describing appropriate business practices,

knowledge and experience of key personnel, and the use of resources.

22
 2. Risk Assessment
 When considering the F/reporting objective, these risks include the
threats to preparing financial statements in accordance with generally ac-
cepted accounting principles.
For ex, the following factors might be indicative of increased financial re-
porting risk:
 Changes in the organization's regulatory or operating environment
 Changes in personnel.
 Implementation of a new modified information system.
 Rapid growth of the organizationChanges in technology affecting
production process or information systems.
 Introduction of new lines of business, products, or processes.
 Auditors are concerned only with the levels of inherent risk and control
risk that affect the organization's ability to produce F/statements that are
in accordance with GAAPs
23
3. Accounting Information & Communication System
 Information and communication systems capture, process, and report informa-
tion to be used by parties both within and outside the organization.
 An organization's accounting information system consists of the methods and
records established to identify, assemble, analyze, classify, record, and report an
entity's transactions and to maintain accountability for the related assets.
Accordingly, an accounting information system should:
 Identify and record all valid transactions.
 Describe transactions on a timely basis in detail to permit proper classifica-
tion for F/reporting.
 Measure value of transactions in a manner that permits recording their
proper monetary value
 Determine the time period in which transactions occurred
 Present properly the transactions and related disclosures in the F/state-
ments.

24
 Conted …….
 In addition to the typical system of journal, ledgers, and other record keeping

devices, an accounting information system should include a chart of accounts

and manual of accounting policies and procedures as aids for communication

of polices.
 A chart of accounts is a classified listing of all accounts in use accompanied by

detailed descriptions of the purpose and content of each.

 chart accounts and manual of accounting policies and procedures should pro-

vide clear guidance that will allow proper and uniform handling of transac-

tions.
 Personnel that process information should understand how their activities re-
late to the work of others, and the importance of reporting exceptions and
other unusual items to an appropriate level of management. 25
 4. Control Activities
 Control activities are policies and procedures that help to ensure
the management directives are carried out.
 Those policies and procedures help to ensure that the actions are
taken to address the risks that face the organization.
 While there are many different types control activities performed
in an organization, only the following type are generally relevant
to an audit of the organization's financial statements:
 Performance reviews.
Information processing.
Physical controls.
Segregation of duties.

26
 Performance Reviews
These controls include:
 reviews of actual performance as compared to budgets, and
forecasts
 prior period performance; relating different sets of data to one
another;
 performing overall reviews of performance reviews
 provide management with an overall indication whether person-
nel at various levels are effectively pursuing the objectives of
the organization.
 By investigating the reasons for unexpected performance, man-
agement may make timely changes in strategies and plans, or
take other appropriate corrective action.

27
 Information Processing
 A variety of control activities are performed to check the accu-
racy, completeness, and authorization of transactions.
 The two broad categories of information processing controls in-
clude general controls, which apply to all information-processing
activities, and application controls, which apply only to a single
application.
 For example, general controls include those that restrict access to
the entire accounting information system.
 To understand the nature of application controls. Consider the
controls over payroll that help to ensure that (1) only authorized
payroll transactions are processed, and (2) authorized payroll
transactions are processed completely and accurately

28
 Contd’ …………
 An important aspect of information processing controls is the
proper authorization of all types of transactions. Authoriza-
tion of transactions may be either general or specific.
 General authorization occurs when management establishes
criteria for acceptance of a certain type of transaction.
 For example, top management may establish general price
lists and credit policies for new customers.
Transactions with customers that meet these criteria can then be
approved by the credit department.
 Specific authorization occurs when transactions are autho-
rized on an individual basis.

29
 An internal control device of wide applicability is the use of serial numbers on

documents. Serial number of provide control over the number of documents is-

sued.

 Checks, tickets, sales invoices, purchase order, stock certificates, and many

other business papers can be controlled by using serial numbers

 For some documents such as checks, it may be desirable to account for the se-

quence used by a monthly or weekly inspection of the documents issued.

