7.

0 AUDIT PROCESS: Internal Control Considerations

7.1 Internal Control

As defined by PSA 315, internal control refers to the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable assurance about the
achievement of an entity’s objectives.
 Responsibility of the entity for internal control is as follows:
o Management – to establish a control environment and maintain policies and procedures to
assist in achieving the entity’s objectives
o Those charged with governance – to ensure the integrity of accounting and financial reporting
systems through oversight of management
o Other personnel – to perform their respective functions
 Internal control can be expected to provide only a reasonable assurance because of the following
limitations that may affect the effectiveness of internal control:
o Reasonable assurance – Cost of an internal control should not exceed the expected benefits
derived
o Management’s responsibility – Controls are influence and designed by management, and as
such, will only be as effective as management desires
o Inherent limitations
 Potential for human error
 Possibility of circumvention and collusion
 Management override
 Possibility that procedures may become inadequate due to changes in condition, and
compliance with procedures may deteriorate
 The following are the entity’s objectives to which why internal control is designed: (a) effectiveness and
efficiency of operations, (b) compliance with applicable laws and regulations, and (c) reliability of
financial reporting
o However, in the audit of financial statements, the auditor concerns himself only of those
policies and procedures within the accounting and internal control systems that are relevant to
the financial statement assertions; thus, the most relevant objective is the financial reporting
objective.
o Operational and compliance objective may only be relevant if they relate to data the auditor
evaluates to determine the reliability of some financial statement assertions.

7.1.1 Control Environment

Control environment sets the tone of an organization, influencing the control consciousness of its people.
It is the foundation for all other components of internal control, providing discipline and structure. Factors
reflected in the control environment include:
 Board of directors/audit committee participation
 Assignment of authority and responsibility
 Management’s philosophy and operating style
 Commitment to competence
 Human resource policies and practices
 Organizational structure
 Integrity and ethical values

7.1.2 Risk Assessment

An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management
of risks relevant to the preparation of FS. Risks can arise or change due to circumstances, such as:
 Changes in operating environment
 New personnel
 New or revamped information systems
  Rapid growth
 New technology
 New lines, products or activities
 Corporate restructurings
 Foreign operations
 Accounting pronouncements

7.1.3 Information and Communication Systems

The information system relevant to financial reporting objectives, which includes the accounting system,
consists of methods and records established in order to initiate, record, process, summarize and report
entity transactions, as well as events and conditions, and to maintain accountability for the related assets,
liability, and equity. The quality of the system-generated information affects management’s ability to
make appropriate decisions in controlling the entity’s activities and to prepare reliable financial reports.

7.1.4 Control Activities

An audit does not require an understanding of all the control activities related to each significant class of
transactions, account balance, and disclosure in the financial statements or to every assertion relevant to
them. Control activities are policies and procedures that help ensure that management directives are
carried out. They help ensure that necessary actions are taken to address risks to achievement of the
entity’s objectives. These activities may be in the form of:
 Performance review – actual performance vs. budgets, forecasts and prior period performance
 Information processing – controls to check accuracy, completeness and authorization of
transactions
 Physical controls – physical security, authorization for access to computer programs and data
files, periodic counting and comparison of physical amount to control records
 Segregation of duties – assignment of different people the responsibility of authorizing,
recording transactions, and maintaining custody of assets

Transaction cycle refers to the policies and the sequence of procedures for processing a particular type of
transaction. Auditors usually take a “transaction cycle approach” when understanding the internal control
components of an entity. The is approach leads to efficient processing of large number of transactions
because a large number of transactions within a given cycle can be categorized into a relatively small
number of distinct types. Generally, the flow of each transaction cycle can be summarized as follows:

Flow/Step Related control objective

(1) Transaction authorization That all transactions are authorized
(2) Transaction execution That only authorized transactions must be executed
(3) Source document
That all transactions are recorded
(4) Book of original entry
(5) General ledger
That all transactions are summarized
(6) Trial balance
(7) Financial statement That all transactions are properly valued, classified and
reported in the proper accounting period

In a small business, it may not be practicable to institute formal control activities, such as the ones to be
discussed below. In this situation, the active involvement of the owner (supervision) may compensate for
the absence of some control activities, such as segregation of duties.
Controls over Revenue/Receipt Cycle
(1) Sales order entry or processing – sales department
 Sales order should be prenumbered and accounted for. A sales order is used to collect
information needed to initiate the sales process. It can be a copy of the customer’s
purchase order prepared by the customer or a document prepared by a member of the
sales staff in response to mail, phone or personal contact with the customer.
 The sales department’s function should be confined to the generation of sales and
provision of services to customers.

