ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY

CPA Review Batch 46  October 2023 CPA Licensure Examination AT-10

AUDITING (Auditing Theory) J. IRENEO  E. ARAÑAS  F. TUGAS  C. ALLAUIGAN

UNDERSTANDING THE ENTITY’S INTERNAL CONTROL

Audit Risk and Risk Assessment Procedures
Definition of Terms:
Audit Risk- the risk that financial statements may contain material misstatements (i.e., inherent and
control risks) coupled with the possibility that the auditor may fail to detect those material
misstatements those misstatements (i.e., detection risk) that may lead the auditor to express an
inappropriate audit opinion.
a. Risk of Material Misstatements (RMM)
- Inherent Risk
- Control Risk
b. Detection Risk

RISK ASSESSMENT PROCEDURES (RAP)

Objective:
The auditor shall design and perform risk assessment procedures to obtain audit evidence that
provides an appropriate basis for:
(a) The identification and assessment of risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels; and
(b) The design of further audit procedures in accordance with ISA 330
PART II: Understanding the Components of the Entity’s System of Internal Control
A. Controls- Policies or procedures that an entity establishes to achieve the control objectives of
management or those charged with governance.
i. Policies are statements of what should or should not be done within the entity to
effect control.
ii. Procedures are actions to implement policies.
B. The auditor shall understand the Components of the Entity’s System of Internal
Control
System of internal control
1. The system designed, implemented, and maintained by
a. those charged with governance
b. Management
c. other personnel
2. Providing reasonable assurance about the achievement of an entity’s objectives
which include:
a. reliability of financial reporting
b. effectiveness and efficiency of operations
c. compliance with applicable laws and regulations.
Components of the Entity’s System of Internal Control
(i) Control environment;
(ii) The entity’s risk assessment process;
(iii) The entity’s process to monitor the system of internal control;
(iv) The information system and communication; and
(v) Control activities.

In the information system and communication and control activities components,

the controls are primarily direct controls. Direct controls are controls that are
sufficiently precise to prevent, detect, or correct misstatements at the assertion level.

In the control environment, the entity’s risk assessment process and the entity’s
process to monitor the system of internal control components, the controls are primarily
indirect controls (although there may be some direct controls, these are likely less in
these components). Indirect controls are controls that support direct controls.

C. Specific Consideration
The auditor shall obtain an understanding of the COMPONENTS relevant to the preparation
of the financial statements AND evaluate these components through performing risk
assessment procedures.

Page 1 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
CONTROL ENVIRONMENT

UNDERSTAND EVALUATE
(a) Understanding the set of controls, processes and and
structures that address:
(b) Evaluating whether:
(i) How management’s oversight responsibilities are
(i) Management, with the oversight of
carried out, such as the entity’s culture and
those charged with governance, has
management’s commitment to integrity and ethical
created and maintained a culture
values;
of honesty and ethical behavior;
(ii) When those charged with governance are separate
(ii) The control environment provides an
from management, the independence of, and
appropriate foundation for the other
oversight over the entity’s system of internal control
components of the entity’s system of
by, those charged with governance;
internal control, considering the
nature and complexity of the entity;
(iii) The entity’s assignment of authority and
and
responsibility;
(iii) Control deficiencies identified in the
(iv) How the entity attracts, develops, and retains
control environment undermine the
competent individuals; and
other components of the entity’s
system of internal control.
(v) How the entity holds individuals accountable for their
responsibilities in the pursuit of the objectives of the
system of internal control

RISK ASSESSMENT PROCESS

UNDERSTAND EVALUATE
(a) Understanding the entity’s process for: and
(b) Evaluating whether the
(i) Identifying business risks relevant to financial reporting
entity’s risk assessment
objectives;
process is appropriate to the
entity’s circumstances
(ii) Assessing the significance of those risks, including the
considering the nature and
likelihood of their occurrence; and
complexity of the entity.
(iii) Addressing those risks;

MONITORING PROCESS

UNDERSTAND EVALUATE
(a) Understanding those aspects of the entity’s process that address: and
(c) Evaluating
(i) Ongoing and separate evaluations for monitoring the effectiveness of controls,
whether the
and the identification and remediation of control deficiencies identified;
entity’s
process for
(ii) The entity’s internal audit function, if any, including its nature, responsibilities
monitoring
and activities;
the system
of internal
(b) Understanding the sources of the information used in the entity’s process to
control is
monitor the system of internal control, and the basis upon which management
appropriate
considers the information to be sufficiently reliable for the purpose;
to the
entity’s
circumstanc
es
considering
the nature
and
complexity
of the
entity.