 For other documents, as in the case of serially numbered admission tickets, con-

trol may be achieve by noting the last serial number issued each day, and

thereby computing the total value of tickets issued during the day
30
 Physical Control

 These control activities include the physical over both records

and other assets.
 Safeguarding of records may include maintaining control at all
times over issued pre-numbered documents, as well as other jour-
nals and ledgers, and restricting access to computer programs and
data files.
 Only individuals who are authorized should be allowed access to
the company's assets.
 Direct Physical access to assets may be controlled through the use
of safes, locks, fences, and guards
 Periodic comparisons should be made between accounting
records and the physical assets on hand.

31
 Segregation of Duties
 no one dept. or person should handle all aspects of a transaction
from beginning end.
 no one individual should perform more than one functions (autho-
rizing transactions, recording transactions, and maintaining cus-
tody over asset)
 Top management may authorize the sale of merchandise at speci-
fied credit terms to customers who meet certain requirements.
 credit dept may approve the sales transactions by ascertaining that
the extension of credit and terms of sale are in compliance with
company policies.
 once the sale is approved, the shipping dept executes the transac-
tion by obtaining custody of the merchandise from the inventory
stores dept and shipping it to the customer.
 Accounting dept uses copies of documentation created by the
sales, credit, and shipping departments as a basis for recording the
transaction and billing the customer.
32
4.7 Limitations Of Internal Control
 Internal control can do to protect against both errors and irregular-
ities and ensure the reliability of accounting data.
 Still, there is existence of inherent limitations in any internal con-
trol structure, Mistakes may be made in the performance of inter-
nal control policies and procedures
 as a result there is misunderstanding of instructions, mistakes of
Judgment, carelessness, distraction, or fatigue,
 Finally, control activities dependent upon separation of duties may
be circumvented by collusion among employees.
 The extent of the internal controls adopted by a business also is
limited by cost considerations.
 It is not feasible from a cost standpoint to establish a control struc-
ture that provides absolute protection from fraud and waste; rea-
sonable assurance in this regard is the best that generally can be
achieved. 33
4.8 The Auditors' Consideration Of Internal Control
 The second standard of fieldwork states: A Sufficient understanding of the in-
ternal control structure is to be obtained to plan the audit and to determine the
nature, timing, and extent of the tests to be performed.
 The auditors' understanding of their clients' internal control provides a basis
both to
 (1) Plan the audit, and (2) assess control risk
 In planning an audit it is essential that the auditors have a sufficient under-
standing of the client's internal control structure.
 This encompasses both and understanding of the design of the policies, proce-
dures, and records, and knowledge of whether they have been placed in opera-
tion by the client.

34
 Cont’d …
 The auditors' consideration of the internal control also provides a basis for their assess-
ment of Control Risk - the risk that material misstatements will not be prevented or de-
tected by the client's internal control structure.
 If the auditors determine that the client's internal control is effective, they will assess con-
trol risk to be low.
 They can then accept a higher level of detection risk, and substantive testing can be de-
creased. Conversely, If internal controls are weak, control risk is high and the auditors
must increase the scope of their substantive tests to limit the level of detection risk.
 Therefore, the auditors' the auditor's understanding of internal control is a major factor in
determining the nature, timing, and extent of substantive testing necessary to verify the
financial statement assertion.

35
Obtaining and Understanding of the Internal Control Structure

 In every audit the auditors must obtain an understanding of the internal control

structure sufficient to plan the audit.

In planning the audit, the knowledge is used to:

 1. Identify types of potential misstatements.

 2. Consider factors that affect the risk of material misstatement.

 3. Design substantive tests.

 In making a judgment about the necessary understanding of the internal control

structure, the auditors consider knowledge related to the above three factors

36
 Cont’d …….
 Auditors also consider their assessment of inherent risk,
judgments about materiality and the nature of the entity's op-
erations.

 In any case the auditors' understanding of the internal

control structure must encompass the:
 control environment,
 risk assessment,
 the accounting information and communications system,
 control activities, and monitoring.

37
 The Control Environment

 The auditors must obtain sufficient knowledge to understand

management's attitudes, awareness, and actions concerning

the control environment.

