AT Lecture 7 - Internal Control (June 2020)

UE CENTER for REVIEW and SPECIAL STUDIES

2219 C.M. Recto, Ave. Sampaloc Manila Tel Nos. 735-5602, 735-5471 loc. 332/331

Auditing Theory AT – Lecture 7


Prof. Francis H. Villamin
==================================================================

Internal Control

“The auditor should obtain an understanding of internal control relevant to the audit.”

1. The auditor uses the understanding of internal control to identify the types of potential misstatements,
consider factors that affect the risks of material misstatement and design the nature, timing and
extent of further audit procedures.

2. The COSO Report, issued by the Committee on Sponsoring Organizations, is the most
comprehensive document issued on internal control to date. The report provides a framework against
which entities can assess their internal controls and establish a common definition of internal control
that serves the needs of a variety of groups.

Internal control is “a process, effected by those charged with governance, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:

a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and regulations”

It follows that internal control is designed and implemented to address identified business risks that
threaten the achievement of the above-mentioned objectives.

3. Four key concepts embodied in the COSO Report’s definition of internal control are:

a. Internal control is a process (not a single event) integrated within (not added onto) another
process: the process management uses to plan, to execute transactions and events, and to
monitor results.
b. People at every level of the organization, including the board of directors, management, and
employees, accomplish internal control. The effectiveness of internal control can be diminished
by the inherent limitations of people.
c. Internal control is a means to achieve an entity’s objectives.
d. Internal controls can be expected to provide reasonable, but not absolute, assurance that
objectives will be accomplished, since the benefits expected from some controls may not be
worth the cost of implementation.

4. There is a direct relationship between an entity’s objectives and the controls it implements to provide
reasonable assurance about their achievement.

5. The auditor’s risk assessment process relates to controls pertaining to the entity’s objective of
preparing financial statements for external purposes and the management risk that may give rise to a
material misstatement in those financial statements. It is a matter of professional judgment, subject
to the requirements of PSA, whether a control, individually or in combination with others, is relevant to
the auditor’s considerations in assessing the risks of material misstatement and designing and
performing further procedures in response to assessed risks.

Inherent Limitations of Internal Control

1. Human judgment
2. Manual or automated controls can be circumvented by collusion
3. Management may inappropriately override internal control
4. Custom, culture, the governance system and an effective internal control environment are not
absolute deterrents to fraud.
5. Costs should not exceed benefits.

6. In exercising that judgment, the auditor considers the applicable component and factors such as the
following:
• The auditor’s judgment about materiality
• The size of the entity
• The nature of the entity’s business, including its organization and ownership
characteristics
• The diversity and complexity of the entity’s operations
• Applicable legal and regulatory requirements
• The nature and complexity of the systems that are part of the entity’s internal control,
including the use of service organizations.

7. Areas of Internal Control

a. Administrative Control
This includes, but is not limited to, plan of organization and the procedures and records that are
concerned with the decision processes leading to management’s authorization of transactions.
Administrative controls promote operational efficiency and adherence to managerial policies.

b. Accounting Control
This comprises the plan of organization and the procedures and records that are concerned
with the safeguarding of assets and the reliability of financial records. It involves systems of
authorization and approval controls over assets, internal audit and all other financial matters.

8. The COSO Report also identifies five interrelated components of internal control that should be
integrated within the management process:

a. Control environment – management’s and the board of directors’ attitude, awareness, and
actions toward internal control.
Sub-elements:
- Integrity and ethical values
- Commitment and competence
- Board of directors or audit committee
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices

b. Risk assessment – every entity faces risks, both external (such as technological developments)
and internal (such as employee pilferage). Management’s task is to identify the risks that bear on
their operations, financial reporting, and compliance objectives and to take the action necessary
to manage them. For example, an entity might confront the following risks solely as a result of
managing change.
- Changed operating environment
- New personnel
- New information systems
- Rapid growth
- New technology
- New products or services
- Corporate restructuring
- Foreign operations

c. Control activities (also called control procedures) – policies and procedures in addition to
the control environment and the information system that management establishes to provide
reasonable assurance that their objectives are achieved. The independent auditor’s objective is to
understand an entity’s control activities sufficiently to plan the audit. Control activities are
established over:

1. Authorization and execution of transactions – responsible personnel acting within the
scope of their prescribed authority and responsibility should authorize all transactions.
a. Specific authorization means authorization is required each time the transaction is
proposed and is typically used for unusual, material, or infrequent projects.
b. General authorization means the entity has policies and procedures that personnel
should follow to determine if a proposed transaction or project is authorized in
general.

