Audit Chapter 6

The document provides an overview of internal control and control risk from an audit perspective. It discusses: 1) The objectives of internal control systems which are reliability of financial reporting, efficiency and effectiveness of operations, and compliance with laws and regulations. 2) The responsibilities of management and auditors with regards to internal control. Management is responsible for establishing controls while auditors focus on understanding and testing controls related to financial reporting. 3) The five components of internal control - control environment, risk assessment, information and communication, control activities, and monitoring.

Uploaded by Khalid Muhammad
Copyright: © All Rights Reserved

Audit I, Lecture Notes, CH 6, Compiled for AAU Students, Jan 2019.

CHAPTER 6
INTERNAL CONTROL AND CONTROL RISK
1. INTRODUCTION
Definition: A system of internal control consists of policies and procedures designed to
provide management with reasonable assurance the company achieves its objectives
and goals.

Internal control is not only essential to maintaining the accounting and financial records of an
organization, it is essential to managing the entity. Everyone from the external auditors to
management to the board of directors to the stockholders of large public companies to
government has an interest in internal controls. In many parts of the world, regulators have
emphasized the importance of internal control by requiring management to make annual public
statements about the effectiveness of internal controls.

Reinforcing internal controls is generally seen as one of the most important steps in avoiding
negative surprises. Even a company that is considered “in control” will face risks. Effective
internal controls will ensure that risks are identified at an early stage. Company risk
management procedures will identify ways to deal with these risks, to the extent possible.

2. INTERNAL CONTROL OBJECTIVES
Management has three broad objectives in designing an effective internal control system.
i. Reliability of financial reporting - Management has both a legal and a professional
responsibility to be sure that the information is fairly presented in accordance with
reporting requirements such as IFRS. The objective of effective internal control over
financial reporting is to fulfill these financial reporting responsibilities.
ii. Efficiency and effectiveness of operations - Controls within a company encourage
efficient and effective use of its resources to optimize the company’s goals. An important
objective of these controls is accurate financial and nonfinancial information about the
entity’s operations for decision making.
iii. Compliance with laws and regulations - Organizations are required to follow many
laws and regulations. Some relate to accounting only indirectly, such as environmental
protection and civil rights laws. Others are closely related to accounting, such as income
tax regulations and anti-fraud legal provisions.
3. MANAGEMENT AND AUDITOR RESPONSIBILITIES CONCERNING INTERNAL CONTROL
3.1. Management Responsibilities
Management has responsibility for establishing and maintaining the entity’s internal controls.
Management identifies the risk of not achieving their objectives. To minimize these risks,
management designs and puts in place a set of rules, physical constraints and activities called
“internal controls” which, if they are implemented properly, will minimize the risks of not
meeting objectives.

Today, careful evaluation of internal control design and how it is operating in practice is
stimulated by regulatory requirements, such as (in the USA) the Sarbanes-Oxley Act (which
requires internal control statements) and SEC rules. This internal control report
contains a statement of management’s responsibility for establishing and maintaining adequate
control over financial reporting, and a description of the framework management uses to
evaluate the effectiveness of controls. Management must give their assessment of the
effectiveness of internal controls, and the auditor is asked for an attestation report on
management’s assessment.

Two key concepts underlie management’s design and implementation of internal control
a) Reasonable Assurance – a company should develop internal controls that provide
reasonable, but not absolute, assurance that the financial statements are fairly stated.
Internal controls are developed after considering the costs and benefits of controls.
b) Inherent limitations - internal controls can never be regarded as completely effective,
regardless of the care followed in their design and implementation. Inherent limitations
can be divided into three areas:
1. Collusion – an agreement between two parties to carry out an improper purpose.
2. Management override - there are two types of override. One is outright theft, where
the manager authorizes an improper payment to himself, and then forces the
employees underneath him to make the payment by implicitly threatening to fire them
if they do not. The other type is financial statement misrepresentation, where the
manager deliberately misstates the financial statements for the purpose of either
deceiving outsiders or showing good results to his superiors for the sake of a pay raise
or bonus.
3. Temporary failure – everybody makes mistakes.
Generally, management’s assessment of internal control over financial reporting consists
of two key components.
a) Design of internal control - First management must evaluate the design of internal
control over financial reporting.
b) Operating Effectiveness of controls - Management must test the operating
effectiveness of those controls. The testing objective is to determine whether the control
is operating as designed and whether the person performing the control possesses the
necessary authority and qualifications to perform the control effectively.
3.2. Auditor Responsibilities
3.2.1. Auditor Responsibilities for Understanding Internal Control
As we discussed in the previous chapter focusing on Audit Concepts and Planning the Audit
(ISA 300, 315, 320), the consideration of internal control is an important part of the audit planning
process. In dealing with internal control matters, auditors are primarily concerned about
controls over the reliability of financial reporting and controls over classes of transactions.
Controls Over the Reliability of Financial Reporting - To comply with auditing standards, the
auditor focuses primarily on controls related to the first of management’s internal control
concerns - reliability of financial reporting. Financial statements are not likely to correctly
reflect IFRS if internal controls over financial reporting are inadequate. Unlike the client, the
auditor is less concerned with controls that affect the efficiency and effectiveness of company
operations, because such controls may not influence the fair presentation of financial
statements. Auditors should not, however, ignore controls affecting internal management
information, such as budgets and internal performance reports. These types of information are
often important sources used by management to run the business and can be important sources
of evidence that help the auditor decide whether the financial statements are fairly presented. If
the controls over these internal reports are inadequate, the value of the reports as evidence
diminishes.

As stated in Chapter 2, auditors have significant responsibility for the discovery of material
fraudulent financial reporting and misappropriation of assets (fraud) and direct-effect illegal acts.
Auditors are therefore also concerned with a client’s internal control over the safeguarding of
assets and compliance with laws and regulations if they affect the fairness of the financial
statements. Internal controls, if properly designed and implemented, can be effective in
preventing and detecting fraud.

Controls over Classes of Transactions - Auditors emphasize internal control over classes of
transactions rather than account balances because the accuracy of accounting system outputs
(account balances) depends heavily on the accuracy of inputs and processing (transactions).
For example, if products sold, units shipped, or unit selling prices are wrong in billing customers
for sales, both sales and accounts receivable will be misstated. On the other hand, if controls are
adequate to ensure correct billings, cash receipts, sales returns and allowances, and write-offs,
the ending balance in accounts receivable is likely to be correct. Because of the emphasis on
classes of transactions, auditors are primarily concerned with the transaction-related audit
objectives discussed when assessing internal controls over financial reporting.

Even though auditors emphasize transaction-related controls, the auditor must also gain an
understanding of controls over ending account balance and presentation and disclosure
objectives.

3.2.2. Auditor Responsibilities for Testing Internal Control


Tests of the operating effectiveness of controls may be performed on controls that the auditor
has determined are suitably designed to prevent, or detect and correct, a material misstatement.
The result of testing the design may reveal deficiencies in internal control, which must be
reported to management (ISA 265).

Section 404(b) of the Sarbanes–Oxley Act of the USA requires that the auditor report on the
effectiveness of internal control over financial reporting. To express an opinion on these
controls, the auditor obtains an understanding of and performs tests of controls for all significant
account balances, classes of transactions, and disclosures and related assertions in the
financial statements.
4. COMPONENTS OF INTERNAL CONTROL
Internal control consists of five interrelated components:
• Control Environment
• Risk Assessment
• The Information System, Communication, and Related Business Processes
• Control Activities (Control Procedures)
• Monitoring
4.1. Control Environment
The control environment means the overall attitude, awareness, and actions of directors and
management regarding the internal control system and its importance in the entity. The control
environment has a pervasive influence on the way business activities are structured, the way
objectives are established, and the way risks are assessed. The control environment is
influenced by the entity’s history and culture. Effectively controlled companies set a positive
“tone at the top” and establish appropriate policies and procedures.

Elements of the control environment are: communication and enforcement of integrity and
ethical values; commitment to competence; participation by those charged with governance;
management’s philosophy and operating style; organizational structure; assignment of authority
and responsibility; and human resource policies and practices.

4.2. Risk Assessment Process


All components of internal control, from control environment to monitoring, should be assessed
for risk. Certain conditions may increase risk and, therefore, deserve special consideration.
These conditions are: changed operating environment; new personnel; new or revamped
information systems; rapid growth; new technology; new lines, products and activities; corporate
restructuring; and foreign operations.

Management’s risk assessment differs from, but is closely related to, the auditor’s risk
assessment. Management assesses risks as part of designing and operating the internal control
system to minimize errors and irregularities. Auditors assess risks to decide the evidence
needed in the audit. The two risk assessment approaches are related in that if management
effectively assesses and responds to risks, the auditor will typically need to accumulate less
audit evidence than when management fails to, because control risk is lower.

Risk assessment should not be treated as a strictly separate component, for risk is assessed in
all the other components – control environment risk, information system risk, risk of lack of
control procedures, and risk from absence of adequate monitoring.

4.3. The Information System, Communication, and Related Business Processes


Information is needed at all levels of the organization: financial information; operating
information; compliance information; and information about external events, activities, and
conditions. This information must be identified, captured, and communicated in a form and time
frame that enables people to carry out their responsibilities. The information system controls
should be tested because general IT and input risks may mean that the accounting system does
not produce sufficient audit evidence.

The information relevant to financial reporting is recorded in the accounting system and is
subjected to procedures that initiate, record, process, and report entity transactions. The quality
of information generated by the system affects management’s ability to make appropriate
decisions in controlling the entity’s activities and preparing reliable financial reports.
Financial Reporting Information System and Processes - For an audit, the auditor should
obtain an understanding of the information system and the related business processes relevant
to financial reporting in the following areas:
• the classes of transactions in the entity’s operations that are significant to the financial
statements;
• the procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed, and reported from their occurrence to their inclusion in
the financial statements; this includes the correction of incorrect information and how
information is transferred to the general ledger.
• the related accounting records, supporting information, and specific accounts in the
financial statements and how they initiate, record, process, and report transactions;
• how the information system captures events and conditions, other than transactions, that
are significant to the financial statements;
• controls surrounding journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments; and
• the financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures.
4.4. Control Activities (Control Procedures)
Control procedures (sometimes called “control activities”) are policies and procedures that help
ensure management directives are carried out. They help ensure that necessary actions are
taken to address risks to the achievement of the entity’s objectives for operations, financial
reporting, or compliance. Generally, control procedures fall into five broad categories:
authorization, performance reviews, information processing, physical controls, and segregation
of duties.

Two Elements of Control Procedures


Control procedures may be divided into two elements: a policy establishing what should be
done and procedures to effect that policy. A policy, for example, might be that a securities
dealer retail branch manager must monitor (conduct performance reviews of) customer trades.
The control procedure to effect that policy is a review of a report of trade activities by the
customer, performed in a timely manner and with attention given to the nature and volume of
securities traded. Control procedures implement the control policies by specific routine tasks,
performed at particular times by designated people, held accountable by adequate supervision
and evidence of performance.
The categories of control activities given in ISA 315 are:
• Performance reviews,
• Information processing (accuracy, adequate documents, application controls),
• Physical controls,
• Segregation of duties, and
• Authorization of transactions and activities, general controls.

4.4.1. Performance Reviews


Performance reviews are independent checks on performance by a third party not directly
involved in the activity. Sometimes called internal verification, these control activities include
reviews and analyses of actual performance versus budgets, forecasts, and prior period
performance; relating different sets of data – operating or financial – to one another, together
with analyses of the relationships and investigative and corrective actions; comparing internal
data with external sources of information; and review of functional or activity performance.
These reviews may also include reviews of actual performance versus budgets; surprise checks
of procedures; periodic comparisons of accounting records and physical assets; and a review of
functional or activity performance.

An example of a surprise check would be to pull the time cards at the beginning of a shift and see
that everyone who is “punched in” is present. A routine comparison of accounting records and
physical assets is a bank reconciliation performed by a person independent of the accounting
records and handling of cash. A review of functional or activity performance would be a bank’s
consumer loan manager’s review of reports by branch, region, and loan type for loans.

4.4.2. Information Processing


Information processing control procedures are those controls that ensure accuracy of input and
processing, adequacy of documents and records, and computer application controls.
Application controls are controls that apply to applications that initiate, record, process, and
report transactions (such as MS Office, SAP, QuickBooks, Peachtree), rather than the computer
system in general.
There are several standard application controls. The chart of accounts is an important
application control because it provides the framework for determining the information presented
in financial statements and budgets. The most widely applicable control device is the use of
serial numbers on documents and input transactions. Serial numbers provide control over the
number of documents issued. Checks, tickets, sales invoices, purchase orders, stock
certificates and many other business papers use this control. Documents should be recorded
immediately because long periods between transaction and recording increase the chance of
misstatement. Systems manuals for computer accounting software should provide sufficient
information to make the accounting functions clear.

Information system authorization controls, called general controls, are considered an
authorization control rather than an information processing control. General controls are
policies and procedures that relate to many applications and support the effective functioning of
application controls by helping to ensure the continued proper operation of information systems.
General controls include access controls like user ID, passwords and back-up and recovery
procedures.

Information Processing of Transaction Records - A standard general information processing
control is an entity’s transaction records. The entity should maintain a set of records on which
transactions are recorded and summarized. In a manual system these records include sales
invoices, shipping documents, purchase orders, subsidiary records, journals, ledgers, and
employee time cards. In a computer system, these records are all represented in the database
maintained by an accounting application program (such as QuickBooks, SAP, and Oracle
Financials).

These records must be adequate to provide good assurance that all assets are properly
controlled and all transactions correctly recorded. Well-designed documents in a manual system
and preformatted input screens in a computer system should be pre-numbered consecutively,
prepared at the time a transaction takes place, simple enough to be clearly understood,
designed for multiple uses to minimize the number of different forms, and constructed in a
manner that encourages correct preparation.

4.4.3. Physical Controls


Physical controls are procedures to ensure the physical security of assets. Assets and records
that are not adequately protected can be stolen, damaged, or lost. In highly computerized
companies damaged data files could be costly or even impossible to replace. For these
reasons, only individuals who are properly authorized should be allowed access to the
company’s assets. Direct physical access to assets may be controlled through physical
precautions, for example: storerooms guard inventory against pilferage; locks, fences and
guards protect other assets such as equipment; and fireproof safes and safety deposit vaults
protect assets such as currency and securities.

4.4.4. Segregation of Duties


Segregation of duties seeks to prevent persons with access to readily realizable assets from
being able to adjust the records that record and thereby control those assets. Duties are
divided, or segregated, among different people to reduce the risks of error or inappropriate
actions. For instance, responsibilities for authorizing transactions, for recording them, and for
handling the related assets (called custody of assets) are separated.

Segregation of duties entails three fundamental functions (acronym ARC) that must be
separated and adequately supervised:

1. Authorization is the delegation of initiation of transactions and obligations on the
company’s behalf.
2. Recording is the creation of documentary evidence of a transaction and its entry into the
accounting records.
3. Custody is physical control over assets or records.

A separation of these three functions (Authorization, Custody and Recording) is an essential
element of control. Let us use the example of wages. Authorization is required for hiring of staff
and is a function of the personnel department. The accounting department handles the
recording of the time records and the payroll in the payroll journals. The receipt of paychecks
and issuance of them to the employees is handled by work supervisors.
Authorization vs. Custody - People who authorize transactions should not have control over
the related asset. The authorization of a transaction and the handling of the related asset by the
same person increases the possibility of defalcation within the organization.
Custody vs. Recording - If an individual has custody of assets and also accounts for them,
there is a high risk of that person disposing of the asset for personal gain and adjusting the
records to cover the theft. The basic control imposed by double-entry bookkeeping means that
in order to conceal the theft or fraudulent use of an asset, the perpetrator must be able to
prevent the asset being recorded in the first place or to write it off. If the theft cannot be
permanently written off, it may still be temporarily concealed by being carried forward in
preparing inventory sheets, in performing the bank reconciliation, or in reconciling the debtor or
creditor control accounts.
IT Segregation of Duties - Operations responsibility and record keeping and the information
technology (IT) duties should be separate. Information systems are crucially important to
control, so it is suggested that those duties be segregated for programmer, computer operator,
librarian, and data reviewer. A programmer wrote (or configured) the software. Giving the
programmer access to input data creates temptation. The computer operator (who inputs the
accounting data) should not be allowed to modify the program. A librarian maintains and is
custodian of the records and files that should only be released to authorized personnel. The
person who tests the efficiency of all aspects of the system should be independent of the other
computer jobs.
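A check of the ARC separation described in this section, as an added example that is not part of these notes: it flags users who have been granted incompatible functions (a preventive check) and completed transactions where one person performed two or more of the functions (a detective check). The user names, grants and payroll transactions are constructed sample data.

```python
"""Segregation-of-duties (ARC) check over constructed transaction records.

Added example, not part of the lecture notes. It applies the ARC rule from
the text (authorization, recording and custody of a transaction must be
performed by different people) in two ways: a preventive check of the
functions granted to each user, and a detective check over a log of completed
transactions. Users, grants and transactions are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The three ARC functions named in the text.
AUTHORIZE, RECORD, CUSTODY = "authorization", "recording", "custody"

# Pairings that must not fall to one person. The first two are the ones the
# text discusses (authorization vs. custody, custody vs. recording); the third
# completes the ARC separation.
INCOMPATIBLE_PAIRS: Dict[Tuple[str, str], str] = {
    (AUTHORIZE, CUSTODY): "authorizer also controls the asset",
    (CUSTODY, RECORD): "custodian also keeps the records and can conceal a shortage",
    (AUTHORIZE, RECORD): "authorizer also records, so no independent record exists",
}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    performed_by: Dict[str, str]  # ARC function -> user who performed it


@dataclass(frozen=True)
class Finding:
    txn_id: str
    user: str
    functions: Tuple[str, str]
    reason: str


def conflicting_grants(grants: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Preventive check: users whose granted functions include an incompatible pair.
    Run against the role assignments before any transaction is processed."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for user, functions in grants.items():
        pairs = [pair for pair in INCOMPATIBLE_PAIRS if set(pair) <= functions]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def check_transaction(txn: Transaction) -> List[Finding]:
    """Detective check: one Finding per incompatible pair performed by the same user."""
    findings: List[Finding] = []
    for (f1, f2), reason in INCOMPATIBLE_PAIRS.items():
        who = txn.performed_by.get(f1)
        if who is not None and who == txn.performed_by.get(f2):
            findings.append(Finding(txn.txn_id, who, (f1, f2), reason))
    return findings


def check_log(txns: List[Transaction]) -> List[Finding]:
    """Run the detective check over a whole transaction log."""
    return [f for txn in txns for f in check_transaction(txn)]


# Constructed role grants, following the payroll example in the text: the
# personnel department authorizes hiring, accounting records the payroll,
# and supervisors hand out the paychecks. One manager holds all three.
SAMPLE_GRANTS: Dict[str, Set[str]] = {
    "hr.clerk": {AUTHORIZE},
    "payroll.accountant": {RECORD},
    "shift.supervisor": {CUSTODY},
    "branch.manager": {AUTHORIZE, RECORD, CUSTODY},
}

# Constructed payroll transactions; only PAY-001 is properly segregated.
SAMPLE_TRANSACTIONS: List[Transaction] = [
    Transaction("PAY-001", 4200.0, {AUTHORIZE: "hr.clerk", RECORD: "payroll.accountant", CUSTODY: "shift.supervisor"}),
    Transaction("PAY-002", 3900.0, {AUTHORIZE: "hr.clerk", RECORD: "payroll.accountant", CUSTODY: "payroll.accountant"}),
    Transaction("PAY-003", 6100.0, {AUTHORIZE: "shift.supervisor", RECORD: "payroll.accountant", CUSTODY: "shift.supervisor"}),
    Transaction("PAY-004", 5000.0, {AUTHORIZE: "branch.manager", RECORD: "branch.manager", CUSTODY: "branch.manager"}),
]


if __name__ == "__main__":
    for user, pairs in conflicting_grants(SAMPLE_GRANTS).items():
        print(f"grant conflict: {user} holds {pairs}")
    for finding in check_log(SAMPLE_TRANSACTIONS):
        print(f"{finding.txn_id}: {finding.user} performed {finding.functions[0]} "
              f"and {finding.functions[1]} ({finding.reason})")
```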

4.4.5. Authorization of Transactions and Activities, General Controls


Every transaction must be properly authorized if controls are to be satisfactory. If any person in
an organization could acquire or expend assets at will, complete chaos would result.
Authorization can be either general or specific.

Under general authorization, management establishes policies and subordinates are
instructed to implement these general authorizations by approving all transactions within the
limits set by the policy. General authorization decisions include the issuance of fixed price lists
for the sale of products, credit limits for customers, and fixed reorder points for making
acquisitions.

Specific authorization applies to individual transactions. For certain transactions, management
prefers to authorize each transaction. An example is the authorization of a sales transaction by
the sales manager for a used-car company.

The distinction between authorization and approval is also important. Authorization is a policy
decision for either a general class of transactions or specific transactions. Approval is the
implementation of management’s general authorization decisions. An example of a general
authorization is management setting a policy authorizing the ordering of inventory when less
than a 3-week supply is on hand. When a department orders inventory, the clerk responsible for
maintaining the perpetual record approves the order to indicate that the authorization policy has
been met. In other cases, the computer approves the transactions by comparing quantities of
inventory on hand to a master file of reorder points and automatically submits purchase orders
to authorized suppliers in the vendor master file. In this case, the computer is performing the
approval function using preauthorized information contained in the master files.
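The approval step described above, as an added example that is not from these notes: the policy (reorder when less than a 3-week supply is on hand, buy only from authorized suppliers) is the general authorization, and the code performs the approval by checking each proposed order against inventory and vendor master files. The SKUs, usage rates, quantities and vendor records are constructed.

```python
"""Approval of inventory reorders against preauthorized master files.

Added example, not part of the lecture notes. It separates the two ideas in the
text: authorization is management's policy decision (reorder when less than a
3-week supply is on hand, buy only from authorized suppliers), and approval is
the computer checking each proposed order against master files that hold the
preauthorized values. Item and vendor data are constructed sample records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# General authorization set by management (from the text): reorder when
# fewer than 3 weeks of supply remain.
REORDER_WEEKS = 3


@dataclass(frozen=True)
class ItemRecord:
    """One row of the inventory master file (constructed)."""
    sku: str
    on_hand: int
    weekly_usage: int     # average units consumed per week
    reorder_qty: int      # preauthorized order quantity
    vendor_id: str        # preauthorized supplier


@dataclass(frozen=True)
class Decision:
    sku: str
    approved: bool
    vendor_id: Optional[str]
    quantity: int
    reason: str


# Constructed vendor master file: only active vendors are preauthorized.
VENDOR_MASTER: Dict[str, dict] = {
    "V-100": {"name": "Example Supplies Ltd", "active": True},
    "V-200": {"name": "Example Trading PLC", "active": False},  # deactivated
}

# Constructed inventory master file.
ITEM_MASTER: List[ItemRecord] = [
    ItemRecord("SKU-A", on_hand=40, weekly_usage=20, reorder_qty=100, vendor_id="V-100"),   # 2.0 weeks left
    ItemRecord("SKU-B", on_hand=200, weekly_usage=20, reorder_qty=100, vendor_id="V-100"),  # 10.0 weeks left
    ItemRecord("SKU-C", on_hand=10, weekly_usage=10, reorder_qty=50, vendor_id="V-200"),    # 1.0 week, inactive vendor
    ItemRecord("SKU-D", on_hand=5, weekly_usage=5, reorder_qty=30, vendor_id="V-999"),      # vendor not in master file
]


def weeks_of_supply(item: ItemRecord) -> float:
    """Weeks the on-hand quantity will last at the recorded usage rate."""
    if item.weekly_usage <= 0:
        return float("inf")  # no consumption: the reorder point is never reached
    return item.on_hand / item.weekly_usage


def vendor_is_preauthorized(vendor_id: str, vendor_master: Dict[str, dict]) -> bool:
    vendor = vendor_master.get(vendor_id)
    return vendor is not None and bool(vendor["active"])


def generate_purchase_orders(items: List[ItemRecord], vendor_master: Dict[str, dict],
                             reorder_weeks: int = REORDER_WEEKS) -> List[Decision]:
    """The approval function: compare each item with its reorder point and the
    vendor master file. Only orders that fall entirely within the general
    authorization are approved; anything else is held for specific authorization."""
    decisions: List[Decision] = []
    for item in items:
        supply = weeks_of_supply(item)
        if supply >= reorder_weeks:
            decisions.append(Decision(item.sku, False, None, 0,
                                      f"{supply:.1f} weeks on hand; reorder point not reached"))
        elif not vendor_is_preauthorized(item.vendor_id, vendor_master):
            decisions.append(Decision(item.sku, False, item.vendor_id, item.reorder_qty,
                                      "vendor not preauthorized in vendor master file; needs specific authorization"))
        else:
            decisions.append(Decision(item.sku, True, item.vendor_id, item.reorder_qty,
                                      f"{supply:.1f} weeks on hand (< {reorder_weeks}); approved under general authorization"))
    return decisions


def approve_requisition(sku: str, vendor_id: str, quantity: int, items: List[ItemRecord],
                        vendor_master: Dict[str, dict], reorder_weeks: int = REORDER_WEEKS) -> Decision:
    """Approval of a requisition raised by a department clerk. The clerk cannot
    widen the policy: a different vendor or a larger quantity than the master
    file allows is an exception that needs specific authorization."""
    by_sku = {item.sku: item for item in items}
    item = by_sku.get(sku)
    if item is None:
        return Decision(sku, False, vendor_id, quantity, "unknown SKU")
    if weeks_of_supply(item) >= reorder_weeks:
        return Decision(sku, False, vendor_id, quantity, "reorder point not reached")
    if vendor_id != item.vendor_id or not vendor_is_preauthorized(vendor_id, vendor_master):
        return Decision(sku, False, vendor_id, quantity, "vendor is not the preauthorized, active supplier")
    if quantity > item.reorder_qty:
        return Decision(sku, False, vendor_id, quantity, "quantity exceeds preauthorized reorder quantity")
    return Decision(sku, True, vendor_id, quantity, "within general authorization")


if __name__ == "__main__":
    for d in generate_purchase_orders(ITEM_MASTER, VENDOR_MASTER):
        print(f"{d.sku}: {'APPROVED' if d.approved else 'HELD'} ({d.reason})")
    print(approve_requisition("SKU-A", "V-100", 150, ITEM_MASTER, VENDOR_MASTER))
```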

Summary of Segregation of Duties

Transaction type: Authorization
Controls: Controls that ensure that only necessary transactions based on the entity’s objectives
are undertaken. They prevent unnecessary and fraudulent transactions.
Examples: Organizational chart, accounting procedures manual, chart of accounts, conflict of
interest policy, signatures on checks limited to that of the president, etc.

Transaction type: Recording
Controls: Controls which ensure that all authorized transactions are allowed in the accounting
records, that they are properly entered, and that they are not deleted or amended without proper
authorization.
Examples: Entries in journals then ledgers, posting reference in journals, rotation of accounting
personnel, listing of mail receipts, cash register tapes, reconciliation of bank statements, etc.

Transaction type: Custody
Controls: Controls that ensure that assets cannot be misused.
Examples: Pre-numbered forms, access to records (computer or manual) limited to authorized
personnel, individuals handling cash do not keep the accounting records of cash, bonding of
employees, locked storage, people responsible for assets should not be authorized to sell them,
daily deposits of cash, etc.

4.5. Monitoring
Internal control systems need to be monitored. Monitoring is a process that deals with ongoing
assessment of the quality of internal control performance over time. The process involves
assessing the design of controls and their operation on a timely basis and taking necessary
corrective actions. By monitoring, management can determine that internal controls are
operating as intended and that they are modified as appropriate for changes in conditions.

Ongoing monitoring information comes from several sources: exception reporting on control
activities, reports by government regulators, feedback from employees, complaints from
customers, and most importantly from internal auditor reports. For large companies, an internal
audit department is essential to effective monitoring. This feedback from the internal auditors
may also help external auditors reduce evidence requirements.

Management’s monitoring activities may include using information from communications from
external parties such as customer complaints and regulator comments that may indicate
problems or highlight areas in need of improvement. Two more examples of monitoring activities
are management’s review of bank reconciliations, and internal auditors’ evaluation of sales
personnel’s compliance with the company’s human resource policies.

Summary of the Components of Internal Control Structure

Component: Control environment
Description: Actions, policies and procedures that reflect the overall attitude of top
management, directors, and owners of an entity about controls and their importance.
Component elements:
• Integrity and ethical values
• Commitment to competence
• Those charged with governance (board of directors or audit committee)
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices

Component: Management’s risk assessment
Description: Management’s identification and analysis of risks relevant to the preparation of
financial statements in accordance with IFRS.
Component elements: Management’s assertions: existence, completeness, valuation,
presentation and disclosure, measurement, occurrence.

Component: Accounting information systems and communication
Description: Methods used to identify, assemble, classify, record, and report an entity’s
transactions and to maintain accountability for related assets.
Component elements: Transaction-related audit objectives: existence, completeness, accuracy,
classification, timing, posting, and summarization.

Component: Control activities (Control procedures)
Description: Policies and procedures that management established to meet its objectives for
financial reporting.
Component elements:
• Adequate segregation of duties
• Proper authorization of transactions and activities (specific computer controls)
• Adequate documents and records (general computer controls)
• Physical control over assets and records
• Independent checks on performance

Component: Monitoring
Description: Management’s ongoing and periodic assessment of the effectiveness of the design
and operation of an internal control structure to determine if it is operating as intended and
modified when needed.
Component elements: Not applicable.

5. OBTAIN AND DOCUMENT UNDERSTANDING OF INTERNAL CONTROL


Auditing standards require auditors to obtain and document their understanding of internal
control for every audit. This understanding is necessary for both the audit of internal controls
over financial reporting and the audit of financial statements. Management’s documentation is a
major source of information in gaining the understanding.

As part of the auditor’s risk assessment procedures, the auditor uses procedures to obtain an
understanding, which involve gathering evidence about the design of internal controls and
whether they have been implemented, and then uses that information as a basis for
the integrated audit. The auditor generally uses four of the eight types of evidence described in
Chapter 5 to obtain an understanding of the design and implementation of controls:
documentation, inquiry of entity personnel, observation of employees performing control
processes, and re-performance by tracing one or a few transactions through the accounting
system from start to finish.

Auditors commonly use three types of documents to obtain and document their understanding
of the design of internal control: narratives, flowcharts, and internal control questionnaires.

i. Narrative
 Is a written description of a client's internal controls.
 It has four characteristics.
 A proper narrative of an accounting system and related controls describes four things:
a) The origin of every document and record in the system
b) All processing that takes place
c) The disposition of every document and record in the system
d) An indication of the controls relevant to the assessment of control risk

ii. Flow Chart
 Is a diagram of the client's documents and their sequential flow in the organization.
 It is easier to read and easier to update.
 An adequate flowchart includes the same four characteristics identified for narratives.

iii. Internal Control Questionnaire
 Asks a series of questions about the controls in each audit area as a means of
uncovering aspects of internal control that may be inadequate.
 Most questionnaires require a “yes” or a “no” response, with “no” responses
indicating potential internal control deficiencies.
5.1. Evaluating Internal Control Operation
In addition to understanding the design of the internal controls, the auditor must also evaluate
whether the designed controls are actually placed in operation.

There are four methods to evaluate this:
a) Update and evaluate the auditor's previous experience with the entity.
b) Make inquiries of client personnel. Inquiries directed toward internal audit personnel may
relate to their activities concerning the design and effectiveness of the entity’s internal
control. Ordinarily, inquiry of entity personnel alone will not be sufficient to evaluate the
design of a control or to determine whether a control has been implemented.
c) Examine documents and records.
d) Observe and re-perform the application of a specific control. The auditors may
observe the application of the control or re-perform the application themselves.

6. ASSESS CONTROL RISK


The auditor obtains an understanding of the design and implementation of internal control to
make a preliminary assessment of control risk as part of the auditor’s overall assessment of the
risk of material misstatements. This assessment is a measure of the auditor’s expectation that
internal controls will prevent material misstatements from occurring or detect and correct them if
they have occurred.

The starting point for most auditors is the assessment of entity-level controls. By nature,
entity-level controls, such as many of the elements contained in the control environment, risk
assessment, and monitoring components, have an overarching impact on most major types of
transactions in each transaction cycle. For example, an ineffective board of directors, or
management’s failure to have any process to identify, assess, or manage key risks, has the
potential to undermine controls for most of the transaction-related audit objectives. Thus,
auditors generally assess entity-level controls before assessing transaction-specific controls.

Once auditors determine that entity-level controls are designed and placed in operation, they
next make a preliminary assessment for each transaction-related audit objective for each major
type of transaction in each transaction cycle. For example, in the sales and collection cycle, the
types of transactions usually involve sales, sales returns and allowances, cash receipts, and the
provision for and write-off of uncollectible accounts. The auditor also makes the preliminary
assessment for controls affecting audit objectives for balance sheet accounts and presentations
and disclosures in each cycle.
6.1. Use of a Control Risk Matrix to Assess Control Risk
Many auditors use a control risk matrix to assist in the control risk assessment process at the
transaction level. Its purpose is to provide a convenient way to organize the assessment of control
risk for each audit objective.

The following are the 6 steps the auditor may follow in preparing the matrix.

1) Identify transaction-related audit objectives
2) Identify existing controls
3) Associate controls with transaction-related audit objectives
4) Identify and evaluate control deficiencies, significant deficiencies and material weaknesses

 There are three levels of deficiency when evaluating the absence of internal controls for each
transaction-related audit objective:

a) Control Deficiency
 Exists if the design or operation of controls does not permit company personnel to
prevent or detect misstatements on a timely basis.
 A design deficiency exists if a necessary control is missing or not properly designed.
 An operation deficiency exists if a well-designed control does not operate as
designed, or when the person performing the control is insufficiently qualified or
authorized.
b) Significant Deficiency
 Exists if one or more control deficiencies exist that, more than remotely, adversely
affect a company's ability to initiate, authorize, record, process or report reliable
financial statements.
c) Material Weakness
 Exists if a significant deficiency, by itself or in combination with other significant
deficiencies, results in a more than remote likelihood that internal control will not prevent
or detect material financial statement misstatements.
 A five-step approach can be used to identify deficiencies, significant deficiencies and
material weaknesses:
a) Identify existing controls
b) Identify the absence of key controls
c) Consider the possibility of compensating controls
d) Decide whether there is a significant deficiency or material weakness
e) Determine the potential misstatements that could result

5) Associate significant deficiencies and material weaknesses with transaction-related
audit objectives
6) Assess control risk for each transaction-related audit objective

This assessment is not the final one. Before making the final assessment at the end of the
integrated audit, the auditor will test controls and perform substantive tests. These
procedures can either support the preliminary assessment or cause the auditor to make
changes. In some cases, management can correct deficiencies and material weaknesses
before the auditor does significant testing, which may permit a reduction in control risk.
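The six-step matrix procedure above, worked through as an added example that is not part of the lecture notes: the objective names are the transaction-related audit objectives the notes list, while the sales-cycle controls, the findings and the high/medium/low rating rule are constructed assumptions standing in for the auditor's judgement.

```python
"""Control risk matrix: added example, not from the notes. Objective names are
the notes'; controls, findings and the rating rule are constructed assumptions."""
from dataclasses import dataclass
# Step 1: transaction-related audit objectives (as listed in the notes)
OBJECTIVES = ("existence", "completeness", "accuracy",
              "classification", "timing", "posting_summarization")

@dataclass
class Control:
    name: str
    objectives: tuple       # Step 3: objectives this control addresses
    operating: bool = True  # False once tests of controls show it failed
@dataclass
class Finding:              # Step 4: an absent or failed key control
    objective: str
    more_than_remote: bool  # likelihood a misstatement goes undetected
    material: bool          # magnitude of the potential misstatement
    compensating: bool      # Step 4c: a compensating control was found
def classify(f):
    """Step 4d: the three severity levels described in the notes."""
    if f.compensating or not f.more_than_remote:
        return "control deficiency"
    return "material weakness" if f.material else "significant deficiency"

def build_matrix(controls, findings):
    """Steps 2, 3, 5 and 6: one row per objective with its assessed risk."""
    rows = {o: {"controls": [], "findings": [], "risk": ""} for o in OBJECTIVES}
    for c in controls:            # Steps 2-3: map controls that operate
        for o in c.objectives:
            if c.operating:
                rows[o]["controls"].append(c.name)
    for f in findings:            # Step 5: map deficiencies to objectives
        rows[f.objective]["findings"].append(classify(f))
    for row in rows.values():     # Step 6: assess control risk per objective
        severe = {"significant deficiency", "material weakness"}
        if severe & set(row["findings"]) or not row["controls"]:
            row["risk"] = "high"      # no reliance on controls for this objective
        elif row["findings"]:
            row["risk"] = "medium"    # deficiency offset by a compensating control
        else:
            row["risk"] = "low"
    return rows
# Constructed sales-cycle data: one control failed its test, two are absent
CONTROLS = [Control("Invoice matched to shipping document", ("existence", "accuracy")),
            Control("Prenumbered shipping docs accounted for", ("completeness",), False),
            Control("Sales recorded on ship date", ("timing",))]
FINDINGS = [Finding("completeness", True, True, False), Finding("timing", True, False, True),
            Finding("classification", True, False, False)]
MATRIX = build_matrix(CONTROLS, FINDINGS)
```

Each row of MATRIX carries the operating controls, the classified deficiencies and the preliminary control risk for one objective, which is what the auditor later revisits after tests of controls.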

6.2. Communications to those Charged with Governance and Management Letters


As part of understanding internal control and assessing control risk, the auditor is required to
communicate certain matters to those charged with governance. This information and other
recommendations about controls are also often communicated to management (ISA 265).

 Communications to Those Charged with Governance - The auditor must communicate
significant deficiencies and material weaknesses in writing to those charged with governance as
soon as the auditor becomes aware of their existence. The communication is usually addressed
to the audit committee and to management. Timely communication may provide management
an opportunity to address control deficiencies before management’s report on internal control
must be issued. In some instances, deficiencies can be corrected sufficiently early such that
both management and the auditor can conclude that controls are operating effectively as of the
balance sheet date.

 Management Letters - In addition to these matters, auditors often identify less significant
internal control-related issues, as well as opportunities for the client to make operational
improvements. These should also be communicated to the client. The form of communication is
often a separate letter for that purpose, called a management letter. Although management
letters are not required by auditing standards, auditors generally prepare them as a value-added
service of the audit.
7. TESTS OF CONTROLS
Assessing control risk requires the auditor to consider both the design and operation of controls
to evaluate whether they are likely to be effective in meeting transaction-related audit objectives.
We’ve examined how auditors link controls, significant deficiencies, and material weaknesses in
internal control to related audit objectives to assess control risk for each objective. Now we’ll
address how auditors test those controls that are used to support a control risk assessment.
7.1. Purpose of Tests of Controls
Assessing control risk requires the auditor to consider both the design and operation of controls
to evaluate whether they will likely be effective in meeting related audit objectives. During the
understanding phase, the auditor will have already gathered some evidence in support of both
the design of the controls and their implementation by using procedures to obtain an
understanding. In most cases, the auditor will not have gathered enough evidence to reduce
assessed control risk to a sufficiently low level. The auditor must therefore obtain additional
evidence about the operating effectiveness of controls throughout all, or at least most, of the
period under audit. The procedures to test effectiveness of controls in support of a reduced
assessed control risk are called tests of controls.

If the results of tests of controls support the design and operation of controls as expected, the
auditor uses the same assessed control risk as the preliminary assessment. If, however, the
tests of controls indicate that the controls did not operate effectively, the assessed control risk
must be reconsidered. For example, the tests may indicate that the application of a control was
curtailed midway through the year or that the person applying it made frequent misstatements.
In such situations, the auditor uses a higher assessed control risk, unless compensating
controls for the same related audit objectives are identified and found to be effective. Of course,
the auditor must also consider the impact of those controls that are not operating effectively on
the auditor’s report on internal control.

7.2. Procedures for Tests of Controls


The auditor is likely to use four types of procedures to support the operating effectiveness of
internal controls. Management’s testing of internal control will likely include the same types of
procedures. The four types of procedures for tests of controls are:
a) Make inquiries of appropriate client personnel
b) Examine documents, records and reports
c) Observe control-related activities
d) Re-perform client procedures
7.3. Extent of Procedures
The extent to which tests of controls are applied depends on the preliminary assessed control
risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are
applied, both in terms of the number of controls tested and the extent of the tests for each
control. For example, if the auditor wants to use a low assessed control risk, a larger sample
size for documentation, observation, and re-performance procedures should be applied. The
extent of testing also depends on the frequency of the operation of the controls, and whether it
is manual or automated.

Controls Addressing Significant Risk - It is especially important to evaluate the design of
controls that address significant risks and controls for which substantive procedures alone are not
sufficient. For significant risks, the auditor should evaluate the design of the entity’s controls,
including relevant control procedures. Implementation of a control means that the control exists
and that the entity is using it. We will discuss tests of implementation of controls in Chapter 8,
Control Risk, Audit Planning and Tests of Controls.
7.4. Relationship between Tests of Controls and Procedures to Obtain an Understanding
There is a significant overlap between tests of controls and procedures to obtain an
understanding. Both include inquiry, documentation, and observation. There are two primary
differences in the application of these common procedures.
1. In obtaining an understanding of internal control, the procedures to obtain an
understanding are applied to all controls identified during that phase. Tests of controls,
on the other hand, are applied only when the assessed control risk has not been
satisfied by the procedures to obtain an understanding.
2. Procedures to obtain an understanding are performed only on one or a few transactions
or, in the case of observations, at a single point in time. Tests of controls are performed
on larger samples of transactions (perhaps 20 to 100), and often, observations are made
at more than one point in time.
For key controls, tests of controls other than re-performance are essentially an extension of
procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low
assessed control risk from the beginning of the integrated audit, they will likely combine both
types of procedures and perform them simultaneously.