Page 2 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
INFORMATION SYSTEM & COMMUNICATION

UNDERSTAND EVALUATE

(a) Understanding the entity’s information processing activities, including its data and
and information, the
resources to be used in such activities and the policies that define, for (c) Evaluating
significant classes of transactions, account balances and disclosures; whether the
entity’s
(i) How information flows through the entity’s information system, including how: information
system and
a. Transactions are initiated, and how information about them is recorded, communicati
processed, corrected as necessary, incorporated in the general ledger and on
reported in the financial statements; and appropriatel
y support
b. Information about events and conditions, other the
than transactions, is captured, processed and preparation
disclosed in the financial statements; of the
entity’s
(ii) The accounting records, specific accounts in the FS and other supporting financial
records relating to the flows of information in the information system; statements
in
(iii) The financial reporting process used to prepare the entity’s FS, including accordance
disclosures; and with the
applicable
(iv) The entity’s resources, including the IT financial
environment, relevant to (a)(i) to (a)(iii) above; reporting
framework.
(b)Understanding how the entity communicates significant matters that support
the preparation of the financial statements and related reporting responsibilities
in the information system and other components of the system of internal
control:

(i) Between people within the entity, including how financial reporting roles and
responsibilities are
communicated;

(ii) Between management and those charged with governance; and

(iii) With external parties, such as those with regulatory authorities;

Definition of terms:

General information technology (IT) controls – Controls over the entity’s IT processes that
support the continued proper operation of the IT environment, including the continued effective
functioning of information processing controls and the integrity of information (i.e., the completeness,
accuracy and validity of information) in the entity’s information system. Also see the definition of IT
environment.
Information processing controls – Controls relating to the processing of information in IT
applications or manual information processes in the entity’s information system that directly address
risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and
other information).
IT environment – The IT applications and supporting IT infrastructure, as well as the IT processes and personnel
involved in those processes, that an entity uses to support business operations and achieve business strategies.
For the purposes of this ISA:
(i) An IT application is a program or a set of programs that is used in the initiation, processing, recording
and reporting of transactions or information. IT applications include data warehouses and report writers.

(ii) The IT infrastructure comprises the network, operating systems, and databases and their related
hardware and software.

(iii) The IT processes are the entity’s processes to manage access to the IT environment, manage program
changes or changes to the IT environment and manage IT operations.

Page 3 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
CONTROL ACTIVITIES

UNDERSTAND EVALUATE

(a) Identifying (and understanding) controls that address and

risks of material misstatement at the assertion level in
the control activities component as follows:
(i) Controls that address a risk that is determined to be a
significant risk;
(ii) Controls over journal entries, including nonstandard
journal entries used to record nonrecurring, unusual
transactions or adjustments;
(iii) Controls for which the auditor plans to test operating
effectiveness in determining the nature timing and
extent of substantive testing, which shall include
controls that address risks for which substantive
procedures alone do not provide sufficient appropriate
audit evidence; and
(d) For each control identified in (a) or
(c)(ii):
(i) Evaluating whether the control is
designed effectively to address the
risk of material misstatement at the
assertion level, or effectively designed
to support the operation of other
controls; and
(ii) Determining whether the control has
been implemented by performing
procedures in addition to inquiry of the
entity’s personnel.

(iv) Other controls that the auditor considers to be

appropriate to enable the auditor to meet the
objectives of RAP, based on the auditor’s
professional judgement.