- Authorization is not the same as approval. Authorization means authority has been
given to acquire or expend resources. Approval, in contrast, means the conditions for
authorization have been met and resources may therefore be acquired or expended.
Transaction authorization usually precedes approval, although they may occur
simultaneously.

2. Segregation of duties – segregation of responsibilities aids in preventing any one employee,
acting alone, from committing and concealing frauds. Optimum segregation of duties exists
when collusion is necessary to circumvent controls.
• Optimum segregation of duties suggests that no employee be responsible for any
more than one function because:
a. Restricting employee responsibility to one function means at least four different
employees are required to authorize, execute, record, and check a transaction. A
system of checks and balances reevaluates the validity of a transaction four
separate times.
b. The more employees required to complete a transaction, the more employees
necessary to commit and conceal fraud and it is reasonable to assume that
employees are less apt to attempt collusion as the number of employees
required to commit fraud increases.

To achieve optimum segregation of responsibilities, an entity’s management,
custodial, accounting and monitoring functions should be performed by different
employees. That is, the following responsibilities would be separated:

- Transaction authorization (a management function)
- Transaction execution (a custodial function)
- Transaction recording (an accounting function)
- Independent checks on performance (a monitoring function)

3. The design and use of documents and records – transactions must be recorded promptly
in the accounting periods and PESO amounts actually executed, and classified properly in
subsidiary ledger and control accounts.

• Documents and records are evidence of executed transactions and collectively
represent the audit trail that is so critical to an auditor when tracing transactions
through an accounting system.
• The transaction-recording process and the accounting records should be described
clearly and unambiguously in a procedures manual in order to encourage consistent
use and completion of prescribed accounting records and documents and to provide
a ready reference for newly hired personnel.

4. Access to assets and records – only authorized personnel should have access to assets
and records.

d. Information and communication – to operate efficiently, an entity needs to identify, capture and
communicate both external and internal information in a form and time frame that enables people
to discharge their assigned responsibilities.

• External information includes market share, customer complaints, etc.
• Internal information includes the accounting system, which consists of the methods
and records established by management to record and report transactions and
events and to maintain accountability for assets and liabilities. To be effective an
accounting system should:

- Include methods and records that will identify all valid transactions
- Record transactions in the proper accounting period
- Describe transactions on a timely basis and in sufficient detail to permit proper
classification, to measure the transaction properly, and to present summarized
transactions and related disclosures accurately in the financial statements.

The auditor’s objective in considering an entity’s accounting system is to obtain an
understanding of:
- Major classes of transactions
- How transactions are initiated
- The records, documents and accounts used in the processing and reporting
of transactions.
- The processing of transactions
- Financial reporting procedures

The central activity of most businesses typically involves a series of related functions, all of
which must be captured within the accounting system. The table below categorizes
these functions into four groups of transactions called transaction cycles, the means by
which transactions are processed by an accounting system:
(1) financing
(2) expenditure/disbursement
(3) conversion
(4) revenue/receipt

e. Monitoring – to assure quality, internal controls should be monitored through continuing or
periodic evaluations, or both. Discrepancies should be resolved by management at least one
level above those responsible.
• The reliability of an accounting system can be evaluated by comparing recorded
assets with actual assets continually or periodically.
• To maximize effectiveness, monitoring should take advantage of the element of
surprise, be performed by personnel independent of the functions tested, and result
in appropriate corrective action.

CONSIDERING INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT

1. In order to comply with the PSA, an auditor must acquire “a sufficient understanding of internal
control … to plan the audit and to define the nature, timing, and extent of tests to be performed.”

2. There are three steps to the auditor’s consideration of internal control:

1. Obtain an understanding of how management has designed policies and procedures
for the control environment, risk assessment, the control activities, information and
communication, and monitoring.