(2) Granting of credit – credit department

 The following should be done by the credit manager:
o Investigate before granting credit to prospective customers
o Approve credit memos (However, in small entities, the accounts receivable
clerk may approve credit memos, provided the owner reviews the credit
memos before they are recorded (compensating balance of supervision)
o Approve orders which causes the customer to exceed beyond his allowable
credit limit
 Credit check best prevents the sale of goods on account to a fictitious customer
 All credit memos are approved by the credit manager and accounted for. For
segregation of duties, the credit manager should report to the treasurer
 The credit manager should best report to the treasurer.

(3) Shipment of goods – shipping department

 The shipping personnel should not have access to the storeroom.
 Before preparing a shipping document, shipping department personnel should ensure
that the inventory received from the warehouse matches the sales order, and the
picking ticket or stock release form (i.e. document that is typically used within the
warehouse, strictly to pick up products to fulfill an order). The reconciliation that occurs
in the shipping department is intended to ensure that goods shipped matched the goods
ordered.
 The shipping department should prepare a packing slip, which travels with the goods to
the customer, and describes the contents on the order. Another document that is
prepared and sent to the customer is the bill of lading, which is the legal contract
between the seller and the carrier for the goods in transit.
 Upon filling the order, the shipping department sends the shipping notice to the billing
department to notify them that the order has been filled and shipped. The shipping
notice contains additional information that the packing slip may not contain, such as
shipment date, carrier and freight charges..
 All approved sales orders should be shipped on a timely basis and in accordance with
customer specifications.

(4) Billing of customers – billing department

 The billing department prepares the sales invoice promptly after goods are shipped.
Billing department matches the stock release copy of the sales order (from shipping) to
the invoice, ledger, and file copies of the sales order (sent directly to billing), and then
mails the invoice to the customer. After a certain amount of time has passed, the billing
department should investigate any unmatched invoice, ledger, and file copies of the
sales order by performing controls, such as comparing control totals for shipping
documents with corresponding totals for sales invoices.
 Invoices are posted to the sales journal. Before invoice preparation, the billing
department matches shipping documents with approved sales orders.
  To provide reasonable assurance that all credit sales transactions of entity are recorded,
the billing department supervisor should match prenumbered shipping documents with
entries in the sales journal.
 To achieve control when there is no billing department, the billing function should be
performed by the accounting department.

(5) Recording of receivables – accounts receivable clerk (who reports directly to the controller)
 Invoices sent to them by the billing department are posted to the accounts receivable
subsidiary ledger.
 The AR clerk shall prepare monthly customer statements and mail them to customers.

(6) Collection of receivables – cash receipts clerk/treasurer

 Receipt of cash from customer
o If a company wants to prevent lapping, the entity should have customers send
payments directly to the company's bank.
o However, the entity may choose to have the collections sent to them. In this
case, supervision in the mail room department is critical, since personnel
(usually the receptionists) are the ones who will open the mail and list all cash
receipts (in a cash prelist or cash receipts listing or remittance list or a duplicate
listing of checks received). Upon receipt of customers’ checks, the employee
should forward the list to the cashier and a copy of such listing should be sent
to the accounts receivable clerk to update subsidiary AR records.
 A weekly reconciliation of cash receipts would include comparing the cash prelist with
bank deposit slips
 Cash receipts are posted to the cash receipts journal on a timely basis by the cash
receipts clerk. From the cash prelist prepared by the mail room clerk, the accounts
receivable clerk should post the cash receipts to the AR subsidiary ledger.
 Cash should be in the custody of the cashier, who reports directly to the treasurer.
 Use of a bank lockbox system most likely would reduce the risk of diversion of customer
receipts by an entity’s employees.