(b) Based on controls identified in (a), identifying the IT

applications and the other aspects of the entity’s IT
environment that are subject to risks arising from the
use of IT;
(c) For such IT applications and other aspects of the IT
environment identified in (b), identifying:

(i) The related risks arising from the use of IT; and

(ii) The entity’s general IT controls that address such

risks;

D. Control Deficiencies
Based on the auditor’s evaluation of each of the components of the entity’s system of internal
control, the auditor shall determine whether one or more control deficiencies have been
identified.
E. Assessing Control Risk
A. If the auditor plans to test the operating effectiveness of controls, the auditor shall assess
control risk.
B. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s
assessment of control risk shall be such that the assessment of the RMM is the same as the
assessment of inherent risk.
F. Documentation
The auditor shall include in the audit documentation the evaluation of the design of identified
controls, and determination whether such controls have been implemented.
G. Limitations of Internal Control
No matter how well designed and operated, IC can provide an entity with only reasonable
assurance about achieving the entity’s financial reporting objectives.
• human judgment in decision making
• breakdowns in internal control
• errors or mistakes
• collusion

Design, implementation, and monitoring of internal control varies depending on the entity’s
size and complexity of the processes.

Page 4 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
1. Which of the following is incorrect statement in relation to internal controls?
A. Internal controls are process designed, implemented and maintained by those charged
with governance, management, and other personnel
B Internal controls provide absolute assurance about the achievement of the entity’s
objectives on financial reporting, operations, and compliance.
C. There is a direct relationship between an entity’s objectives and the controls it
implements to provide reasonable assurance about their achievement.
D. Effective control scan reduce the cost of external audit.

2. Internal controls maybe classified as?

I. Manual, automated or-IT-dependent controls
II. Preventive, detective or corrective controls.
A. I only B. II only C. Both I and II D. Neither I nor II

3. Internal control can only provide reasonable, not absolute, assurance of achieving entity control
objectives. Which of the following is a limiting factor of achieving those objectives?
I. In the performance of most control procedures, there are possibilities of errors arising from
mistakes in judgment.
II. The board of directors is active and independent.
III. The cost of internal control should not exceed its benefits.
IV. Collusion may occur even if incompatible functions or duties have been segregated.
A. I and III only B. I, II and III only C. I, III and IV only D. I, II, III and IV

4. Which of the following conditions supports strong internal control?

A. Strict monitoring by the Bureau of Internal Revenue.
B. The existence of related parties and related party transactions.
C. Pressure by the financial community to improve earnings performance.
D. An economic downturn.

5. Which of the following is not useful for obtaining an understanding of internal controls?
A. Observe client activities and operations C. Make inquiries of the client’s personnel
B. Examine documents and records D. Read industry trade magazines

6. Evaluate the following statements:

I. When obtaining an understanding of an entity's control environment, an auditor should
concentrate on the substance of management's policies and procedures rather than their form
because management may establish appropriate policies and procedures but not act on them.
II. In the assessment of control risk, the auditor is basically concerned that the client's internal
control provides reasonable assurance that errors and fraud have been prevented or detected.
A. Both statements are false C. Only the first statement is true
B. Both statements are true D. Only the second statement is true

7. The 5 components of the system of internal control have been split into two types that align with the
nature of the controls within each component, and may affect the auditor’s identification and assessment
of risks of material misstatement, as well as responding to the assessed risks. Which among these
components have controls that are primarily indirect controls?
I. Control environment
II. The entity’s risk assessment process
III. The entity’s process to monitor the system of internal control
IV. The information system and communication
V. Control activities.
A. I, II,III
B. I, IIII
C. IV,IV
D. II, IV, V

8. S1 The control environment does not directly prevent, or detect and correct, misstatements.
S2 Control environment may provide an appropriate foundation for the system of internal control
and may help reduce the risk of fraud, an appropriate control environment is not necessarily
an effective deterrent to fraud.
A. False, True
B. True, False
C. True, True
D. False, False

