UNDERSTANDING THE ENTITY’S INTERNAL CONTROL
documents. For example, through inquiries of management and
The Entity’s Internal Control
Internal control is the process designed, implemented and
maintained by TCWG, management and other personnel to
address risks that are present between the entity and the
accomplishment of its objectives. Its purpose is to address
identified business risks that threaten the achievement of the
entity’s objectives about:
 the reliability of the entity’s financial reporting
(auditor’s primary concern);
 the effectiveness and efficiency of its operations; and
 its compliance with applicable laws and regulations.
Internal control structure varies with an entity’s size and
complexity. Smaller entities may use less structured means and
simpler processes and procedures.
An understanding of internal control assists the auditor in
identifying types of potential misstatements and factors that
affect the ROMM, and in designing the nature, timing, and
extent of FAP (ToC and SP).
Components of Internal Control
The following are the five components of an effectiveness
internal control:
 control environment
 risk assessment process
 information system and communication
 control activities
 monitoring
Control Environment
Control environment is the governance and management
functions and the attitudes, awareness, and actions of TCWG
and management concerning the entity’s internal control and its
importance in the entity. It is the foundation of internal control
as it sets the tone of an organization that influences the control
consciousness of its people.
The seven elements of the control environment are:
 communication and enforcement of integrity and ethical
values
 commitment to competence
 human resource policies and practices
 assignment of authority and responsibility
 management’s philosophy and operating style
 participation of those charged with governance
 organizational structure
The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the auditor
shall evaluate whether:
 management, with the oversight of TCWG, has created
and maintained a culture of honesty and ethical
behavior; and
 the strengths in the control environment elements
collectively provide an appropriate foundation for the
other components of internal control, and whether those
other components are not undermined by control
environment weakness.
Relevant audit evidence may be obtained through a combination
of inquiries and other risk assessment procedures such
corroborating inquiries through observation or inspection of
employees, the auditor may obtain an understanding of how
management communicates to employees its views on business
practices and ethical behavior and considering whether
management has a written code of conduct and whether it acts in
a manner that supports the code.
Risk Assessment Process
The entity’s risk assessment process refers to the entity’s process
for identifying business risks relevant to financial reporting
objectives an deciding about actions to address those risks, and
the results thereof. If that process is appropriate to the
circumstances, including the nature, size and complexity of the
entity, it assists the auditor in identifying ROMM. Whether
entity’s risk assessment process is appropriate is a matter of
judgment.
The auditor shall obtain an understanding of whether the entity
has a process for:
 identifying business risks relevant to financial reporting
objectives;
 estimating the significance of the risks;
 assessing the likelihood of their occurrence; and
 deciding about actions to address those risks.
Information System and Communication
Information and communication relates to the identification,
capture, and exchange of information that enables individuals to
carry out their responsibilities. It includes information system
and communication relevant to financial reporting system which
consists of the procedures and records established to initiate,
record, process and report entity transactions (as well as events
and conditions) and to maintain accountability for the related
assets, liabilities and equity.
Information system and communication consists of
infrastructure (physical and hardware components), software,
people, procedures and data.
The auditor shall obtain an understanding of the information
system, including the related business processes, relevant to
financial reporting, including how the entity communicates
financial reporting roles and responsibilities and significant
matters relating to financial reporting, including:
 communications between management and TCWG; and
 external communications, such as those with regulatory
authorities
Control Activities
Control activities are policies and procedures of the entity that
help ensure that management directives are carried out.
Examples of control activities include policies and procedures
on :
 authorization
 performance reviews
 information processing
 physical controls
 segregation of duties
The auditor shall obtain an understanding of control activities
relevant to the audit.
Control activities that are relevant to the audit are:
1
  those that are required to be treated as such, being
control activities that relate to significant risks and
those that relate to risks for which substantive
procedures alone do not provide sufficient appropriate
audit evidence; or
 those that are considered to be relevant in the judgment
of the auditor, being those necessary in order to assess
the ROMM at the assertion level and design FAP
responsive to assessed risks.
Risks arising from, and control activities in , IT
In understanding the entity’s control activities, the auditor shall
obtain an understanding of how the entity has responded to risks
arising from IT.
Monitoring
Monitoring is a process that assesses the effectiveness of internal
control performance over time. It includes assessing the design
and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.
The types of monitoring activities are:
 ongoing monitoring activities - often built into the
normal recurring activities of an entity and include
regular management and supervisory activities.
 separate evaluations – often performed by internal
auditors or company employees and provide feedback
on the effectiveness of other internal control process.
 a combination of the two above.
Internal auditing is often considered a highly effective
monitoring control.
The auditor shall obtain an understanding of the major activities
that the entity uses to monitor internal control over financial
reporting, including those related to those control activities
relevant to the audit, and how the entity initiates corrective
actions to its controls.
Inter-relationship of Components of Internal Control
Internal control consists of five interrelated components
designated to work together as a process in order to address
entity’s business risks and help it accomplish the objectives.
Inherent Limitations of Internal Control
Internal control can only provide reasonable assurance that the
entity’s objectives are met because of the following inherent
limitations:
 cost-benefit considerations
 human errors or mistakes
 management override or circumvention
 collusion among employees or outside parties
Understanding Entity’s Internal Controls Through
Transaction Cycles
Transaction cycles refer to certain business processes, or
segments into which related transactions can be conveniently
grouped and for which specific accounting procedures and
control activities are established by entity’s management.
The common divisions of transactions cycles are:
