Chapter 6

CONSIDERATION OF INTERNAL CONTROL

Set Desired Level of Audit Risk
Assess Inherent Risk Assess ControlDetermine
Risk Acceptable Level of Detection Risk

Auditing Planning Consideration of Performing Substantive

Internal control

Once the auditor has set the desired level of audit risk and assessed the appropriate level of inherent risk,
the next step is to assess the level of control risk.

Assessing control risk is the process of evaluating the design and operating effectiveness of an entity's
internal control as to how it prevents or detects material misstatements in the financial statements. The
conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk.

Nature of Internal Control

When an entity is small, its owner or manager can personally perform, or directly oversee, all of its
functions. However, as the entity grows larger, it becomes necessary to delegate functional
responsibilities to employees. Once this occurs, mechanisms need to be introduced which enable the
performance of the employees to be checked, to ensure that they are fulfilling their responsibilities as
intended.

According to PSA 315, internal control is the process designed and effected by those charged with
governance, management, and other personnel to provide reasonable assurance about the achievement of
the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.

This definition embodies four essential concepts.

1. Internal control is a process

Internal control is not an end in itself. Instead, it is means of achieving the entity's objectives.

2. Internal control is affected by those charged with governance management and other personnel.
Internal control is accomplished by people at every level of organization, including the management,
those charged with governance, and entity's staff personnel. It is the responsibility of the management
to establish a control environment and maintain policies and procedures to assist in achieving the
entity's objectives. Those charged with governance, on the other hand, ensure the integrity of
accounting and financial reporting systems through oversight of management. Staff personnel should
also perform their respective functions in order to accomplish the objectives of the entity.
3. Internal control can be expected to provide reasonable assurance of achieving the entity's objectives
Internal control can only provide reasonable assurance (not absolute assurance that the entity's
objectives will be achieved. This is because there are inherent limitations that may affect the internal
control's effectiveness. These benefits to be derived

 Management's usual requirement that the cost of internal control should not exceed the expected
benefits to derived.
 Most internal controls tend to be directed at routine transactions rather than non-routine
transactions.
 The potential for human error due to carelessness, distraction, mistakes of judgment and the
misunderstanding of instructions.
 The possibility of circumvention of internal controls through the collusion among employees.
 The possibility of management overriding the internal control. The possibility that procedures
may become inadequate due to changes in conditions, and compliance with procedures may
deteriorate.

4. Internal control is designed to help achieve the entity's objectives.

Internal control is geared towards the achievement of the entity's objectives in the following
categories:
 Effectiveness and efficiency of operations.
 Compliance with laws and regulations
 Reliability of financial reporting

In the audit of financial statements, the auditor is only concerned with those policies and procedures
within the accounting and internal control systems that are relevant to the financial statement
assertions. Therefore, the objective that is most relevant to the audit is the financial reporting objective.

Operational and compliance objectives may to the audit only if they relate to data evaluates to determine
the reliability of some financial statement assertions. For example, controls pertain non-financial data that
the auditor uses in a procedure, such as production statistics, or pertaining to detecting non-compliance
with regulations that may have a direct and material effect on the financial statements, such as controls
over compliance with income tax laws and regulations used to determine the income tax provision, may
be relevant to an audit.

 Components of internal control

Although internal control policies and procedures vary significantly from one entity to another, there
are essential components of internal control that must be established to provide reasonable assurance
that the entity's objectives will be achieved. There are five interrelated components of the entity's
internal control, namely:

 Control Environment
 Risk Assessment
 Information and communication systems
 Control activities
 Monitoring
❖ Control Environment

The control environment includes the attitudes, awareness, and actions of management and those
charged with governance concerning the entity internal control and its importance in the entity. The
function control environment also includes the governance of management functions and sets the
tone of an organization, influencing the control consciousness of its people. It is the foundation for
effective internal control, providing discipline and structure.

Factors reflected in the control environment include:

▪ Integrity and ethical values

Management should establish ethical standards that discourage employees from engaging in
dishonest, unethical, or illegal acts that could materially affect the financial statements.

▪ Management philosophy and operating style

The auditor should assess the management attitudes towards financial reporting and their
emphasis on meeting projected profit goals because these will significantly influence the risk of
material misstatements in the financial statements.