(7) Other matters

 Write-offs must be approved by the treasurer or any other responsible officer
independent of the sales, credit and record keeping function, after reviewing credit
department recommendations and supporting evidence.
 Defective merchandise returned by customers should be presented to the receiving
department. The receiving department counts and inspects items which are returned by
customers. The receiving department prepares a return slip of which a copy goes to the
warehouse for restocking, and a copy goes to the sales order department so that a
credit memo can be issued to the customer, subject to the credit department’s
approval.
 The following duties are incompatible:
o Sales order processing and credit approval
o Cash receipts and recording accounts receivable
 In case of stock-outs, shipping out-of-stock items as soon as they become available may
be addressed by matching the back order file to goods received daily. Once identified,
appropriate action on unfilled orders could be made.
 Daily sales summaries include information about billed sales. Reconciliation of these
summaries to the AR subsidiary ledger would provide reasonable assurance that all
billed sales were posted.
Controls over Expenditure/Disbursement Cycle
(1) Purchase order entry – purchasing department
 The purchasing department’s function is solely to purchase authorized goods
(requisitioned materials) and services at the desired quality and best price. This function
necessarily includes approval of purchase orders and negotiation with vendor of
purchase terms. It has no function in authorization for purchase, in receiving, or in
payment.
 To minimize the risk that purchasing agents will use their positions for personal gain, an
entity should require competitive bidding.
 Determining the need for raw materials before preparing the purchase order will ensure
that only needed materials will be ordered.
 Systematic reporting of product changes that will affect raw materials ensures that
obsolete materials will not be ordered.
 Obtaining financial approval before making a commitment is important to ensure that
sufficient funds will be available on payment date.
 Purchase orders should be prenumbered and accounted for.

(2) Receipt of goods – receiving department

 When goods are received, the receiving clerk should match the goods received with the
vendor’s shipping document and the purchase order. Then, the receiving clerk prepares
a receiving report indicating the quantity received.
 Quantity of the merchandise ordered is omitted from the copy of the purchase order
(blind purchase order) to ensure that the department will count the incoming
merchandise; thereby allowing the entity to pay only for what was received, which may
not be what was billed by the vendor.
 Receiving reports should be prenumbered and accounted for.

(3) Record liabilities – accounts payable department

 The accounts payable department processes vendor invoices for payment.
 Accounts payable clerk is responsible for comparing the quantity purchased (purchase
orders) with the quantity received (receiving report) and the quantity billed by the
vendor (vendor’s invoice)
 Before checks are prepared, AP clerk matches the documents, verifies mathematical
accuracy, and approves the voucher for payment by an authorized person.
 This department also indicates the asset and expense accounts to be debited.
 This department prepares the voucher and daily summary of purchases. Daily summary
is forwarded to General Accounting for recording.

(4) Payment of liabilities – cash disbursements department/treasurer

 This department is responsible for preparing and signing checks, canceling support
documents, and mailing signed checks. Keeping the control of mailing with the
employee who signed the checks, instead of sending them back to the AP department,
prevents alteration of check amounts and payees. Mailing disbursement checks should
be controlled by the employee who signs the check last.
 Canceling the voucher package/packet – voucher, PO, RR, and VI – upon payment
prevents duplicate payments of a voucher. This should be done in the treasurer’s office
to ensure that the documents will not be recycled for duplicate payments. Each voucher
should be stamped “paid” by the check signer.
 This department prepares daily summary of cash disbursements.
 A standard control over cash disbursements include sequentially numbering checks.
They shall be accounted for by the person preparing the bank reconciliation.
Controls over Investing Cycle
(1) Investments in fixed assets
 Authorization functions
o Written policies and procedures for all additions, disposals, and retirements
should be made.
 Custodial functions
o To strengthen control procedures over the custody of heavy mobile equipment,
the client would most likely institute a policy requiring a periodic inspection of
equipment and reconciliation with accounting records.
 Record keeping functions
o To improve accountability for fixed asset retirements, management most likely
would implement an internal control structure that includes continuous
utilization of serially numbered retirement work orders
(2) Investments in financial assets
 Custodial function
o Securities should be properly controlled physically in order to prevent
unauthorized usage.
o Securities may be safeguarded thru the employment of an independent trust
agent. To safeguard against the loss of marketable securities, an independent
trust company that has no direct contact with the employees who have record-
keeping responsibilities, has possession of the securities.
o However, if such agent is not employed, access to securities should be vested
in more than 1 individual (two company officials have joint control of
marketable securities, which are kept in a bank safety deposit box).
o Responsibility of custody over short-term investments and submission of
coupons for periodic interest collections (in case of bonds) should be delegated
to the treasurer.