Page 5 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
9. Which of the following statements best describes “control activities”?
A. The entity’sprocessforidentifyingbusinessrisksrelevanttofinancialreportingobjectives
and deciding about actions to address those risks, and the results thereof.
B. The system for transferring information from transaction processing systems to the general
ledger or the financial reporting system.
C. Policies and procedures that help ensure that management directives are carried out.
D. This includes the governance and management functions and the attitudes, awareness,
and actions of those charged with governance and management concerning the entity’s
internal control and its importance to the entity.
10. Which of the following is not an element of “control environment”?
A. Commitment to competence
B. Communication and enforcement of integrity and ethical values
C. Assignment of authority and responsibility
D. Leadership responsibilities for quality within the firm
11. Management’s attitude towards aggressive financial reporting and its emphasis on meeting
projected profit goals most likely would significantly influence an entity’s control environment
when:
A. Management is dominated by one individual who is also a shareholder.
B. External policies established by parties outside the entity affect its accounting practices.
C. The audit committee is active in overseeing the entity’s financial reporting policies.
D. Internal auditors have direct access to the board of directors and entity management.
12. An entity’s risk assessment process includes how management:
I. Identifies business risks relevant to financial reporting objectives
II. Estimates the significance of the risks
III. Assesses the likelihood of the occurrence of risks
IV. Decides on actions to address the risks.
A. I and III only B.I, II and III only C.I, III and IV only D.I, II, III and IV

13. Risks can arise or change due to circumstances such as the following, except:
A. There is a change in the regulatory or operating environment.
B. No new employees have been hired by the company.
C. The company switched from manual information systems to a computerized system.
D. The accounting and financial reporting framework has experienced significant revisions.
14. Which of the following pertains to risk assessment?
I. An audit client’s process for identifying business risks relevant to the financial reporting
objective
II. Business procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed, corrected, transferred to the general ledger and reported
in the financial statements
III. Client policies on limiting physical access to assets and records
A. I and III only B. I only C.II and III only D.I, II and III

15. The information system consists of the following:

A. Infrastructure (physical and hardware components) and software
B. People
C. Procedures and data
D. All of these.

16. Control activities are the policies and procedures that help ensure that management directives are
carried out. These include activities relating to authorization, performance reviews, information
processing, physical controls and segregation of duties. There is proper segregation of duties when
an individual who
A. Authorizes a transaction records it.
B. Authorizes a transaction maintains custody of the asset that resulted from the transaction.
C. Records a transaction do not compare the accounting record of the asset with the asset itself.
D. Maintains custody of an asset has access to the accounting records for the asset.

Page 6 of 7 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
UNDERSTANDING the ENTITY’S INTERNAL CONTROL AT-10
17. The objective of the recording function of transactions (in the context of internal accounting control) is
to
A. Limit access to assets and to permit preparation of financial statements in accordance with GAAP.
B. Assure compliance with the rules of all regulatory bodies having jurisdiction over the reporting
entity.
C. Permit preparation of financial statements in accordance with GAAP and to maintain accountability
of assets.
D. Encourage operational efficiency and adherence to prescribed managerial policies.

18. Which of the following descriptions pertain to performance reviews?

A. Control activities that include reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance.
B. Controls performed to check accuracy, completeness, and authorization of transactions.
C. Physical security of assets, including adequate safeguards such as secured facilities over access
to assets and records.
D. The assignment of incompatible functions to different people.
E. Control activities involving the specific or general authorization of a transaction.
19. An entity’s ongoing monitoring activities often include:
A. Periodic audits by the audit committee.
B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.

20. Which of the following is not a detective control?

A. The use of batch totals.
B. Reconciling the accounts receivable subsidiary file with the control account.
C. Requirement that two persons open mail.
D. Preparation of bank reconciliation.

21. Not an example of general transaction authorization is the:

A. Setting of automatic reorder points.
B. Establishment of sales prices.
C. Establishment of a customer’s credit limits.
D. Approval of a construction budget for a new warehouse.

22. A control that reduces the risk that an existing or potential control weakness will result in a failure
to meet a control objective is referred toas:
A. Compensating control C. Conditional control
B. Non-routine control D. Offset control

23. Which of the following is (are) a correct statement(s) for internal control systems of small
companies?
I. Elements of internal control for small entities may not be available in documentary form
II. Segregation of incompatible duties are often inadequate due to staff limitations
III. The involvement of the owner-manager may be a compensatory control for the inadequate
segregation of incompatible duties

A. I and III only B. II only C. II and III only D. I, II and III

24. According to PSA315, the auditor uses the understanding of internal control to:
I. Identify types of potential misstatements
II. Consider factors that affect the risk of material misstatements
III. Design the nature, timing and extent of further audit procedures (i.e., tests of controls and
substantive tests)

A. I and III only B. II only C. II and III only D. I, II and III

- END -

Page 7 of 7 0915-2303213  www.resacpareview.com