• An understanding of internal control allows an auditor to identify the types of material
misstatements that could occur in the financial statements, to consider factors that
affect the risk of material misstatements, and to design substantive tests of account
balances and transaction classes that are processed by the internal controls.

• Obtaining an understanding of internal control consists of:

1) Performing a preliminary review which provides an opinion on whether reliance
on the control is likely to be cost effective

2) Documenting the system’s internal controls and identifying transaction cycles

In practice today, auditors use one or more of the three means to document an
entity’s internal controls:

1. Narrative memorandum is a written description of a particular phase or
phases of an accounting system.
2. Flowchart or Data flow diagram consists of interrelated symbols that
diagram the flow of transactions and events through a system. Flowcharts
capture the complexity of the systems, allowing the auditors to focus sharply
on key controls within the system.
3. Internal control questionnaire consists of a series of questions designed to
detect control deficiencies.

Because the number and nature of transaction cycles varies from industry to
industry and from company to company, an auditor must identify each client’s
major transaction cycles. Identifying cycles involves five steps:

1. Review account components for homogeneity.
2. Identify representative cycles
3. Flowchart each cycle, supplementing with narratives and questionnaires as
necessary.
4. Trace one or a few representative transactions through each cycle (a
transaction walk-through).
5. Revise flowcharts if necessary.

3) Performing a transaction walk-through, and

4) Identifying controls that reduce to a relatively low level the risk of material
misstatements.

2. Assess control risk for relevant assertions related to each significant account balance
or transaction class. To determine an assessed level of control risk the auditor:
• Considers the errors or frauds that could occur and that could result in misstatements
in the financial statements.
• Identifies relevant control activities designed to prevent or detect the errors or frauds,
and
• Performs tests of controls on the control activities that may prevent or detect the
errors or frauds.

In a financial statement audit, tests of controls consist of audit procedures directed
toward testing the effectiveness of the design or the operation of an internal control policy
or procedure. Tests of controls directed toward the design of a policy or procedure
address one issue:

• Whether or not the policy or procedure is suitably designed to prevent or detect
material misstatements in specific financial statement assertions.

Tests of controls over the design of a policy or procedure include inquiring of client
personnel, inspecting documents and reports and observing employees performing the
policy or procedures.

3. Determine the nature, timing, and extent of substantive tests necessary to restrict
detection risk to an acceptable level. Control risk and detection risk are inversely related
– as the assessed level of control risk increases, the acceptable level of detection risk
decreases.

• In planning substantive tests an auditor would perform more persuasive tests,
perform tests at the balance sheet date rather than at interim dates, and would test
more extensively.
• As the assessed level of control risk decreases, the acceptable level of detection risk
increases. In planning substantive tests an auditor would perform less persuasive
tests, perform tests at the interim dates rather than at the balance sheet date, and
would test less extensively.

COMMUNICATING REPORTABLE CONDITIONS AND MATERIAL WEAKNESSES IN INTERNAL CONTROL

1. Establishing, maintaining, and monitoring an entity’s internal controls is the responsibility of
management. The auditor is required to communicate with management when, in the course of
the review, he or she identifies a “reportable condition.”

2. Reportable conditions are defined as “significant deficiencies in the design or operation of the
internal control, that could adversely affect the organization’s ability to record, process,
summarize, and report financial data consistent with the assertions of management in the
financial statements.”

3. A major reportable condition may involve deficiencies in any component of internal control,
including the control environment and the control activities.
- A deficiency may be of such magnitude as to be considered a “material weakness.”
- As defined, a material weakness is “a condition in which the design or operation of the
specific internal control elements do not reduce to a relatively low level the risk that errors
or frauds in amounts that would be material in relation to the financial statements being
audited may occur and not be detected within a timely period by employees in the normal
course of performing their assigned functions.”

4. The auditor communicates reportable conditions to the audit committee in the form of reports.
The reports are restricted use reports and general use reports.

- Restricted use reports are intended for specified parties.
- General use reports are not intended for specified parties.

5. Reportable conditions communicated are those conditions detected as a result of considering
internal control in accordance with PSA. Additional conditions may exist and not be detected.

6. Audit engagements are designed and conducted with the primary audit objective in mind, to
issue an opinion on the financial statements, and cannot be relied on to detect all significant
deficiencies in internal control.

*****************************************