 Active participation of those charged with governance

The entity must have an audit committee which will be responsible for overseeing the financial
reporting policies and practices of the entity.

▪ Commitment to competence
The entity should consider the level of competence required for each task and translate it to
requisite knowledge and skills.

▪ Personnel policies and procedures

The entity must implement appropriate policies for hiring, training, evaluating, promoting, and
compensating entity's personnel because the competence of the entity's employees will bear
directly on the effectiveness of the entity's internal control.

 Assignment of responsibility and authority/Organizational structure

Organizational structure provides a frame for planning, directing, and controlling entity's
operations. Appropriate methods assigning responsibility must be implement to avoid
incompatible functions minimize the possibility of errors because too much work load assigned to
an employee.

 Risk Assessment

Entity's business objectives cannot be achieved without some risks. Business risk is the risk that the
entity's business objectives will not be attained as a result of internal and external factors such as
technological developments, changes in customers demand and other economic changes.

Business risks are crucial to every organization. Management should adopt policies and procedures
that are designed to identify and analyze the risks affecting the entity's business and to take the
appropriate action to manage these risks. For audit purposes, the auditor is concerned only with those
risks that are relevant to the preparation of reliable financial statements
❖ Information and Communication Systems

Effective internal control must provide timely information and communication. The information
system relevant to financial reporting objectives, which includes the financial reporting system,
consists of the procedures and records established to initiate, record, process, and report entity
transactions as well as events and conditions) and to maintain accountability for the related assets,
liabilities, and equity.

An information system encompasses methods and records that:

 Identify and record all valid transactions

 Describe on a timely basis the transactions insufficient detail to permit proper classification of
transactions for financial reporting,
 Measure the value of transactions in a manner that permits recording their proper monetary value in
the financial statements.
 Determine the time period in which transactions occurred to permit recording of transactions in the
proper accounting period.
 Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to

internal control over financial reporting. Open communication channels help ensure that exceptions are
reported and acted on. Communication can be made electronically, orally, and through the actions of
management. It can take such forms as policy manuals, accounting and financial reporting manuals, and
memoranda.

 Control Activities

Control activities are the policies and procedures that help ensure that management directives are
carried out. Specific control procedures that are
relevant to financial statement audit would include:

 Performance Reviews
 Information Processing
 Physical Controls
 Segregation of duties

1. Performance reviews
These control activities include reviews and of actual performance versus budgets, forecast, and
prior period performance; relating different data to one another, together with analyses of
relationships and investigative and corrective actions, reviews and analyses sets, forecasts, and ng
different sets of

2. Information processing
 A variety of controls are performed to check accuracy, completeness, and authorization of
transactions. When computer processing is used in significant accounting applications, internal
control procedures can be classified into two types: general and application controls.

3. Physical Control
These activities encompass the physical security of assets, including adequate safeguards such as
secured facilities over access to assets and records, authorization for access to computer
programs and data files, and periodic counting and comparison with amounts shown on control
records.

4. Segregation of duties
Assigning different people, the responsibilities of authorizing transactions, recording transactions,
and maintaining custody of assets is intended to reduce the opportunities to allow any person to be
in position to both perpetrate and conceal errors or fraud normal course of the person's duties.
Examples of segregation of duties include reports reviewing and approving reconciliations,
approval and control of documents.

 Monitoring

Monitoring is a process of assessing the quality of internal control performance over time. It involves
assessing the design and operation of controls on a timely basis and taking necessary corrective
actions, Monitoring is done to ensure that controls continue to operate effectively.

Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations,

or a combination of the two. Ongoing monitoring activities are built into the normal recurring
activities of an entity and include regular management and supervisory activities such as preparation
of monthly bank reconciliation. Separate evaluations are monitoring activities that are performed
on a non-routine basis, such as functions performed by internal auditors.

➢ Internal control for a small business

In small businesses, with very few office employees, it is difficult to have proper segregation of
duties or maintain a separate internal audit department. Consequently, internal control systems in
small businesses tend to be weak compared to the internal control systems of larger entities.
These weaknesses, however, can be compensated if the owner/manager actively participates in
the operations of the business.

o Consideration of Internal Control

Auditors are not responsible for establishing and maintaining an entity's accounting and internal
controls systems: that is the responsibility of the entity's management. Nevertheless, the auditors
should give adequate consideration to these controls because the quality of the entity's internal
control systems can have a significant impact on the audit.