 revenue and receipt cycle
 purchasing and disbursement cycle
 payroll and personnel cycle
 production or conversion (inventory and warehousing)
cycle
 investing and financing cycle
Collectively these cycles have no beginning or end except at the
origin and final disposition of an entity.
Relevant Controls: Nature and Extent of the Auditor’s
Understanding
The auditor shall obtain an understanding of internal control
relevant to the audit, not all controls that relate to financial
reporting are relevant to the audit. It is a matter of the auditor’s
professional judgment whether a control, is relevant to the audit.
When obtaining an understanding of controls that are relevant to
the audit, the auditor shall evaluate the design of those controls
and determine whether they have been implemented, by
performing procedures in addition to inquiry of the entity’s
personnel.
Evaluating the design of a control involves considering whether
the control, individually or in combination with other controls, is
capable of effectively preventing, or detecting and correcting,
material misstatements. Implementation of a control means that
the control exists and that the entity is using it. There is little
point in assessing the implementation of a control that is not
effective, and so the design of a control is considered first. An
improperly designed control may represent a material weakness
(to be discussed at the end part of the lecture notes) in the
entity’s internal control.
Procedures to Obtain Understanding of Internal Controls
Risk assessment procedures to obtain audit evidence about the
design and implementation (D&I) of relevant controls may
include:
 inquiring of entity personnel
 observing the application of specific controls
 inspecting documents and reports
 tracing transactions through the information system
relevant to financial reporting
Inquiry alone, however, is not sufficient for such purposes.
Evaluating the design of a control involves considering whether
the control is capable of effectively preventing, or detecting and
correcting, material misstatements. Implementation of a control
means that the control exists and that the entity is using it. There
is little point in assessing the implementation of a control that is
not effective, and so the design of a control is considered first.
An improperly designated control may represent a material
weakness in the entity’s internal control.
Obtaining an understanding of an entity’s controls is not
sufficient to test their operating effectiveness (which is
determined through test of controls), unless is some automation
that provides for the consistent operation of the controls.
Documentation
The auditor shall document the key element of each of the
internal control components, including the sources of
information from which the understanding was obtained.
The auditor may document its understanding through any or
combination of the following techniques:
2
  Narratives – a narrative is a written description of a
client’s internal controls.
 Flowcharts – an internal control flowchart is a diagram
of the client’s documents and their sequential flow in
the organization. Flowcharts have two advantages over
narratives: typically they are easier to read and easier to
update. It is unusual to use both a narrative and a
flowchart to describe the same system because both
present the same information.
 Internal Control Questionnaire (ICQ) – an ICQ asks a
series of questions about the controls in each audit area
as a means of identifying internal control deficiencies.
Most questionnaires require a “yes” or a “no” response,
with “no” responses indicating potential internal control
deficiencies. The two main disadvantages of
questionnaires are their inability to provide an overview
of the system and their inapplicability for some audits,
especially smaller ones.
Performing a Transaction Walkthrough Test
Walkthrough test involves tracing a few transactions through the
financial reporting system. This test is normally done after the
auditor has initially documented its understanding of the
transaction cycle and significant business processes. It should be
done every year.
The auditor shall perform walkthroughs to achieve the following
objectives:
 confirm understanding, as identified in during process
documentation, of the flow of significant classes of
transactions within significant processes or sources and
preparation of information resulting in significant
disclosures, including how these transactions are
initiated, authorized, recorded, processed and reported;
and
 verify the identified “what can go wrong” (WCGWs)
that have the potential to materially affect relevant
financial statement assertions related to significant
accounts and disclosures within each significant class
of transactions.
Significant deficiency in internal control refers to a deficiency or
combination of deficiencies in internal control that, in the
auditor’s professional judgment, is of sufficient importance to
merit the attention of those charged with governance. Significant
deficiency is less severe than a material weakness.
Material weakness in internal control is deficiency, or a
combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a
material misstatement of the company’s annual or interim
financial statements will not be prevented or detected on a
timely basis. In other words, if a deficiency in an internal control
is thought to be of material weakness, this means that it could
lead to a material misstatement in a company’s financial
statements.
The auditor shall evaluate whether, on the basis of the audit
work performed, the auditor has identified a material weakness
in the design, implementation or maintenance of internal control.
The types of material weaknesses in internal control that the
auditor may identify when obtaining an understanding of the
entity and its internal controls may include:
 ROMM that the auditor identifies and which the entity
has not controlled, or for which the relevant control is
inadequate.
 A weakness in the entity’s risk assessment process that
the auditor identifies as material, or the absence of a
risk assessment process in those cases where it would
be appropriate for one to have been established.
The auditor shall communicate material weaknesses in internal
control identified during the audit on a timely basis to
management at an appropriate level of responsibility and with
those charged with governance.
Material weaknesses may also be identified in controls that
prevent, or detect and correct, error, or those to prevent and
detect fraud.

Deficiencies and Material Weakness in Internal Control

The auditor shall determine whether, on the basis of the audit
work performed, the auditor has identified one or more
deficiencies in internal control.

Deficiency in internal control exists when:

 a control is designed, implemented or operated in such
a way that it is unable to prevent, or detect and correct,
misstatements in the financial statements on a timely
basis; or
 a control necessary to prevent, or detect and correct,
misstatements in the financial statements on a timely
basis is missing.

If the auditor has identified one or more deficiencies in internal

control, the auditor shall determine, on the basis of the audit
work performed, whether, individually or in combination, they
constitute significant deficiencies.

The auditor shall communicate in writing significant deficiencies

in internal control identified during the audit to those charged
with governance on a timely basis.