Risk Assessment:
 auditors must obtain sufficient knowledge of the risk assessment process

to understand how management considers risks relevant to financial re-

porting objectives, estimates their significance, assesses the likelihood

of their occurrence, and decides on actions to address those risks.

38
 The Accounting Information and Communication System:
 To understand the accounting information system, the auditors must first under-
stand the major type of transaction engaged in by the entity.
 Next, the auditors must become familiar with the treatment of those transac-
tions. Including how they are initiated, the related accounting records, and the
manner in which the transactions are processed.
 Finally, auditors must understand the F/reporting process used to prepare F/
statements, including the approaches used to develop accounting estimates.
 In obtaining an understanding of the client's accounting information system and
the related control activities, auditors generally find it useful to divide the
overall system into its major transaction cycles.
 term transaction cycle refers to the polices and the sequence of procedures for
processing a particular type of transaction.
39
For ex, the accounting system in a manufacturing business might be subdivided into
the following major transaction cycles:

 1. Revenue (or sales and collections) cycle- including procedures and policies
for obtaining orders from customers, approving credit, shipping merchandise,
preparing sales invoices (billing ) recording revenue and accounts receivable,
and handling and recording cash receipts.
 2. Acquisition (or purchases and disbursements) Cycle- including procedures
and policies for initiating purchases of inventory, other assets, and services;
placing purchase orders, inspecting good upon receipt, and preparing receiving
reports; recording liabilities to vendors; authorizing payment; and making and
recording cash disbursements.
 3. Conversion (production ) cycle - including procedures and policies for string
materials, placing materials in to production, assigning productions costs to in-
ventories and accounting for the cost of good sold. 40
Cont’d …
 4. Payroll cycle - including procedures and policies for hiring terminating,

and determining pay rates; timekeeping; computing gross payroll, payroll

taxes, and amount withheld from gross pay; maintaining payroll records

and preparing and distributing paychecks.

 5. Financing cycle - including procedures and policies for authorizing, ex-

ecuting, and recording transactions involving bank loans, leases, bonds

payable, and capital stock.

 6. Investing cycle - including procedures and policies for authorizing, exe-

cuting, and recording transactions involving investments in fixed assets

and securities.
41
 Monitoring
 Finally, the auditors should obtain a sufficient understanding of the entity's

monitoring methods relating to financial reporting to understand how those ac-

tivities are used to initiate actions to address inadequate performance.

 The auditors will also consider how the work of the internal auditors contrib-

utes to the internal control structure.

Sources of Information about Internal control:

 Auditors obtain information about internal control by inquiry of appropriate

client personnel, inspecting various entity documents and records, and observ-

ing control activities and operations as they are performed.

42
 Auditors may ascertain the duties and responsibilities of client personnel by inspecting or-

ganization charts and job descriptions, and interviewing client personnel.

 Many clients have procedures manuals and flowcharts describing the approved practices

to be followed in all phases of operations.

 Another excellent source of information is in the reports, working papers, and audit pro-

grams of the client's internal auditing staff.

 The auditors' understanding of the internal control structure encompasses not only the de-

sign of the policies and procedures, but also whether they have been placed in operation.

 The term placed in operation means that the policy or procedure actually exists and is in

use; that is, it does not just exist in theory or on paper.

43
• While obtaining understanding of internal control, the auditors may also obtain

evidence about the operating effectiveness of various controls.

 Operating effectiveness deals with:

– (1) how a control is applied,

– (2) the consistency with which it is applied, and

– (3) who applies the control.

44
 The distinction between knowing that a control has been placed in operation

and obtaining evidence on its operating effectiveness is important.

 To properly plan the audit, auditors are required to determine that the major

controls have been placed in operation they are not required to evaluate their

operating effectiveness.

 However, if the auditors wish to assess control risk at a level lower than the

maximum, they must have evidence of the operating effectiveness of the con-

trols.

45
Document the Understanding of the Internal Control Structure

 As the independent auditors obtain a working knowledge of the internal con-

trol structure to plan the audit, they must document the information in their
working papers.
 The from and extent of this documentation is affected by the size and complex-
ity of the client, as well as the nature of the client's internal control structure.
 The documentation usually takes the from of internal control questionnaires,
written narratives, or flowcharts.