Consideration of the entity's internal control systems in the following steps:

 1. Obtain understanding of the internal control
2. Document the understanding of accounting internal control systems.
3. Assess the level of control risk
4. Perform tests of controls
5. Document the assessed level of control risks

➢ Understanding Internal Control

The auditor should obtain sufficient understanding of the components of the entity's internal
control relevant to the audit. Obtaining an understanding of internal control involves

 evaluating the design of a control; and

 determining whether it has been implemented.

Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting, material
misstatements. Implementation of a control means that the control exists and that the controls have been
placed in operation.

An initial understanding of the design of the entity's internal control systems is ordinarily obtained by
 Making inquiries of appropriate individuals;
 Inspecting documents and records; and
 Observing of entity's activities and operations.

After obtaining sufficient knowledge about the design of the system, the auditor should determine
whether these controls have been implemented. This is accomplished by performing "walk-through"
test. This task involves tracing one or two transactions through the entire accounting system, from their
initial recording at source to their final destination as a component of an account balance in the financial
statements. Walk-through tests also confirm the auditor’s understanding of how the accounting systems
and control procedures function.

It is to be emphasized that the auditor is not required to obtain knowledge about the operating
effectiveness the internal control when obtaining an understanding the entity's internal control system. At
this stage of the audit, the auditor is basically concerned about the design of relevant control policies and
procedures and whether such controls are actually being applied.

The auditor uses the understanding of internal control to

 Identify types of potential misstatements that can occur.
 Consider factors that affect the risk of material misstatements.
 Design the nature, timing, and extent audit procedures to be performed.

Documenting the auditor's understanding of internal control

After obtaining sufficient knowledge about the design of internal control system and verifying that the
policies and procedures are implemented, the next step would be for the auditor to document his
understanding of accounting and internal control systems. This documentation need not be in any
particular form. The extent of documentation may vary depending on the size and complexity of the entity
and nature of the entity's internal control systems. Some commonly used forms of documentation include:

 narrative description of the entity's internal control;

  flowchart that diagrams the flow of transactions and documents; and
 internal control questionnaire providing management's responses to questions about internal
control.

Assessment of Control Risk

After obtaining and documenting the auditor's understanding of the accounting and internal control
systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for each
material account balance or class transactions. The auditor's preliminary assessment of control risk may
be at a high level (100%) or less than high level.

When the auditor's knowledge of the entity's internal control indicates that internal controls related to a
particular assertion are not effective, the auditor may simply assess control risk at a high level. Hence, no
tests of controls need to be performed and the auditor will rely primarily on substantive tests.

On the other hand, if the auditor believes that controls appear to be reliable, the auditor should determine
whether it is efficient to obtain the evidence to justify an
assessment of control risk at a lower level.

If the auditor concludes that it is more efficient to rely on the entity's internal control systems, the auditor
would plan to assess control risk at less than high level. For
this purpose, the auditor should

 Identify specific internal control policies or procedures that are likely to prevent or detect and
correct material misstatement relevant to financial statement assertion, and
 Perform tests of control to determine the effectiveness of such policies or procedures.

Performing tests of controls

Irrespective of how effective internal control procedures may appear to be in preventing material
misstatements from occurring in the financial statements, before the auditor can rely on them to reduce
substantive tests; the auditor must test these controls to obtain evidence that they are working effectively
as the preliminary assessment suggests. Tests of controls are performed to obtain evidence about the
effectiveness of the

 design of the accounting and internal control systems; or

 operation of the internal controls throughout the period.

It is important to note that the auditor will only tests the operating effectiveness of controls that are likely
to detect or prevent material misstatements. That is, the auditor will only test those controls that he or she
plans to rely upon. According to PSA, the auditor should obtain audit evidence through tests of control to
support any assessment of control risk at less than high level. The lower the assessment of control
risk, the more support the auditor should obtain that the internal control is suitably designed and operating
effectively. Thus, the greater the reliance the auditor plans to place on internal control, the more extensive
the tests of those controls that need to be performed

❖ Nature of tests of control

Tests of controls generally consist of one (or a combination of the following evidence gathering
techniques (1) inquiry, (2) observation, (3) inspection, and (4) reperformance.
 Inquiry consists of searching for the appropriate information about the effectiveness of internal
control from knowledgeable persons inside or outside the entity

Observation refers to looking at the process being performed by others. For example, the
auditor may observe the payroll payoff procedures or the performance of internal control
procedures that leave no evidence of performance.

