
Messier4ce PPT Ch06

Chapter 6 discusses the importance of internal control in financial statement audits, emphasizing management's responsibility to maintain effective controls to safeguard assets and generate reliable information. The auditor must understand the internal control system to assess risks and design appropriate audit strategies, including the evaluation of control activities and the impact of information technology. The chapter outlines the components of internal control, including the control environment, risk assessment, control activities, information and communication, and monitoring activities.

Uploaded by sarahkcphen

Auditing and Assurance Services

A Systematic Approach
Fourth Canadian Edition

CHAPTER 6
Internal Control in a Financial Statement Audit

Copyright © 2023 McGraw Hill Limited.


Learning Objective 6-1

Internal Control (1 of 2)
Management has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity’s assets and records.

The Internal Control System should:

• Ensure that assets and records are safeguarded
• Generate reliable information for decision making

The auditor needs assurance about the reliability of the data generated by the information system.

Learning Objective 6-1

Internal Control (2 of 2)
The auditor uses risk assessment procedures to:
• Obtain an understanding of the entity’s internal control
• Identify key controls
• Recognize the types of potential misstatements
• Design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy.

The auditor has the responsibility to:

1) Obtain an understanding of internal controls
2) Assess control risk

Learning Objective 6-2

COSO’s Internal Control – Integrated Framework

Objectives

• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Learning Objective 6-3

Controls Relevant to the Audit (1 of 2)

Objectives

• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit.

Learning Objective 6-3

Controls Relevant to the Audit (2 of 2)

Objectives

• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures.

Learning Objective 6-4

The Effect of Information Technology on Internal Control (Table 6-1)

Benefits
• Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data
• Greater timeliness, availability, and accuracy of information
• Facilitation of data analytics for enhanced internal decision making
• Greater ability to monitor the entity’s activities, policies, and procedures on a timely basis
• Greater ability to prevent or detect circumvention of controls
• Enhanced segregation of duties through security controls in applications, databases, and operating systems

Risks
• Reliance on systems or programs that, unknown to management, inaccurately process data, process inaccurate data, or both
• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data

Learning Objective 6-5

Components of Internal Control (1 of 7)

• Control Environment
• Entity’s Risk Assessment Process
• Control Activities
• Information and Communication
• Monitoring Activities

Learning Objective 6-5

Components of Internal Control (2 of 7)

Control Environment

The control environment is the set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

Learning Objective 6-5

Components of Internal Control (3 of 7)

Entity’s Risk Assessment Process

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, thereby forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

Learning Objective 6-5

Components of Internal Control (4 of 7)

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

Learning Objective 6-5

Components of Internal Control (5 of 7)


Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives.

Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives and allows for upward flow of operating information to management.

Learning Objective 6-5

Components of Internal Control (6 of 7)

Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
Learning Objective 6-5

Components of Internal Control (7 of 7) (Figure 6-1)

Learning Objective 6-5

Control Environment
Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Learning Objective 6-5

The Entity’s Risk Assessment Process

The risk assessment process identifies and responds to business risks in relation to achieving business objectives.

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

Learning Objective 6-5

Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Performance Reviews
- Physical Controls
- Segregation of Duties
- Information Processing Controls

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Learning Objective 6-5

Information and Communication

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

Learning Objective 6-5

Monitoring of Controls

Monitoring of controls is a process that assesses the quality of internal control performance over time.

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Learning Objective 6-6

Planning an Audit Strategy

Audit Risk Model

AR = IR × CR × DR

In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit.

Learning Objective 6-6

FIGURE 6-2 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation to Substantive Procedures

Learning Objective 6-6

Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors:

• Controls do not pertain to an assertion
• Controls are assessed as ineffective
• Testing the effectiveness of controls is inefficient

Learning Objective 6-6

Reliance Strategy*

• Obtain Understanding of Internal Control
• Plan to Rely on Internal Control and Assess Control Risk at a Lower Level

*also referred to as the combined approach

Learning Objective 6-6

TABLE 6-4 Assertions about Classes of Transactions and Events and Related Control Procedures

Assertion: Control Activities

Occurrence
• Segregation of duties
• Prenumbered documents that are accounted for
• Daily or monthly reconciliation of subsidiary records with independent review

Completeness
• Prenumbered documents that are accounted for
• Segregation of duties
• Daily or monthly reconciliation of subsidiary records with independent review

Authorization
• General and specific authorization of transactions at important control points

Accuracy
• Internal verification of amounts and calculations
• Monthly reconciliation of subsidiary records by an independent person

Cutoff
• Procedures for prompt recording of transactions
• Internal review and verification

Classification
• Chart of accounts

Presentation
• Internal review and verification

Learning Objective 6-7

Obtain an Understanding of Internal Control (1 of 2)

The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to:

• Identify types of potential misstatement
• Pinpoint the factors that affect the risk of material misstatement
• Design tests of controls and substantive procedures

Learning Objective 6-7

Obtaining an IT Specialist
The auditor may determine that the engagement team needs an IT specialist.

• Evaluate the nature and complexity of the entity’s IT systems
• Determine whether the engagement team needs an IT specialist

Learning Objective 6-7

Obtain an Understanding of Internal Control (2 of 2)

1. Understand the control environment.
2. Understand the entity’s risk assessment process.
3. Understand the information system and communications.
4. Understand control activities.
5. Understand monitoring of controls.

Learning Objective 6-7

Knowledge Assessment

What is meant by the concept of reasonable assurance in terms of internal control? What are the inherent limitations of internal control?

Learning Objective 6-8

Documenting the Understanding of Internal Control

• Procedures Manuals and Organizational Charts
• Flowcharts
• Internal Control Questionnaires
• Narrative Description

Learning Objective 6-8

Example Information & Documentation (Exhibit 6-1) excerpt

CONTROL ENVIRONMENT QUESTIONNAIRE
Entity: EarthWear Clothiers
Balance Sheet Date: 12/31/2025
Completed by: SAA Date: 9/30/25
Reviewed by: DRM Date: 10/15/25

COMMUNICATION AND ENFORCEMENT OF INTEGRITY AND ETHICAL VALUES
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behaviour are the product of the entity’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practice.

Question: Have appropriate entity policies regarding matters such as acceptable business practices, conflicts of interest, and codes of conduct been established, and are they adequately communicated?
Yes, No, N/A: Yes
Comments: The permanent work papers contain a copy of EarthWear’s conflict-of-interest policy.

Question: Does management demonstrate the appropriate “tone at the top,” including explicit moral guidance about what is right or wrong?
Yes, No, N/A: Yes
Comments: EarthWear’s management maintains high moral and ethical standards and expects employees to act accordingly.

Question: Are everyday dealings with customers, suppliers, employees, and other parties based on honesty and fairness?
Yes, No, N/A: Yes
Comments: EarthWear’s management maintains a high degree of integrity in dealing with customers, suppliers, employees, and other parties; it requires employees and agents to act accordingly.

Question: Does management determine to an adequate extent the knowledge and skills needed to perform particular jobs?
Yes, No, N/A: Yes
Comments: The job descriptions specify the knowledge and skills needed. The Human Resources Department uses this information in hiring, training, and promotion decisions.

Question: Does evidence exist that employees have the requisite knowledge and skills to perform their job?
Yes, No, N/A: Yes
Comments: Our prior experiences with EarthWear personnel indicate that they have the necessary knowledge and skills.

Learning Objective 6-8

The Effect of Entity Size on Internal Control

While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity.

Learning Objective 6-8

The Limitation of an Entity’s Internal Control

• Management Override of Internal Control
• Human Errors or Mistakes
• Collusion

Learning Objective 6-8

FIGURE 6-4 Primary Internal Control Weakness Observed by CFE

Learning Objective 6-9

Assessing Control Risk

• Identify specific controls that will be relied upon
• Perform tests of controls
• Conclude on the achieved level of control risk

Learning Objective 6-10

Performing Tests of Controls

• Inquiry of appropriate entity personnel
• Inspection of documents indicating the performance of the control
• Observation of the application of the control
• Reperformance of the application of the control by the auditor

Learning Objective 6-10

Documenting the Achieved Level of Control Risk

The auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum.

Let’s look at an example from EarthWear Clothiers to see how the control risk for two accounts that differ in terms of their nature, size, and complexity is documented.

Learning Objective 6-10

An Example of Assessing Control Risks and Its Effects (Table 6-5)

EarthWear Account Balance: Inventory ($122,337,000)

Account Characteristics
• Material balance
• Numerous transactions from a large product base
• Significant inherent risk related to overstock and out-of-style products
• Complex computer processing

Extent of Understanding Needed to Plan the Audit
• Entity control environment factors
• Entity risk assessment process
• Monitoring activities
• Significant classes of transactions
• Inventory pricing policies
• Initiation, processing, and recording of transactions
• Control procedures to be relied upon

Control Risk Assessment
• Control risk is assessed to be low because tests of controls conducted on relevant controls in the purchasing and inventory cycles were consistent with the planned assessment of control risk.

Planned Substantive Procedures
Substantive procedures will include
• Physical examination of inventory
• Information technology–assisted audit techniques to audit the inventory compilation

EarthWear Account Balance: Prepaid advertising ($11,458,000)

Account Characteristics
• Significant balance
• Few transactions
• Little or no inherent risk
• Simple accounting procedures

Extent of Understanding Needed to Plan the Audit
• Entity control environment factors
• Nature of the account balance
• Monitoring activities

Control Risk Assessment
• Control risk is assessed at low because there are few transactions; it would be most efficient to audit this account substantively since there are so few transactions. Hence a substantive strategy is selected.

Planned Substantive Procedures
• Substantive procedures will recalculate the amortization of the advertising expenditures

Learning Objective 6-10

Knowledge Assessment

Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operation of a control?

A. Inquiry of entity personnel
B. Reperformance of the control by the auditor
C. Observation of entity personnel
D. Walkthrough

Learning Objective 6-11

Performing Substantive Procedures (Table 6-6)

Low-Detection-Risk Strategy—Entity 1
Nature: Audit tests for all significant audit assertions using the following types of audit procedures:
• Physical examination (conducted at year-end)
• Review of external documents
• Confirmation
• Reperformance
Timing: All significant work completed at year-end
Extent: Extensive testing of significant accounts or transactions

High-Detection-Risk Strategy—Entity 2
Nature: Corroborative audit tests using the following types of audit tests:
• Physical examination (conducted at an interim date)
• Analytical procedures
• Substantive tests of transactions and balances
Timing: Interim and year-end
Extent: Limited testing of accounts or transactions

Learning Objective 6-12

Timing of Audit Procedures

• Interim
• Year End

Let’s look at the EarthWear Clothiers example again to see the timing of its audit procedures.

Learning Objective 6-12

FIGURE 6-5 A Timeline for Planning and Performing the Audit of EarthWear Clothiers

Learning Objective 6-12

Interim Audit Procedures

Interim Tests of Controls
• Assertion being tested not significant
• Control has been effective in prior audits
• Efficient use of staff time

Interim Substantive Procedures
• Control environment
• Availability of information at a later date
• The purpose of the substantive procedure
• The assessed risk of material misstatement
• The nature of the transactions or balances and relevant assertions
• The ability of the auditor to perform appropriate procedures to cover the remaining period

Learning Objective 6-13

Auditing Accounting Applications Processed by Service Organizations (1 of 2)

In some instances, an entity may have some or all of its accounting transactions processed by an outside service organization.

Because the entity’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in place at the service organization.

It is not uncommon for service organizations to have an auditor issue one of two types of reports on their operations.

Learning Objective 6-13

Auditing Accounting Applications Processed by Service Organizations (2 of 2)

Type 1 Report
Describes the service organization’s controls and assesses whether they are suitably designed to achieve specified internal control objectives

Type 2 Report
Goes further by providing assurance on the operating effectiveness of the service organization’s controls based on the auditor’s tests of controls

An auditor may reduce control risk below high only on the basis of a service auditor’s Type 2 report.

Learning Objective 6-14

Communication of Internal Control-Related Matters

Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned function, to prevent, or detect and correct, misstatements on a timely basis

Significant Deficiency: A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness but is important enough to merit attention by those charged with governance

Material Weakness: A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis

Learning Objective 6-14

Examples of Reportable Conditions (Table 6-7)

Deficiencies in the Design of Controls
• Inadequate design of internal control over the preparation of the financial statements being audited
• Inadequate design of internal control over a significant account or process
• Inadequate documentation of the components of internal control
• Insufficient control consciousness within the organization, for example, the tone at the top and the control environment
• Absent or inadequate segregation of duties within a significant account or process
• Absent or inadequate controls over the safeguarding of assets
• Inadequate design of information technology (IT) general and application controls
• Inadequate design of monitoring controls
• The absence of an internal process to report deficiencies in internal control to management on a timely basis

Failures in the Operation of Internal Control
• Failure in the operation of effectively designed controls over a significant account or process
• Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy
• Failure of controls designed to safeguard assets from loss, damage, or misappropriation
• Failure to perform reconciliations of significant accounts
• Undue bias or lack of objectivity by those responsible for accounting decisions
• Misrepresentation by entity personnel to the auditor (an indicator of fraud)
• Employees or management who lack the qualifications and training to fulfill their assigned functions
• Management override of controls
• Failure of an application control caused by a deficiency in the design or operation of an IT general control
• An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of operating effectiveness of a control

Sources: U.S. generally accepted auditing standard AU-C 265 & CAS 265.

Learning Objective 6-15

Types of Controls in an IT Environment

General Controls
1. Data center and network operations
2. System software acquisition, change, and maintenance
3. Access security
4. Application system acquisition, development, and maintenance

Application Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls

Learning Objective 6-15

TABLE 6-8 Common Data Validation Controls

Data Validation Control: Description

Limit test: A test to ensure that a numerical value does not exceed some predetermined value
Range test: A check to ensure that the value in a field falls within an allowable range of values
Sequence check: A check to determine if input data are in proper numerical or alphabetical sequence
Existence (validity) test: A test of an ID number or code by comparison to a file or table containing valid ID numbers or codes
Field test: A check on a field to ensure that it contains either all numeric or all alphabetic characters
Sign test: A check to ensure that the data in a field have the proper arithmetic sign
Check-digit verification: A numerical value computed to provide assurance that the original value was not altered
Closed-loop verification: A process that takes data entered into the system to find and present other, related information, enabling the user to verify the correctness of the original data entry
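
Added example (not from the textbook or the slides): the Table 6-8 checks implemented as input validation over a constructed batch of vendor-payment records. The field names, thresholds, vendor master file, and the choice of the Luhn mod-10 scheme for the check digit are assumptions made for illustration.

```python
import re

# Constructed master data and policy thresholds (assumptions for this example).
VENDOR_MASTER = {"79927398713": "Northwind Supply Ltd."}
PAYMENT_LIMIT = 50_000.00   # limit test ceiling
QUANTITY_RANGE = (1, 500)   # range test bounds


def luhn_ok(number: str) -> bool:
    """Check-digit verification using the Luhn mod-10 scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def closed_loop_echo(vendor_id: str):
    """Closed-loop verification: return the vendor name held in the master
    file so the operator can confirm the ID typed is the vendor intended."""
    return VENDOR_MASTER.get(vendor_id)


def validate_record(rec: dict, prev_doc_no) -> list:
    """Return the names of the Table 6-8 controls that the record fails."""
    failures = []
    vendor_id = rec["vendor_id"]

    if not re.fullmatch(r"\d+", vendor_id):       # field test: all numeric
        failures.append("field")
    elif not luhn_ok(vendor_id):                  # check-digit verification
        failures.append("check-digit")
    elif vendor_id not in VENDOR_MASTER:          # existence (validity) test
        failures.append("existence")

    if rec["amount"] < 0:                         # sign test
        failures.append("sign")
    elif rec["amount"] > PAYMENT_LIMIT:           # limit test
        failures.append("limit")

    low, high = QUANTITY_RANGE
    if not low <= rec["quantity"] <= high:        # range test
        failures.append("range")

    # Sequence check: prenumbered documents must arrive without gaps.
    if prev_doc_no is not None and rec["doc_no"] != prev_doc_no + 1:
        failures.append("sequence")
    return failures


def validate_batch(records: list) -> dict:
    """Validate records in order; map each document number to its failures."""
    results, prev = {}, None
    for rec in records:
        results[rec["doc_no"]] = validate_record(rec, prev)
        prev = rec["doc_no"]
    return results


# Constructed sample input, not data from the source document.
BATCH = [
    {"doc_no": 1001, "vendor_id": "79927398713", "quantity": 10, "amount": 1200.00},
    {"doc_no": 1002, "vendor_id": "79927398710", "quantity": 10, "amount": 300.00},
    {"doc_no": 1004, "vendor_id": "7992739871X", "quantity": 0, "amount": -50.00},
    {"doc_no": 1005, "vendor_id": "12345678903", "quantity": 20, "amount": 75000.00},
]

if __name__ == "__main__":
    for doc_no, failed in validate_batch(BATCH).items():
        print(doc_no, ("REJECT: " + ", ".join(failed)) if failed else "accept")
```

The check-digit test runs before the existence test, so a mistyped ID is rejected without a master-file lookup; the existence test then catches IDs that are well formed but not on file.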

Learning Objective 6-16

Figure 6-6 Flowcharting Symbols