46
 Internal Control Questionnaire:
• The traditional method of describing an internal control structure is to fill in a standardized inter-

nal control questionnaire.

• The questionnaire usually contains a separate section for each major transaction cycle enabling the

work of completing the questionnaire to be divided conveniently among several audit staff mem-

bers.

• Most internal control questionnaires are designed so that a "no" answer to a question indicates a

weakness in internal control.

• In addition, questionnaires may provide for a distinction between major and minor control weak-

nesses, indication of the sources of information used in answering questions, and explanatory com-

ments regarding control deficiencies.

47
• A disadvantage of standardized internal control questionnaires is their lack of flexibility.

• They often contain many questions that are "not applicable" to specific systems, particu-

larly systems for small companies.

• Also the situation in which internal control strength compensates for a weakness in the

structure may not be obvious form examining a completed questionnaire.

• An internal control questionnaire is intended as a means for the auditors to document

their understanding of internal control.

• If completion of the questionnaire is regarded as an end in itself, there may be a ten-

dency for the auditors to fill in the "yes" and "no" answers in a mechanical manner,

without any real understanding or study of the transaction cycle.

• For this reason, some public accounting firms prefer to use written narratives or flow-

charts in lieu of, or in conjunction with, questionnaires. 48

• Written Narrative of Internal Control: Written narratives are memoranda that de-
scribe the flow of transaction cycles, identifying the employees performing various
tasks, documents prepared, records maintained, and the division of duties.
• Flowcharts of Internal Control: Many CPA firms consider systems flowcharts to be
more effective than questionnaires or narrative descriptions in documenting their under-
standing of a client's accounting information system and the related control activities.
• A systems flowchart: is a diagram- a symbolic representation of a system or a series of
procedures with each procedure shown in sequence.
 To the experienced reader a flowchart conveys a clear image of the system, showing the
nature and sequence of procedures, division of responsibilities, sources and distribution
of documents, and types and location of accounting records and files.

49
• Flowcharts usually begin in the upper let- hand corner; directional flow lines
then indicate the sequence of activity.
• The normal flow of activity is from top to bottom and from left to right.
• The advantage of a flowchart over a questionnaire or a narrative is that a flow-
chart provides a clearer, more specific portrayal of the client's system.
• There is less opportunity for misunderstanding, blank spots, or ambiguous
statements when one uses lines and symbols rather than words to describe in-
ternal control.
• Furthermore, in each successive annual audit, updating a flowchart is a simple
process requiring only that the auditors add or change a few lines and symbols.

50
• A flowchart may not provide so clear a signal that a particular internal Control is absent or is not being properly

enforced.

• For that reason, some CPA firms use both flowcharts and questionnaires to describe internal control. The flowchart

clearly depicts the system, while the questionnaire serves to remind the auditors of controls that should be present

in the system

• Walk -Through Test: After describing internal control in their working papers, the auditors will generally verify

that the system has been placed in operation by performing a walk- through of each transaction cycle.

• walk-through refers to tracing several transactions (perhaps only one or two) through each step in the cycle.

• To perform a walk-through of the sales and collection cycle, for example, the auditors might begin by selecting

several sales orders and following the related transactions through the client's sequence of procedures.

• The auditors would determine whether such procedures as credit approval, shipment of merchandise, preparation

of sales invoices, recording of the accounts receivable, and processing of the customers' remittances were per -

formed by appropriate client personnel and in the sequence indicated in the audit working papers.

• If the auditors find that the system functions differently from the working paper description. they will amend the

working papers to describe the actual system.

