Gov Bus

Finals

Uploaded by

ctremaine072820
Pr E1-UNIT-D auditing and assurance services

Bachelor of Science in Accountancy (Catanduanes State University)


UNIT D
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
INCLUDING ITS INTERNAL CONTROL AND ASSESSING THE
RISKS OF MATERIAL MISSTATEMENT

Outline
1. Understanding the Entity and its Environment
   a. Nature of the entity
   b. Objectives and strategies and related business risks
   c. Measurement and review of the entity’s financial performance

2. Internal Control
   a. Basic concepts and elements of internal control
   b. Consideration of accounting and internal control systems
      I. Understanding and documentation
      II. Assessment of control risks
          ➢ Tests of controls
          ➢ Documentation

3. Assessing the risks of material misstatement
   a. Risk assessment procedures
   b. Significant risks that require special audit consideration
   c. Risks for which substantive procedures alone do not provide sufficient
      appropriate audit evidence
   d. Revision of risk assessment

4. Communicating with those charged with governance and management

Objectives:

At the end of the unit, the student should be able to:

1. Know and describe the responsibilities of a professional certified public accountant

2. Understand the industry, regulatory and other external factors affecting financial
reporting

3. Appreciate the importance of internal control and assessment of an entity’s control
environment

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT INCLUDING
ITS INTERNAL CONTROL AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT

Phase I of the risk-based audit approach includes 1) Performance of preliminary
engagement activities to decide whether to accept or continue an audit engagement, 2) Planning the
audit to develop an overall audit strategy and audit plan, and 3) Performance of risk assessment
procedures to identify/assess risk of material misstatement (ROMM) through understanding of the
entity.

PSA 315, Identifying and Assessing the Risks of Material Misstatements through
Understanding the Entity and Its Environment requires the following:

1. Risk assessment procedures and sources of information about the entity and its
environment, including its internal control

2. Understanding the entity and its environment, including its internal control

3. Identifying and assessing the risks of material misstatements

4. Material weaknesses in internal control

5. Documentation

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

Relevant Industry, Regulatory And Other External Factors

To better understand the company, the auditor must obtain an understanding of the
environment within which the company operates. This includes industry conditions such as
competition, supplier and customer relationships, and technological development; the regulatory
environment, such as the financial reporting framework, legal and political environment, and environmental
requirements; and other external factors.

Nature of The Entity

The auditor’s understanding of the entity, its environment and its internal control serves as
the foundation of an effective audit. It establishes a frame of reference within which the auditor
plans the audit and exercises professional judgment such as:

➢ Assessing risk of material misstatement
➢ Establishing materiality
➢ Considering appropriateness of accounting policies

The auditor should obtain an understanding of the nature of the entity, including the
following:

a) Operations
b) Ownership and governance structure
c) Types of investments that the entity is making and plans to make
d) The way that the entity is structured and how it is financed to enable the auditor to
understand the classes of transactions, account balances, and disclosures to be expected
in the financial statements.
e) The entity’s selection and application of accounting policies, including the reasons for
change, if any. The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry.

Objectives and Strategies and Related Business Risks

The client company conducts business in an environment where industry, regulatory and
other internal and external factors exist. Management and those charged with governance must
therefore clearly define objectives in accordance with the overall plans for the entity to be able to
respond to these factors. Risks that the auditor may identify for a particular client include those
related to competition, government regulations, technology, volatility of raw material prices, and
external factors such as foreign exchange changes.

Obtaining an understanding of the related business risks enables the auditor to evaluate
risks of material misstatements.

Measurement and Review of the Entity’s Financial Performance

The financial performance of the client entity is measured periodically, in terms of internal
performance parameters or in comparison with industry performance. These performance
measures, whether internal or external, may create pressures on the entity and motivate
management to take action to improve the business performance or to misstate the financial
statements.

Auditors should thus obtain an understanding of the client company’s financial performance,
including consideration of key financial ratios, employee performance measures and incentives, and
other performance measures. This will enable the auditor to assess whether risk of material
misstatement exists within the company’s performance evaluation environment.

INTERNAL CONTROL

Every entity, whether profit oriented or not, faces risks that may prevent it from achieving
its objectives. To address these risks, including the risk of material misstatements in the financial
statements, the entity establishes a system of internal control. Without an effective
internal control system, these risks may not be prevented, which could pose a threat to the
company’s ability to continue as a going concern.

Internal control is designed to provide reasonable assurance of achieving the objectives of a
company related to reliable financial reporting, operational efficiency and effectiveness, and
compliance with applicable laws and regulations.

An auditor must evaluate whether internal control is working effectively. To do so, the
auditor must first obtain an understanding of how the client’s internal control system works,
including what controls exist and who performs them, how various types of
transactions are processed and recorded, and what accounting records and supporting documents
exist.

Basic Concepts and Elements of Internal Control

Internal control is described as the process designed and effected by those charged with
governance, management, and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to a) reliability of financial reporting, b)
effectiveness and efficiency of operations, and c) compliance with applicable laws and regulations
(PSA 315). To achieve these objectives, business organizations set up an internal control system.

Internal control system is defined as the policies and procedures (controls) adopted by the
management of an entity to assist in achieving management’s objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy
and completeness of the accounting records, and the timely preparation of reliable financial
information.

The following are the components of an internal control system (PSA 315):

1. The control environment
2. The entity’s risk assessment process
3. The information system, including the related business processes, relevant to financial
reporting, and communication
4. Control activities
5. Monitoring of controls

These components are described in the following figure:

Figure D-1: Five Components and the Principles Representative of the Fundamental Concepts
Associated with the Component (Adopted from Cabrera & Cabrera, 2020)

Component: 1. Control Environment
Description: The collective effect of an entity’s management and owners on establishing,
enhancing, or mitigating the effectiveness of specific control policies or procedures. The
control environment sets the tone and provides discipline and structure.
Applicable Principles (The Organization:)
1. Demonstrates a commitment to integrity and ethical values
2. Demonstrates independence of the board of directors from management and exercises
   oversight for the development and performance of internal control
3. Establishes, with board oversight, structures, reporting lines, and appropriate
   authorities and responsibilities in the pursuit of objectives
4. Demonstrates a commitment to attract, develop and retain competent individuals in
   alignment with objectives
5. Holds individuals accountable for their internal control responsibilities in the
   pursuit of objectives

Component: 2. Risk Assessment
Description: Management’s efforts to identify, analyze, and manage risks pertaining to the
preparation of FS.
Applicable Principles
6. Specifies objectives with sufficient clarity to enable the identification and
   assessment of risks relating to objectives
7. Identifies risks to the achievement of its objectives across the entity and analyzes
   risks as a basis for determining how the risks should be managed
8. Considers the potential for fraud in assessing risks to the achievement of objectives
9. Identifies and assesses changes that could significantly impact the system of internal
   control

Component: 3. Control Activities
Description: Policies and procedures to ensure that necessary actions are taken to address
risks to the achievement of preparing reliable FS. Control activities pertain to performance
reviews, physical controls, and segregation of duties.
Applicable Principles
10. Selects and develops control activities that contribute to the mitigation of risks to
    the achievement of objectives to acceptable levels
11. Selects and develops general control activities over technology to support the
    achievement of objectives
12. Deploys control activities through policies that establish what is expected and in
    procedures that put policies into action

Component: 4. Information and Communication
Description: The entity’s information system and procedures for communicating matters
related to the processing of accounting data. This component generates the financial
statements.
Applicable Principles
13. Obtains or generates and uses relevant, quality information to support the
    functioning of other components of internal control
14. Internally communicates information, including objectives and responsibilities for
    internal control, necessary to support the functioning of other components of
    internal control
15. Communicates with external parties regarding matters affecting the functioning of
    other components of internal control

Component: 5. Monitoring
Description: The process an entity uses to assess the quality of internal control over time.
Applicable Principles
16. Selects, develops, and performs ongoing and/or separate evaluations to ascertain
    whether the components of internal control are present and functioning
17. Evaluates and communicates internal control deficiencies in a timely manner to
    those parties responsible for taking corrective action, including senior
    management and the board of directors, as appropriate

➢ The Control Environment – this is the overall attitude, awareness and actions of directors
and management regarding the internal control system and its importance in the entity. A
strong and supportive control environment contributes to the effectiveness of control
procedures. The control environment includes:

   • Communication and enforcement of integrity and ethical values
   • Commitment to competence
   • Participation by those charged with governance
   • Management’s philosophy and operating style
   • Organizational structure
   • Assignment of authority and responsibility
   • Human resources policies and procedures

➢ Entity’s Risk Assessment Process – is the identification, analysis and management of risks
pertaining to the preparation of FS. Management should consider internal and external
events and circumstances that may affect an entity’s ability to generate and report financial
information that is reliable and credible. In the risk assessment process, management
identifies the risks that could occur due to fraud and error, their significance, the likelihood
of occurrence and how these risks should be managed. Risks may exist due to the following
factors:

   • Changes in regulatory or operating environment
   • New personnel
   • New or revamped information systems; new technology
   • Rapid growth
   • New business models, products or activities
   • New accounting pronouncements

➢ Control Activities

A company may use manual or IT systems. Whatever the system being used, control
procedures are instituted at various organizational and functional levels. Control procedures
may be categorized as follows:

A. Performance Review

B. Information Processing Controls
   • Segregation of duties
   • Adequate documents and records
   • Safeguards over access to assets
   • Independent checks on performance

C. Physical controls

➢ Monitoring of Controls is the process of assessing and evaluating the internal control,
including the design and operation of controls, on a timely basis and taking corrective action
as necessary. This involves communication from external parties such as customers,
suppliers, banks, regulating agencies, etc.


Consideration of Accounting and Internal Control Systems

Documentation of Understanding of Internal Control

The auditor shall document the key elements of each of the internal control components,
including information sources thereof. The form and extent of documentation depend on the size
and complexity of the audit client company. Documentation techniques include narratives,
flowcharts and questionnaires.

1. Narrative (or Memorandum) is a written description of a phase or phases of the internal
control system. The description includes the origin of documents and records, transactions
processing, disposition of documents and records, indication of relevant controls to prevent
or detect risks of material misstatement such as separation of duties of recording from
handling cash, authorization and verification.

Advantages:
• Flexible, tailor-made for engagement
• Detailed analysis and forces auditor to understand and control

Disadvantages:
• Time consuming, requires more time and careful study
• Weaknesses are not obvious

2. Flowchart – a diagram which uses symbols to depict or show the auditor’s understanding of
a specific part of an internal accounting control system. It indicates the flow of data and/or
authority and reflects the segregation of duties. The following questions should be
answered clearly before the preparation of a flowchart:

a. Who performs the various functions in the routine?
b. Why are these functions performed?
c. What work is performed, and is the work considered input or output?
d. When are the functions performed and is the work considered input or output?
e. How are the functions performed and in what sequence?

Advantages:
• Easily understood
• Better overall picture of complex system
• Easy to read and update
• Unlikely to overlook control

Disadvantages:
• Time consuming and requires more knowledge
• Weaknesses are not obvious

Flowcharting is an art, and therefore, different individuals may prepare different flowcharts
for any given situation. The critical factor is that flowcharts should clearly represent a
system.


Figure D-2: Sample Common Flowcharting Symbols

Input/Output: Indicates the input or output of information. Can be used in place of the
document symbol.

Process: Operation(s) causing the information to change in some manner without
manual assistance (e.g., update of master payroll records or preparation
of payroll checks in computerized payroll system).

Cross Flow Lines: If flow lines cross, they are not related.

Annotation: For the addition of comments. May be connected to a symbol of a flow
line.

Punch Card

Online Storage: Using online storage in an input-output function.

Offline Storage: Storage of information or documents. The method of storage may be
indicated inside the symbol.

Document: For example, sales invoice, purchase order, check, remittance advice,
etc.

Decision: An operation to determine tape proof, or similar batch control
information, or an activity that necessitates decision.

Manual Operation: The processing of data in a system by manual techniques.

3. Internal Accounting Control Questionnaire asks a series of questions about the control in
each audit area to identify control deficiencies or weaknesses. Most questionnaires require a
“yes” or “no” or “not applicable” response, with “no” response indicating potential
weakness or at least, further investigation is required.

For “no” responses which indicate a weakness, an investigation of the weakness should be
conducted to determine whether it is material or not. The investigation should be
documented in a separate sheet. A material weakness should be reported to senior
management, board of directors and the audit committee.

Advantages:
• Easy to complete
• Unlikely to overlook controls with comprehensive list of questions
• Weaknesses become obvious with “no” responses

Disadvantages:
• May not be answered adequately
• Questions may be “unfit” to client
• No process overview

A sample questionnaire is presented in Figure D-3.

4. Internal control checklist contains a detailed enumeration of the methods and practices
which characterize good internal control or of items to be considered in reviewing internal
control. This basically provides a guide to review the internal control of the auditee and
does not represent a record of the auditor’s findings.

5. Decision tables. In this approach, the system is depicted as decision points

Figure D-3: Sample Questionnaire (Adopted from Cabrera & Cabrera, 2017)

Internal Control Questionnaire for Sales

Client: _________________________________________ Audit Date: _______________
Client Personnel Interviewed: __________________________________________________
Auditor: _______________________________________ Date Completed: ___________
Reviewed by: __________________________________ Date Reviewed: ___________
Type of Testing: Compliance
Cycle: Revenue

Response columns for each question: Yes / No / NA / Remarks

Executing
1. Are customer orders compared to an approved customer list?
2. Is a prenumbered sales order issued for each accepted customer order?
3. Is there internal verification of the agreement of sales order with customer order?
4. Are all credit sales approved prior to the sale?
5. Is a sales order required before an order is filled?
6. Is there internal verification of the goods in filling a sales order?
7. Are the goods compared with the sales order in shipping?
8. Is each shipment supported by a prenumbered shipping document?
9. Are shipping documents and sales orders compared in billing?
10. Are prenumbered sales invoices used in billing?
11. Is there internal verification of prices and mathematical accuracy of sales invoice?
12. Are daily sales summaries prepared and agreed to the invoices used?

Recording
1. Are the daily sales journal entries agreed to daily sales summaries?
2. Are invoices journalized in numerical sequence?
3. Is there periodic independent reconciliation of accounts receivable control and the
   customers’ ledger?
4. Are postings to the subsidiary ledgers made independent of journalizing and posting the
   general ledger?

Custody
1. Are there adequate physical controls over accounts receivable records?
2. Is there independent mailing of monthly statements to customers?


Relationship of Effectiveness of Internal Control and Substantive Tests

The auditor’s evaluation of internal control provides a basis for the level of reliance placed
upon the system, depending on whether, in the auditor’s assessment, the internal control is
effective or not. During the assessment, the auditor may find deficiencies. These deficiencies exist
when a) a control is unable to prevent, or detect and correct, FS misstatements and b) a necessary
control is missing.

Deficiencies in internal control may be in its a) design or b) operation. A design deficiency
exists when a necessary control is missing, or existing but not properly designed. An operation
deficiency exists when a properly designed control does not operate as designed, or the person
performing the control does not possess the necessary authority or competence.

Primarily, internal control assessment is done to enable the auditor to plan substantive tests
that will be effective in detecting the types of errors or irregularities that are possible in the
circumstances and to determine recommendations to improve internal control.

Effectiveness of internal control and substantive tests are inversely related. The more
effective the internal control, the less substantive testing the auditor performs.

When controls are initially considered to be effective, the auditor may observe the following
steps:
1) Reduce control risk
2) Reduce acceptable risk of overreliance on internal control
3) Perform tests of controls through inquiries, inspection, observation and/or
   reperformance
4) Increase the acceptable risk of incorrect acceptance (increase detection risk), and
5) Reduce the planned substantive tests through
   • Use of less persuasive or less effective substantive tests
   • Perform substantive tests at interim date
   • Decrease the extent of substantive test by selecting a smaller sample size

When controls are initially not considered effective or not cost efficient, the auditor should
consider the following:
1) Assess control risk at maximum (100%)
2) Acceptable risk of overreliance on internal control at maximum (100%)
3) Perform no tests of controls
4) Use low risk of incorrect acceptance (decrease detection risk)
5) Perform extensive substantive testing through
   • Use of more effective substantive tests (more persuasive)
   • Perform substantive tests at year end
   • Increase extent of substantive tests by selecting a larger sample size

Assessment of inherent and control risks

The types of material weaknesses in internal control that the auditor may identify when
obtaining an understanding of the entity and its internal controls may include:

➢ Risk of material misstatement that the auditor identifies and which the entity has not
controlled, or for which the relevant control is inadequate

➢ A weakness in the entity’s risk assessment process that the auditor identifies as material,
or the absence of a risk assessment process in those cases where it would be
appropriate for one to have been established.

Material weaknesses may also be identified in controls that prevent, or detect and correct
errors, or those to prevent and detect fraud.

Audit risk refers to the possibility that auditors fail to appropriately modify their opinion on
FS that are materially misstated. It is composed of inherent risk, control risk and detection risk.
Auditing standards describe the relationship between audit risk and its components as:

Audit risk = Inherent risk × Control risk × Detection risk

Audit risk is depicted in the following figure:

Figure D-4: Audit Risk for a Specific Financial Statement Assertion (Adopted from Cabrera
& Cabrera, 2020)

Audit Risk
   1. The risk that the assertion contains a material misstatement, which is composed of:
      - Inherent Risk
      - Control Risk
   2. The risk that the auditor will not detect a material misstatement, which is composed of:
      - Detection Risk
         - Sampling Risk
         - Nonsampling Risk

Inherent risk refers to the susceptibility of an account balance to material errors assuming
the client does not have any related internal control. Inherent risk is assessed at both the financial
statement level and the account balance and class of transactions level. The auditors use their
knowledge of the client’s industry and the nature of its operations, including information obtained in
prior year audits, to assess inherent risk.

Control risk is the risk that a material error in an account will not be prevented or detected
on a timely basis by the client’s system of internal control. This can never be zero because internal
control systems cannot provide complete assurance that all material errors will be prevented or
detected.

After obtaining an understanding of the accounting and internal control systems, the auditor
should make a preliminary assessment of control risk, at the assertion level, for each material
account balance or class of transactions.

The preliminary assessment of control risk for a FS assertion should be high unless the
auditor is a) able to identify internal controls relevant to the assertion which are likely to prevent or
detect, and correct a material misstatement, and b) plans to perform tests of control to support the
assessment.

Detection risk refers to the risk that the auditor’s examination will not detect a material
error in an account balance. This is a function of the effectiveness of the auditor’s verification of
account balances and is influenced by the nature, timing, and extent of the auditor’s procedures.

Using the audit risk model, the auditor determines the nature, timing, and extent of audit
procedures to manage audit risk. Following are the steps to determine the allowable detection risk:

1. Determine planned audit risk for each FS assertion and the FS as a whole

2. Assess inherent risk

3. Assess control risk – if, after obtaining an understanding of internal
control, the auditor concludes that internal controls are completely ineffective to prevent or
detect misstatement, the auditor would assign a high, perhaps 100% (maximum level)
risk factor to control risk.

Before auditors can set control risk less than 100%, they must do these things:
a) obtain an understanding of internal control
b) evaluate how well it should function based on the understanding, and
c) test the internal controls for effectiveness

4. Determine allowable detection risk – allowable detection risk or planned detection risk is
the amount of risk the auditor can allow for an assertion or a measure of the risk that
audit evidence for a segment will fail to detect misstatements exceeding a tolerable
amount, should such misstatements exist.
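
The four steps above, worked through in code as an added example (not part of the original module). The assertion names and risk percentages are constructed sample values; capping allowable detection risk at 100% and the helper names are assumptions made for this illustration.

```python
"""Allowable detection risk from the audit risk model (added illustration)."""
from dataclasses import dataclass


@dataclass
class Assertion:
    name: str
    planned_audit_risk: float     # step 1: planned audit risk for the assertion
    inherent_risk: float          # step 2: assessed inherent risk
    assessed_control_risk: float  # step 3: auditor's assessment of control risk
    understanding_obtained: bool  # prerequisite a) understanding of internal control
    design_evaluated: bool        # prerequisite b) evaluated how well it should function
    controls_tested: bool         # prerequisite c) tested controls for effectiveness


def _check_risk(label: str, value: float) -> None:
    # Risks are probabilities; control risk in particular can never be zero.
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{label} must be in (0, 1], got {value}")


def control_risk(a: Assertion) -> float:
    """Control risk may be set below 100% only if a), b) and c) were all done."""
    _check_risk("assessed control risk", a.assessed_control_risk)
    if a.understanding_obtained and a.design_evaluated and a.controls_tested:
        return a.assessed_control_risk
    return 1.0  # maximum level: no reliance on internal control


def allowable_detection_risk(a: Assertion) -> float:
    """Step 4: solve AR = IR x CR x DR for DR."""
    _check_risk("planned audit risk", a.planned_audit_risk)
    _check_risk("inherent risk", a.inherent_risk)
    dr = a.planned_audit_risk / (a.inherent_risk * control_risk(a))
    # Assumption for this example: a risk cannot exceed 100%, so cap the result.
    return min(dr, 1.0)


def plan(assertions):
    """Return (name, control risk, allowable DR), lowest allowable DR first.

    The lowest allowable detection risk calls for the most extensive
    substantive testing, so the list is ordered by audit effort needed.
    """
    rows = [(a.name, control_risk(a), allowable_detection_risk(a)) for a in assertions]
    return sorted(rows, key=lambda row: row[2])


# Constructed sample assertions (not taken from the module).
SAMPLE = [
    Assertion("Sales: occurrence", 0.05, 0.8, 0.5, True, True, True),
    # Controls were not tested, so control risk stays at 100%.
    Assertion("Inventory: valuation", 0.05, 0.8, 0.5, True, True, False),
    # Low inherent and control risk: the formula gives 125%, capped at 100%.
    Assertion("Prepaid expenses: existence", 0.05, 0.2, 0.2, True, True, True),
]

if __name__ == "__main__":
    for name, cr, dr in plan(SAMPLE):
        print(f"{name:30s} control risk {cr:4.0%}  allowable detection risk {dr:7.2%}")
```

The inventory assertion shows the inverse relationship described earlier: with no tests of controls, control risk stays at maximum and the allowable detection risk is halved relative to the sales assertion.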

Tests of Controls or Compliance Tests

Tests of controls are audit procedures designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Types of compliance tests:

1) No Trail – tests that do not leave a visible trail in the supporting documents of the
performance of control procedure by the client’s employee. The auditor makes inquiries
and observation of office personnel and routines to determine how control procedures
are performed and who performs them.

2) Documentary Trail – tests that leave a visible trail in the supporting documents. Hence,
the auditor inspects the documents supporting a particular type of transaction to see
whether a control procedure, such as approval or other checking, was performed and
who performed it as indicated by signatures or initials.

ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

Risk Assessment Procedures

Risk assessment procedures are performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess risks of material
misstatements, whether due to fraud or error, at the financial statement and assertion levels.
The procedures that may be performed by the auditor include the following:

a) Inquiries of management and others within the entity

The auditor performs inquiries/interviews of management and those responsible for
financial reporting, and of others within the entity who may have information to assist in
identifying risk of material misstatement such as the internal audit personnel, etc. Aside
from inquiring from management, the auditor may also make inquiries of the company’s
legal counsel or other experts employed by the company. Reports or information from
external sources such as analysts, banks, journals, etc. may also be helpful.

b) Analytical procedures

This includes trend analysis, ratio analysis and test of reasonableness. These procedures
are used by the auditor in the three phases of the risk-based audit process. In Phase 1,
the risk assessment phase, the auditor uses analytical procedures in order to obtain an
understanding of the entity and its environment and identify and assess ROMM. In
Phase 2, risk response, analytical procedures are used, among others, to detect material
misstatements in the FS and to obtain evidence on the fairness of the assertions
contained therein. Analytical procedures are also used in Phase 3, in forming a
conclusion.

Analytical procedures are an important part of the audit process and consist of
evaluations of financial information made by a study of plausible relationships among
both financial and nonfinancial data. Analytical procedures range from simple
comparisons to the use of complex models involving many relationships and elements of
data. A basic premise underlying the application of analytical procedures is that
plausible relationships among data may reasonably be expected to exist and continue in
the absence of known conditions to the contrary. Particular conditions that can cause
variations in these relationships include, for example, specific unusual transactions or
events, accounting changes, business changes, random fluctuations, or misstatements.

Results of analytical procedures may assist the auditor in identifying unusual
transactions, events, amounts, trends and ratios that might indicate matters that have
financial statement and audit implications.

c) Observation and inspection – information obtained from observation and inspection
may support inquiries of management and others, and also provide information about
the entity and its environment. Observation and inspection usually include observation
of an entity’s activities and operations, inspection of documents such as business plans
and strategies, records and manuals, and visits to the entity’s premises and plant
facilities.

A risk-based audit approach involves identifying and assessing the risks of material
misstatement of the financial statements, which guide the auditor in performing appropriate audit
procedures. This means that the auditor does not simply perform a list of specified procedures,
which is known as audit by completion checklists – an ineffective approach.

Generally, the audit is focused on areas that are likely to be materially misstated. The
auditor should therefore identify material classes of transactions, account balances and disclosures
in the financial statements. In the process, the auditor uses professional judgment, taking into
account both quantitative and qualitative factors.

Financial statement level risk of material misstatement refers to risks that relate
pervasively (widely) to the financial statements as a whole, and potentially affect many assertions.
They relate to risks that have a potential impact on a large number of F/S items.

Assertion level risk of material misstatement refers to risks that are confined to one or a few
assertions for classes of transactions, account balances, and disclosures in the F/S.

Significant Risks That Require Special Audit Consideration

Significant risk is a risk of material misstatement that, in the auditor’s judgment, requires
special audit consideration. Factors to consider in evaluating whether a risk is significant or not
include the following:

• Fraud risk
• Significant development
• Complex transactions
• Related party transactions
• Degree of subjectivity
• Unusual transactions

After ascertaining that risks are significant, the auditor should obtain an understanding of
controls, including control activities. Absence of control indicates material weakness.

Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit
Evidence

These risks may include risks of inaccurate or incomplete processing for routine transactions
(e.g., revenue, purchases, and cash receipts or payments), which are subject to highly automated
processing with little or no manual intervention.

The auditor shall obtain an understanding of the controls over such risks and perform tests
of control to obtain sufficient appropriate evidence.

COMMUNICATING WITH THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

The auditor shall communicate significant deficiencies and material weaknesses in
internal control in writing, on a timely basis, to management and those charged with governance.
This communication is typically contained in a management letter (the “by-product” of the audit),
together with the auditor’s constructive suggestions not included in the auditor’s report.


END OF CHAPTER REVIEW QUESTIONS

A. Answer the following questions:

1. Discuss internal control.

2. Why is it important for the auditor to obtain an understanding of the client’s internal
control?

3. Identify and explain the components of internal control.

4. Describe the relationship between substantive tests and the reliance placed by an
auditor on the internal control system.

5. Discuss the different techniques auditors use in documenting the understanding of a
client’s internal control.

B. Multiple Choice

1. A reason to establish internal control is to:
A. Have a basis for planning the audit.
B. Provide reasonable assurance that the objectives of the organization are achieved.
C. Encourage compliance with organizational objectives.
D. Ensure the accuracy, reliability and timeliness of information.

2. An effective internal control structure
A. Reduces the need for management to review exception reports on a day-to-day basis.
B. Eliminates risk and potential loss to the organization.
C. Cannot be circumvented by management.
D. Is unaffected by changing circumstances and conditions encountered by the organization.

3. The primary purpose of the auditor’s consideration of internal control is to provide a basis for –
A. Determining whether procedures and records that are concerned with the safeguarding of
assets are reliable.
B. Constructive suggestions to clients concerning deficiencies in internal control.
C. Determining the nature, timing and extent of audit tests to be applied.
D. The expression of an opinion.

4. S1 Internal control systems refer to all policies and procedures adopted by the management of
an entity to assist in achieving management’s objectives.
S2 The internal control system is confined to those matters which relate directly to the
functions of the accounting system.
A. True, False B. False, True C. True, True D. False, False

5. An auditor is least likely to test the internal controls that provide for
A. Approval of the purchase and sale of marketable securities.
B. Classification of revenue and expense transactions by product line.
C. Segregation of the functions of recording disbursements and reconciling the bank account.
D. Comparison of receiving reports and vendors’ invoices with purchase orders.

6. Which of the following statements best describes the phrase, “evaluating the design of a
control”?
A. Considering whether the control, individually or in combination with other controls, is
capable of effectively preventing, or detecting and correcting, material misstatements.
B. Determining whether the control exists and that the entity is using it.
C. Expressing an opinion as to the effectiveness of a control.
D. Observing the application of specific controls.

7. When obtaining an understanding of an entity’s internal control, an auditor should concentrate
on the substance of controls rather than their form because:
A. Management may establish appropriate controls but not act on them.
B. The controls may be operating effectively but may not be documented.
C. The controls may be so inappropriate that no reliance is contemplated by the auditor.
D. Management may implement controls with costs in excess of benefits.

8. As part of obtaining an understanding of internal controls, an auditor is not required to:
A. Consider factors that affect the risk of material misstatement.
B. Ascertain whether internal control policies and procedures have been placed in operation.
C. Identify the types of potential misstatements that may occur.
D. Obtain knowledge about the operating effectiveness of internal control.

9. Narratives, flowcharts, and internal control questionnaires are three commonly used methods
of
A. Designing the audit manual and procedures.
B. Testing the internal control structure.
C. Documenting the study of internal controls.
D. Documenting the auditor’s understanding of client’s organizational structure.

10. The following are components of internal control:
A. Organizational structure, management philosophy, and planning.
B. Legal environment of the firm, management philosophy, and organizational structure.
C. Risk assessment process, back up facilities, responsibility accounting and natural laws.
D. Control environment, risk assessment process, control activities, information system and
communication, and monitoring of controls.

11. Which of the following is most correct concerning the understanding of internal control needed
by the auditors to plan the audit?
A. The auditors must understand the control environment, but not the accounting system or
the control procedures of an entity.
B. The auditors must understand the control environment and the accounting system, but not
the control procedures.
C. The auditors must understand the control environment, the accounting system and must
use judgment as to the control procedures which must be considered.
D. The auditors must understand the control environment, the accounting system and all
control procedures.

12. Which of the following statements best describes “control environment”?
A. The entity’s process for identifying business risks relevant to financial reporting objectives
and deciding about actions to address those risks, and the results thereof.
B. The system for transferring information from transaction processing systems to the general
ledger of the financial reporting system.
C. Policies and procedures that help ensure that management directives are carried out.
D. This includes the governance and management functions and the attitudes, awareness, and
actions of those charged with governance and management concerning the entity’s internal
control and its importance to the entity.

13. Management’s attitude towards aggressive financial reporting and its emphasis on meeting
projected profit goals most likely would significantly influence an entity’s control environment
when:
A. Management is dominated by one individual who is also a shareholder.
B. External policies established by parties outside the entity affect its accounting practices.
C. The audit committee is active in overseeing the entity’s financial reporting policies.
D. Internal auditors have direct access to the board of directors and entity management.

14. An entity’s risk assessment process includes how management:
A. Identifies risk
B. Assesses significance and likelihood of occurrence of these identified risks
C. Decides upon actions to manage these risks
D. All of these.

15. Risks can arise or change due to circumstances such as the following, except:
A. There is a change in the regulatory or operating environment.
B. No new employees have been hired by the company.
C. The company switched from manual information systems to a computerized system.
D. The accounting and financial reporting framework has experienced significant revisions.

16. The information system consists of the following:
A. Infrastructure (physical and hardware components) and software
B. People
C. Procedures and data
D. All of these.

17. This means “identifying and capturing the relevant information for transactions or events”
A. Recording B. Processing C. Reporting D. None of these

18. The objective of the recording function of transactions (in the context of internal accounting
control) is to
A. Limit access to assets and to permit preparation of financial statements in accordance with
GAAP.
B. Assure compliance with the rules of all regulatory bodies having jurisdiction over the
reporting entity.
C. Permit preparation of financial statements in accordance with GAAP and to maintain
accountability of assets.
D. Encourage operational efficiency and adherence to prescribed managerial policies.

19. When obtaining an understanding of the accounting and internal control system the auditor
may trace a few transactions through the accounting system. This technique is:
A. Reperformance.
B. Walk-through.
C. Control test.
D. Validity test.

20. Which of the following descriptions pertain to performance reviews?
A. Control activities that include reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance.
B. Controls performed to check accuracy, completeness, and authorization of transactions.
C. Physical security of assets including adequate safeguards such as secured facilities over
access to assets and records.
D. The assignment of incompatible functions to different people.

21. Which of the following would be preventive controls?
A. The use of batch totals.
B. Reconciling the accounts receivable subsidiary file with the control account.
C. Requirement that two persons open mail.
D. Preparation of bank reconciliation.

22. An example of specific transaction authorization is the:
A. Setting of automatic reorder points.
B. Establishment of sales prices.
C. Establishment of a customer’s credit limits.
D. Approval of a construction budget for a new warehouse.

23. A proper segregation of duties requires:
A. That an individual authorizing a transaction should record it also.
B. That an individual authorizing a transaction maintain custody of the asset that resulted
from the transactions.
C. That an individual maintaining custody of an asset be entitled to access the accounting
records for the asset.
D. That different individuals should handle custody, authorization and record-keeping.

24. An entity’s ongoing monitoring activities often include:
A. Periodic audits by the audit committee.
B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.

25. This is a basic concept of internal control which recognizes that the cost of internal control should
not exceed the benefits expected to be derived from it:
A. Management by exception B. Management responsibility C. Limited liability D. Reasonable assurance

26. Which of the following is an example of an inherent limitation in a client’s internal control
system?
A. The effectiveness of procedures depends on the segregation of employee duties.
B. Procedures are designed to assure the execution and recording of transactions in
accordance with management’s authorization.
C. In the performance of most control procedures, there are possibilities of errors arising from
mistakes in judgment.
D. Procedures for handling large numbers of transactions are processed by information
technology (IT) equipment.

27. Which of the following conditions supports strong internal control?
A. Strict monitoring by the Bureau of Internal Revenue.
B. The existence of related parties and related party transactions.
C. Pressure by the financial community to improve earnings performance.
D. An economic downturn.

28. Set the following steps in proper order:
A. Determine the nature, extent and timing of substantive tests
B. Make a preliminary control risk assessment
C. Obtain understanding of the entity and its environment
D. Determine the appropriate response to assessed risks
E. Re-assess control risk

29. After obtaining a sufficient understanding of internal control, the auditor:
A. Assesses the need to apply GAAS.
B. Determines the preliminary assessment of control risk.
C. Assesses detection risk to determine the acceptable level of inherent risk.
D. Determines the assessed levels of detection risk and inherent risk.

30. The audit risk model consists of: AR = IR x CR x DR. The detection risk is the dependent
variable. What is the acceptable level of detection risk if the assessed level of inherent risk is
HIGH and the control risk is MEDIUM?
A. Lowest B. Lower C. Medium D. Higher

31. The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the
risk that:
A. Tests of control may fail to identify controls relevant to assertions.
B. Material misstatements may exist in the financial statements.
C. Specified controls requiring segregation of duties may be circumvented by collusion.
D. Entity policies may be circumvented by senior management.

32. An auditor’s preliminary control risk assessment is at a HIGH level. Which of the following are
possible reasons for this preliminary assessment?
I. The entity’s internal control system is not effective
II. Evaluating the effectiveness of the entity’s internal control system would not be
efficient.
A. I only B. II only C. Both I and II D. Neither I nor II

33. When control risk is assessed at less than high for all financial statements assertions, an auditor
should document the auditor’s
                                                                A     B     C     D
Understanding of the entity’s internal control structure        Yes   Yes   No    Yes
Conclusion that control risk is less than high                  No    Yes   Yes   Yes
Basis for the conclusion that control risk is less than high    Yes   Yes   No    No

34. Overall responses to address the risks of material misstatement at the financial statement level
include:
A. Emphasizing to the audit team the need to maintain professional skepticism in gathering and
evaluating audit evidence.
B. Assigning more experienced staff or those with special skills or using experts.
C. Incorporating additional elements of unpredictability in the selection of further audit
procedures.
D. All of the answers.

35. Tests of controls are used to test whether controls are:
A. Operating effectively.
B. Placed in operation or implemented.
C. Properly incorporated in the financial statements.
D. Properly documented by the client.

36. Which of the following procedures most likely would be included as part of an auditor’s tests of
controls?
A. Inspection B. Reconciliation C. Confirmation D. Analytical procedures

37. S1 Tests of controls are necessary if the auditor plans to use the primarily substantive approach.
S2 Tests of controls are necessary if the auditor plans to assess the level of control risk at a high
level.
A. True, true B. False, false C. True, false D. False, true

38. After documenting the internal control in an audit engagement, the auditor may perform tests
on:
A. Those controls that the auditor plans to rely on.
B. Those controls in which deficiencies or weaknesses were identified.
C. Those controls that have a material effect on the balances in the financial statements.
D. Those controls that were reviewed (selected on a random basis).

39. Tests on controls may include the following, except:
A. Reperformance of internal control procedures.
B. Inquiries about, and observation of, internal controls which leave no audit trail.
C. Analytical procedures involving comparison of operating expenses with budgeted amount.
D. Inspection of documentary support for transactions evidencing authorization.

40. Which of the following is ordinarily a test of internal control procedures?
A. Examination of signatures on checks.
B. Count and list cash on hand.
C. Sending confirmation letters to banks.
D. Obtain or prepare reconciliation statements of bank accounts as of the balance sheet date.

41. Which of the following is least likely to be evidence the auditor examines to determine whether
operations are in compliance with the internal control structure?
A. Records documenting usage of IT programs.
B. Confirmations of accounts receivable.
C. Canceled supporting documents.
D. Signatures on authorization forms.

42. Grace, CPA is considering reliance on the internal controls of Lingayen Manufacturing Inc. for the
2010 audit. If Grace obtains audit evidence about the operating effectiveness of controls during
the interim period, Grace should:
A. Rely on the operating effectiveness of these controls up to period end.
B. Determine what additional audit evidence should be obtained for the remaining period.
C. Assess risk as High for the remaining period.
D. Rely on controls for the interim audit, but not for the year-end work.

43. In testing controls, it is best to remember this statement: “The basic components of business
operations and the primary subject matter of internal accounting control are:
A. Assets.”
B. Control methods and behavior.”
C. Transactions.”
D. Employee.”

44. When controls leave no documentary evidence or trail:
A. It is impossible for the auditor to verify them so he/she will have to rely on substantive tests.
B. The only thing available as verification of their effectiveness is inquiry of management.
C. The auditor generally observes them being applied.
D. It is impossible to audit that area of the client’s system.

45. The objective of dual-purpose tests is to:
A. Evaluate whether internal controls are operating effectively.
B. Detect material misstatements in the client’s financial statements.
C. Identify unusual trends or patterns in comparative financial statements.
D. Test internal controls as well as transactions and balances using the same test procedures.

46. If the auditors do NOT perform tests of controls of certain assertions:
A. They have performed a substandard audit.
B. They are not required to communicate reportable conditions relating to those accounts to
management.
C. They must issue a qualified opinion.
D. They must assess control risk at the MAXIMUM level for those assertions.

47. During the review of a small business client’s internal control system, the auditor discovered
that the accounts receivable clerk approves credit memos and has access to cash. Which of the
following controls would be most effective in offsetting this weakness?
A. The owner reviews errors in billings to customers and postings to the subsidiary ledger.
B. The controller receives the monthly bank statement directly and reconciles the checking
accounts.
C. The owner reviews credit memos after they are recorded.
D. The controller reconciles the total of the subsidiary ledger to the amount shown in the
general ledger.

48. If evidence was obtained in the prior year’s audit that indicated a key control was operating
effectively:
A. It will be unnecessary to test that control this year.
B. The tests of that control will be reduced this year.
C. The extent of tests of that control may be reduced this year if the auditor determines that it
is still in place.
D. The auditor would not test this area again this year.

49. The acceptable level of detection risk (ADR) and the combined level of inherent risk (IR) and
control risk (CR) are _______ related.
A. directly B. inversely C. proportionately D. not

50. Which of the following is a correct response of the auditor when he allows a lower acceptable
level of detection risk?
   Nature of substantive tests   Timing of substantive tests   Extent of substantive tests
A. Less effective                Year-end                      More extensive
B. Less effective                Interim                       Less extensive
C. More effective                Year-end                      More extensive
D. More effective                Interim                       Less extensive