Inspection involves the examination of documents and records to provide evidence of

reliability depending on their nature and source and the effectiveness of internal control over
their processing.

Reperformance involves repeating the activity performed by the client to determine whether
proper results were obtained. For example, the auditor may reperform the procedure by tracing
the sales prices to the authorized price list in effect at the date of the transaction. If no errors are
found, the auditor can conclude that the procedure is operating as intended.

For certain controls such as segregation of duties, documentary evidence (audit trail) may not exist. In
this case, the auditor will have to test the effectiveness of the control procedure by making inquiry of
appropriate client personnel and observing the application of the control procedures.

There is a significant overlap between the procedures used to obtain understanding and tests of controls.
Notice that inquiry of client personnel, observation of procedures and inspection of documents are also
used when obtaining understanding about the entity's internal control system. In fact, many of the
procedures used to understand the design of internal control may provide evidence about the reliability of
the client's accounting and internal control systems. Consequently, obtaining understanding of the
entity's internal control system and assessing control risks are often done simultaneously. •

Timing of tests of controls

Auditors usually perform tests of controls during an interim visit in advance of period end. However,
auditors cannot rely on the results of such tests without considering the need to obtain further evidence
relating to the remainder of the period. This evidence may be obtained by performing tests of control for
the remaining period or by reviewing whether there are changes affecting the entity's internal control
system. In determining whether or not to test the remaining period, the following factors must be
considered:

 The results of the interim tests.

 The length of the remaining period.
 Whether changes have occurred in the accounting and internal control systems during the
remaining period.

Extent of tests of control

The auditor cannot possibly examine all transactions related to certain control procedures. In an audit, the
auditor should determine the size of a sample sufficient to support the assessed level of control risk.

Using the results of tests of control

Based on the results of the tests of control, the auditor should evaluate whether the internal controls are
designed and operating as intended. The conclusion reached as a result of this evaluation is called the
assessed level of control risk. The auditor uses the assessed level of control risk (together with the
assessed level of inherent risk) to determine the acceptable level of detection risk. There is an inverse
relationship between detection risk and the combined level of inherent and control risks. For example, if
the combined assessed level of inherent and control risk is high, detection risk needs to be low to reduce
audit risk to an acceptably low level. In this regard, the auditor may consider modifying

 The nature of substantive tests from less effective to more effective procedures
 The timing of substantive tests by performing them at year-end rather than at interim.
 The extent of substantive tests from smaller to larger sample size.
❖ Operating Effectiveness vs. Implementation

Testing the operating effectiveness of controls is different from obtaining audit evidence that
controls have been implemented. When obtaining audit evidence of implementation by
performing risk assessment procedures, the auditor determines that the relevant controls exist and
that the entity is using them. When performing tests of the operating effectiveness of controls, the
auditor obtains audit evidence that controls operate effectively. This includes obtaining audit
evidence about how controls were applied at relevant times during the period under audit, the
consistency with which they were applied, and by whom or by what means they were applied.

➢ Documenting the assessed level of control risk

After evaluating the results of tests of control and assessing the control risk, the auditor should
document his assessment of control risk.

If the control risk is assessed at a high level, the auditor should document his conclusion that
control risk is at a high level If control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high level and the basis for that assessment.
This basis is actually the results of tests of control. Hence, the auditor cannot assess control risk at
less than high level without performing tests of control.

❖ Communication of Internal Control Weaknesses

As a result of the auditor's consideration of the accounting and internal control systems, the
auditor may become aware of weaknesses in the systems. In this regard, the auditor is required to
report to the appropriate level of management material weaknesses in the design or operation of
the accounting and internal control systems, which have come to the auditor's attention. This
communication would ordinarily be in writing and should be done at the earliest opportunity so
that appropriate corrective actions may be taken as soon as possible. Oral communications could
also be made provided these are adequately documented in the audit working papers.

It is to be emphasized that auditors are not required to search for and/or identify internal control
weaknesses. The auditors must, however, communicate internal control weaknesses to the client
when they come to their attention during the course of the audit. These internal control
weaknesses together with other matters of concern are documented in a formal management
letter.