51
 Assess Control Risk

 Assessing control risk involves evaluating the effectiveness of a client's internal

control policies and procedures in preventing or detecting material misstatements
in the financial statements.
 the independent auditors' work involves gathering and evaluating evidence about
the major financial statement assertions - existence or occurrence; completeness;
rights and obligations; valuation or allocation; and presentation and disclosure.
 Therefore, the auditor's asses control risk in terms of these five assertions.
 It may be summarized as the following steps: (a) determine the planned assessed
level of control risk, (b) design and perform additional tests of controls, (c) re-
assess control risk and modify planned substantive tests, and (d) document the
assessed level of control risk.
52
Determine the Planned Assessed Level of Control Risk

 After documenting their understanding of internal controls, the auditors will determine a
planned assessed level of control risk for the various financial statement assertions.
 For assertions with weaker internal controls, the auditors may simply plan to assess con-
trol risk at the maximum level, and no tests of the related controls need to be performed.
 For financial statement assertions that appear to have more effective controls, the audi-
tors may plan to assess control risk at a lower level.
 To assess control risk at less than the maximum level for a particular assertion, the audi-
tors must:
 Identify those internal control structure policies and procedures that are likely to prevent
or detect material misstatements of the assertion.
 Perform tests of controls to evaluate the effectiveness of such policies and procedures.

53
• The auditors' planned assessed level of control risk is used to develop the initial audit
program of substantive testing.
• For assertions with a high planned assessed level of control risk, the auditors will plan
substantial substantive procedures. Planned substantive procedures can be restricted or
eliminated for assertions with a low planned assessed level of control risk.
• Therefore, in making decisions about the planned assessed levels of control risk, the audi-
tors must consider the trade-off between tests of controls and substantive testing.
• Tests of controls allow the auditors to reduce their assessments of control risk, which, in
turn, allows them to reduce the time spent performing substantive procedures.
• For each test of control, the auditors must ask themselves, "Is the time required to per-
form the test justified in terms of its resulting decrease in the scope of substantive test-
ing?"

54
• Design and Perform Additional Tests of Controls: The auditors may have
gathered some evidence about the effectiveness of certain policies and proce-
dures while they obtained an understanding of the client's internal control struc-
ture. In some audits, especially those involving small clients, these preliminary
tests of controls may be adequate to support the auditors' planned assessed level
of control risk. In these cases the auditors need not perform additional tests of
controls and may proceed directly to documenting their assessed level of con-
trol risk and completing the planned substantive tests. However, for many au-
dits additional tests of controls are necessary to support the auditors' assessed
level of control risk. The auditors will use their understanding of the internal
control structure to design these additional tests of controls.

55
• The audit procedures used to test the effectiveness of internal
control policies and procedures include:
 (1) inquiries of appropriate client personnel,
 (2) inspection of documents and reports,

 (3) observation of the application of accounting policies or procedures, and

 (4) re-performance of the policy or procedure.

• Tests of controls focus on the performance of policies and proce-

dures rather than on the accuracy of financial statement amounts.

56
 To illustrate this distinction, assume that the client has implemented the control of re-
quiring a second person to review the quantities, prices, extensions, and footing of
each sales invoice.
 The purpose of this control is to prevent material errors in the billing of customers and
the recording of sales transactions. A substantive test of financial statement amounts
might involve selecting a sample of recorded sales transactions to determine that they
have been properly recorded and included in the year's total sales.
 To test the effectiveness of this control, the auditors may make inquiries of client per-
sonnel and observe application of the procedure.
 They might also select a sample of, say, 30 sales invoices prepared throughout the
year. They would inspect the invoice copy for the initials of the reviewer, and re-per-
form the procedure by comparing the quantities to those listed on the related shipping
documents, comparing unit prices to the client's price lists, and verifying the exten-
sions and footings.
 The results of this test provide the auditors with evidence as to the existence and valua-
tion of the recorded sales and accounts receivable.

57
 If numerous deviations from the control procedure are found, the auditors will expand

their substantive procedures with respect to existence and valuation of accounts receiv-

able and sales transactions.

 The control described above leaves documentary evidence of performance, the reviewer's

initials that allow it to be tested by sampling.

 Controls that do not leave documentary evidence of performance must be tested entirely

through observation by the auditors and inquiry of client personnel.

 Segregation of duties, for example, is tested by observing the client's employees as they

perform their duties, and inquiring as to who performed those duties throughout the pe-

riod under audit.