Controls over Production/Conversion Cycle – the objectives of internal control for this cycle are to provide
assurance that custody of work-in-process and of finished goods is properly maintained, and that the
transactions are properly executed and recorded.
(1) Custodial function (storekeeping department)
 This department is responsible for receiving materials from the receiving department,
make arrangement for proper storage of materials and finished goods, issue materials
to production departments against proper and authorized materials requisition, issue
purchase requisition.
 Inventory movements should be properly documented and recorded to establish
accountability.
 Access to inventory should be restricted to personnel authorized by management.
Management could establish physical control over inventory, maintain insurance, both
for inventory and for inventory personnel in the form of fidelity bonds and segregate
responsibility for handling inventory from inventory recording, cost accounting, and
general accounting.
(2) Record keeping function (inventory control department)
 The entity can easily keep track of materials usage by maintaining perpetual inventory
records. To maintain accurate inventory records, periodic inventory counts are used to
adjust the perpetual inventory records.
 To control inventory recording, management could establish processing and recording
procedures, prenumber and control material release forms and production orders, and
maintain logs of inventory movement into and out of storerooms and production.
 To ensure the accuracy of the recorded inventory quantities, management may
establish a cutoff for goods received and shipped.
 Controls over Payroll Cycle
(1) Personnel function (personnel department)
 An entity’s personnel department provides authorization for hiring, for pay rates, and
deductions.
 Thus, this department holds records for employment, discharges, and pay rates.
 To avoid payroll fraud, personnel department should promptly send employee
termination notices to the payroll supervisor.

(2) Timekeeping function (department supervisors)

 An entity’s department manager provides authorization for hours worked.
 Immediate line supervisors in the department should also be given the control activity
of reviewing and approving time cards and reports because they have direct knowledge
about whether work has been performed, and benefit expenses are incurred only for
work performed.

(3) Record keeping function (payroll department)

 Payroll clerk should calculate and record the payroll based on authorized pay rates and
deductions, and each of the employee’s time card. Time cards are the official records of
time worked by employees, and should be the basis for payroll computation (each
employee should have one time card, but may have 1 or more job time tickets in a day)
 It also may maintain employee’s year-to-date records.
 This department is responsible for the preparation of periodic governmental reports as
to employee’s earnings and withholding taxes.
 Payroll department is responsible for verifying the agreement of job time tickets with
employee clock card hours by employees.

(4) Custodial function

 Paychecks should only be prepared by the treasurer’s office only on the basis of
supporting documentation from both the timekeeper and payroll accounting.
 Distribution of the paychecks should be ideally done by a paymaster (sometimes the
receptionist), or any responsible official who does not authorize or record payroll.
 In a cash payroll system, employees must be required to sign a receipt that will serve as
documentation for the payment received.
 Unclaimed pay envelopes should be deposited in the bank for proper custody (in a
special bank account), or directly to the treasurer. However, management may establish
a policy that requires that the paymaster deliver all unclaimed payroll checks to the
internal auditing department at the end of each payroll distribution day in order to
detect any fictitious employee who may have been placed on the payroll.

7.1.5 Monitoring
Monitoring is a process that assesses the quality of internal control performance over time. It involves
assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
This process is accomplished through:
 Ongoing activities – built into the normal recurring activities of an entity and include regular
management and supervisory activities, such as preparation of monthly bank reconciliation
 Separate evaluations – monitoring activities that are performed on a non-routine basis, such as
functions performed by internal auditors
 Various combinations of the foregoing
7.2 Obtain Understanding of Internal Control
In all audits, the auditor should obtain an understanding of each of the five components of internal control
sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit
of FS, and whether they have been implemented; however, the auditor is not required to obtain knowledge
about the operating effectiveness as part of the understanding internal control. At this stage of the audit, the
auditor is basically concerned about the design and whether such controls are actually applied, regardless of
its effectiveness.

Component Understanding required by PSA 315

Control  Management, with the oversight of those charged with governance, has
environment created and maintained a culture of honesty and ethical behavior; and
 The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control, and
whether those other components are not undermined by control environment
weaknesses.