 The auditors also should determine whether employees performed incompatible func-

tions when other employees were absent from work on sick leave or vacation.
58
 Reassess Control Risk and Modify Planned Substantive Tests: After
the auditors have completed the tests of controls, they are in a posi-
tion to reassess control risk based on the results of the tests. The re-
sults of the tests of controls may reveal that the level of control risk is
actually higher than the planned level. If this is the case, modifica-
tions must be made in the nature, timing, and extent of the planned
substantive tests in the audit program. For example, the auditors may
decide to increase the extent of their substantive testing, or perform
certain substantive tests at year-end rather than at an interim date.

59
• Document the Assessed Level of Control Risk: The auditors as-
sessed level of control risk will have identified the financial
statement assertions with maximum control risk, and those asser-
tions for which control risk is considered to be less than the max-
imum level.
• The auditors must document these conclusions in their working
papers. They must also describe the basis for all assessments that
are at less than the maximum level.
• A working paper is often used to summarize the auditors' assess-
ments of control risk and the resulting modifications in substan-
tive tests.
• Notice that the extensions and limitations of audit procedures are
described in detail to facilitate completion of the final version of
the audit program.
• The auditors' consideration of internal control is very complex. 60
Consideration of the Work of Internal Auditors
• Many of the audit procedures performed by internal auditors are similar in nature to those employed by independent
auditors. This raises the question of how the work of the internal auditors affects the independent auditors' work. The
Auditing Standards Board has addressed this issue in SAS No. 65 (AU 322), "The Auditor's Consideration of the In-
ternal Audit Function in an Audit of Financial Statements."
• Because the internal audit function is an important aspect of the client's monitoring system, the independent auditors
consider the existence and quality of the function in their assessment of the client's internal control structure.
Through its contribution to internal control, the work of the internal auditors may reduce the amount of audit testing
performed by the independent auditors.
• The independent auditors begin by obtaining an understanding of the work of the internal auditors to determine its
relevance to the audit. They make inquiries about such matters as the internal auditors' activities and audit plans. If
the independent auditors conclude that the internal auditors' work is relevant and that it would be efficient to con-
sider it, they assess the competence and objectivity of the internal audit staff, and evaluate the quality of their work.
• In evaluating the competence of the internal auditors, the independent auditors consider the educational level, pro-
fessional experience, and professional certifications of the internal audit

61
• staff. They also investigate the internal auditors' policies, programs, procedures, working

papers, and reports, and the extent to which the internal auditors' activities are supervised

and reviewed. Objectivity is evaluated by considering the organizational status of the direc-

tor of internal audit, including whether the director reports to an officer of sufficient status

to ensure broad audit coverage, and has direct access to the audit committee of the board of

directors. The internal auditors' policies for assigning independent staff to audit areas are

also reviewed.
• If, after assessing competence and objectivity, the independent auditors intend to use the in-
ternal auditors' work, they will evaluate and test their work. The evaluation includes a re-
view of the scope of the internal auditors' work, and the quality of their programs and re-
ports. This investigation and evaluation provides the independent auditors with a sound
basis for determining the extent to which the work of the internal auditors allows them to
limit their own audit procedures.

62
• In addition to reducing the extent of the independent auditors' substantive
procedures, the internal auditors' work may affect the independent auditors'
procedures when obtaining an understanding of the client's internal control
structure and assessing risk. For example, the independent auditors may use
the internal auditors' documentation of the internal control structure. The in-
ternal auditors also may provide direct assistance to the independent auditors
in preparing working papers and performing certain audit procedures. How-
ever, the independent auditors should not over rely on the internal auditors'
work; they must obtain sufficient, competent, evidential matter to support
their opinion on the financial statements. Regardless of the extent of the inter-
nal auditors' work, the independent auditors must perform direct testing of
those financial statement assertions with a high risk of material misstatement.
Judgments about assessments of inherent and control risks, the materiality of
misstatements, the sufficiency of tests performed, and other matters affecting
the opinion must be those of the independent auditors. Also, the independent
auditors should be directly involved in evaluating audit evidence that requires
significant subjective judgment.

63
 Communication of Control Structure Related Matters

• Establishing and maintaining an effective internal control structure is an important respon-

sibility of management. However, the auditors may provide assistance by communicating

significant deficiencies in the internal control structure identified by their procedures,

along with the auditors' recommendations for corrective action. This is a service in addi-

tion to issuance of the audit report. SAS 60 (AU 325), "Communication of Internal Control

Structure Related Matters Noted in an Audit" uses the term reportable conditions to refer to

those matters that must be communicated by the auditors to the audit committee of the

board of directors (or an individual or group with equivalent responsibility if no audit

committee exists).
• A reportable condition is a significant deficiency in the design or operation of the internal control that

could adversely affect the organization's ability to record, process, summarize, and report financial

data. Reportable conditions may be communicated orally, but they are usually set forth in a letter.
64
• A reportable condition may be of such magnitude as to be considered a material weakness in internal

control; that is, a condition that results in more than a relatively low risk of material misstatement of

the financial statements. While the auditors are not required to identify those reportable conditions that

are material weaknesses, they may do so if requested by the client. A written communication may indi-

cate that the auditors found no material weaknesses, but one should never be issued that states that the

auditors identified no reportable conditions.

• Auditors often communicate operational suggestions and less significant weaknesses in greater detail

to management in a report called a management letter. This report serves as a valuable reference doc-

ument for management and may also serve to minimize the auditors' legal liability in the event of a de-

falcation or other loss resulting from a weakness in internal control. Many auditing firms place great

emphasis upon providing clients with a thorough and carefully considered management letter. These

firms recognize that such a report can be a valuable and constructive contribution to the efficiency and

effectiveness of the client's operations. The quality of the auditors' recommendations reflects their pro-

fessional expertise and creative ability and the thoroughness of their investigation. 65
• Internal Control in the Small Company
• The preceding discussion of internal control and its consideration by the independent auditors has been
presented in terms of large corporations. In the large concern excellent internal control may be achieved
by extensive segregation of duties so that no one person handles a transaction completely from begin-
ning to end. In the very small concern, with only one or two office employees, there is little or no op-
portunity for division of duties and responsibilities. Consequently, internal control tends to be weak, if
not completely absent, unless the owner/manager recognizes the importance of internal control and par-
ticipates in key activities.
• Because of the absence of strong internal control in small concerns, the independent auditors must rely
much more on substantive tests of account balances and transactions than is required in larger organiza-
tions. Although it is well to recognize that internal control can seldom be strong in a small business,
this limitation is no justification for ignoring available forms of control. Auditors can make a valuable
contribution to small client companies by encouraging the installation of such control procedures as are
practicable in the circumstances.

66
• The following specific practices are almost always capable of use in even the smallest business:
• Record all cash receipts immediately.
– For over- the- counter collections, use cash registers easily visible to customers. Records register readings daily.
– Prepare a list of all mail remittances immediately upon opening the mail and retain this list for subsequent comparison with bank
deposit tickets and entries in the cash receipts journal.

• Deposit all cash receipts intact daily.

• Make all payments by serially numbered checks, with the exception of small disbursements from petty cash.
• Reconcile bank accounts monthly and retain copies of the reconciliation's in the files.
• Use serially numbered sales invoices, purchase orders, and receiving reports.
• Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and re-
ceiving reports.
• Balance subsidiary ledger with control accounts at regular intervals, and prepare and mail customers' statements
monthly.
• Prepare comparative financial statements monthly in sufficient detail to disclose significant variations in any cate-
gory of revenue or expense.

67
• Adherence to these basic control practices significantly reduces the risk of material er-
ror or major defalcation going undetected.
• If the size of the business permits a segregation of the duties of cash handling and
record keeping, a fair degree of control can be achieved.
• If it is necessary that one employee serve as both accounting clerk and cashier, then ac-
tive participation by the owner in certain key functions is necessary to guard against the
concealment of fraud or errors.
• In a few minutes each day the owner, even though not trained in accounting, can create
a significant amount of internal control by personally (1) reading daily cash register to-
tals, (2) reconciling the bank account monthly, (3) signing all checks and canceling the
supporting documents, (4) approving all general journal entries, and (5) critically re-
viewing comparative monthly statements of revenue and expense

68