Risk assessment Whether the entity has a process of:

 Identifying business risks relevant to financial reporting objectives;
 Estimating the significance of the risks;
 Assessing the likelihood of their occurrence; and
 Deciding about actions to address those risks

Information and  Significant classes of transactions

communication  The procedures, manual or not, for recording, processing, correcting as
system necessary, posting, and reporting n the financial statements;
 Related accounting records, supporting information and specific accounts in FS
 How the information system captures events and conditions, other than
transactions that are significant to the financial statements;
 The financial reporting process used to prepare the entity’s FS
 Controls surrounding journal entries
 Communications between management and those charged with governance
 External communications, such as those with regulatory authorities

Control activities  Control activities relevant to the audit to assess the risks of material
misstatement at the assertion level and design further audit procedures
responsive to assessed risks.
 How the entity has responded to risks arising from IT.

Monitoring  major activities that the entity uses to monitor internal control over financial
reporting, including those related to those control activities relevant to the
audit, and how the entity initiates corrective actions to its controls
 sources of the information used in the entity’s monitoring activities, and the
basis upon which management considers the information to be sufficiently
reliable for the purpose

The auditor uses the understanding of internal control to:

 Identify types of potential misstatements that can occur
 Consider factors that affect the risk of material misstatements
 Design the nature, timing and extent of audit procedures to be performed
 Procedures to obtain initial understanding
A. Design of internal control
 Making inquiries of appropriate individuals
 Inspecting documents and records
 Observing of entity’s activities and operations
B. Implementation of internal control – reperformance, or conducting a “walk-through test,” which
involves tracing one or two transactions through the entire accounting systems, from their initial
recording at source to their final destination as a component of an account balance in the FS

7.3 Document Understanding of Internal Control

Form and extent is a matter of professional judgment based upon size and complexity of the client and the
size of the firm. Some common forms of documentation includes:
 Internal control questionnaire (ICQ) – a series of questions designed to elicit a “yes” or “no” response
 Narrative description – memoranda describing the system
 Flow chart – a symbolic representation of the auditor’s understanding of the system
 Check lists

7.4 Assess Control Risk Using Initial Understanding

Control risk at the maximum (controls are not effective)

When the auditor’s knowledge of the entity’s internal control indicates that the internal controls related to a
particular assertion are not effective and the auditor decides that testing the effectiveness of controls would
not be cost-effective, the auditor may simply assess the control risk to be at a high level. Hence, no tests of
controls need not be performed and the auditor will rely primarily on substantive tests.

Control risk at less than maximum

If the auditor concludes that it is more efficient to rely on the entity’s internal control systems, the auditor
would plan to assess control risk at less than high level. Should this be the case, the auditor should:
 Extend understanding of control activities to determine what control activities are prescribed by the
client, by whom are those activities performed, and whether those procedures are likely to be
effective in reducing control risk
 Perform tests of controls to determine the controls’ operating effectiveness (i.e. concerned with how
the control was applied, its consistency of use, and by whom it was applied)

7.5 Further Audit Procedures: Perform Tests of Controls

Tests of controls, as defined by PSA 330, refer to audit procedures designed to evaluate the operating
effectiveness of controls in preventing, detecting and correcting, material misstatements at assertion level.
 Tests of controls are performed, when:
o Auditor’s assessment of risks of material misstatements at the assertion level includes an
expectation that the controls are operating effectively; simply stated, the auditor intends to
rely on the operating effectiveness of the controls
o Substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level
 In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence
the greater the reliance the auditor places on the effectiveness of a control.
 Nature, timing and extent of tests of controls:
o Nature & extent – perform inquiry and other procedures to obtain evidence regarding:
 How the controls were applied at relevant times during the period under audit
 Consistency with which controls were applied
 By whom or by what means they were applied
 o Timing – controls are tested for the particular time, or throughout the period, for which the
auditor intends to rely on such controls. When the auditor performs tests during an interim
period, the auditor shall:
 Obtain evidence about significant changes to those controls subsequent to the
interim period
 Determine the additional evidence to be obtained for the remaining period
 Procedures for tests of controls
o Testing the operating effectiveness of controls is different from obtaining an understanding
of and evaluating the design and implementation of controls. However, the same types of
audit procedures are used. The auditor may, therefore, decide it is efficient to test the
operating effectiveness of controls at the same time as evaluating their design and
determining that they have been implemented.
o Further, although some risk assessment procedures may not have been specifically designed
as tests of controls, they may nevertheless provide audit evidence about the operating
effectiveness of the controls and, consequently, serve as tests of controls.
o Auditor may design a test of controls to be performed concurrently with a test of details on
the same transaction. Although the purpose of a test of controls is different from the
purpose of a test of details, both may be accomplished concurrently by performing a test of
controls and a test of details on the same transaction, also known as a dual-purpose test
 If evidence from previous audits is used, the auditor shall establish continuing relevance of such
evidence whether significant changes have occurred subsequent to the audit.
o If there have been changes, the auditor shall test the controls in the current audit.
o If there have not been changes, the auditor shall test the controls once in every third audit,
and shall test some controls each audit to avoid the possibility of testing all the controls on
which the auditor intends to rely in a single audit period with no testing of controls in the
subsequent two audit periods.
 When evaluating the operating effectiveness of relevant controls, the auditor shall evaluate whether
misstatements that have been detected by substantive procedures indicate that controls are not
operating effectively. The absence of misstatements detected by substantive procedures, however,
does not provide audit evidence that controls related to the assertion being tested are effective
 When deviations from controls upon which the auditor intends to rely are detected, the auditor shall
make specific inquiries to understand these matters and their potential consequences, and shall
determine whether:
o The tests of controls that have been performed provide an appropriate basis for reliance;
o Additional tests of controls are necessary; or
o The potential risks of misstatement need to be addressed using substantive procedures

Nature of tests of controls

Tests of controls generally consist of 1 (or a combination) of the following evidence-gathering techniques:
 Inquiry – consists of searching for the appropriate information about the effectiveness of the internal
control from knowledgeable persons inside or outside the entity
 Observation – refers to looking at the process being performed by others;
 Inspection – involves examination of documents and records to provide evidence of reliability
depending on their nature and source and the effectiveness of internal control over their processing
 Reperformance – involves repeating the activity performed by the client to determine whether
proper results were obtained; for example, the auditor may reperform the procedure by tracing the
sales price to the authorized price list in effect at the date of transaction, and if no errors are found,
the auditor can conclude that the procedure is operating as intended
 Revenue cycle  To obtain evidence concerning proper credit approval, an auditor may
select a sample of customer order file.
 To obtain evidence concerning the operating effectiveness of minimizing
errors of failure to post sales invoices to AR subsidiary ledger, an auditor
may select a sample from the sales invoice file.
 To obtain evidence concerning the operating effectiveness of minimizing
errors of failure to invoice goods that have been shipped, the auditor may
select a sample from the bill of lading (or shipping notice) file.
 To obtain evidence about management’s assertion concerning the
completeness of sales transactions, the auditor is most likely to inspect
the entity’s reports of prenumbered shipping documents that have not
been recorded in the sales journal.
 The auditor may observe an entity’s employee prepare the schedule of
past due accounts receivable.
Expenditure cycle  To determine whether checks are being issued for unauthorized
expenditures, an auditor most likely would select a sample from canceled
checks. They shall be matched with approved vouchers, a prenumbered
PO and prenumbered RR. If they are unsupported, it is most likely that
the checks are issued with no authority.
 To obtain evidence concerning the completeness assertion of purchases,
the auditor would most likely test if the PO, RR and vouchers are
prenumbered and periodically accounted for.
Investing cycle  To test the control over proper recording of retirements of PPE, the
auditor should select certain items of equipment from the accounting
records and locate them in the plant.
Payroll cycle  Auditor may observe the distribution of paychecks to ascertain whether
employees of record actually exist and are employed by the client
 An auditor will ordinarily determine whether payroll checks are properly
endorsed during the testing of cash in bank.
 Tracing selected items from the payroll journal to employee time cards
that have been approved by supervisory personnel is designed to provide
evidence that all employees worked the number of hours for which their
pay was computed.
 One of the auditor's objectives in observing the actual distribution of
payroll checks is to determine that every name on the payroll is that of a
bona fide employee. The payroll observation is an auditing procedure
that is generally performed because the various phases of payroll work
are not sufficiently segregated to afford effective control.

7.6 Document Assessed Level of Control Risk

After evaluating the results of control and assessing the control risk, the auditor should document his
assessment of control risk

Control risk is assessed Control risk is assessed

at a high level at less than high level
Conclusion as to the assessed level of risk / /
Basis for assessment X /