Module 6: Consideration of internal control

Assessing control Risk- It is the process of evaluating the design and operating effectiveness of an
entity’s internal control.
Assessed level of control risk- the conclusion reached as a result of assessing control risk.
Nature of Internal control (4Is)
1. Internal control is a process.
- Internal control is not an end in itself. Instead, it is a means of achieving the entity’s objectives.
2. Internal control is effected by those charged with governance, management and other
personnel.
- Internal control is accomplished by people at every level of organization.
- Management responsibility is to establish a control environment and maintain policies and procedures.
- Governance ensures integrity of accounting and financial reporting system.
- Staff personnel perform their respective function to accomplish the objectives of the entity
3. Internal control can be expected to provide reasonable assurance of achieving the entity’s
objectives.
4. Internal control is designed to help achieve the entity’s objectives.
- Internal control is geared towards the achievement of an entity’s objectives in the following
categories: (ECR)
 Effectiveness and efficiency of operations
 Compliance with laws and regulations
 Reliability of financial reporting
*auditor is only concerned with those policies and procedures within the accounting and internal control
systems that are relevant to the financial statement assertions. Therefore, the objective that is most relevant to
the audit is the financial reporting objective.

Components of Internal Control (CRICM)

I. Control Environment (IMACPA)
- Includes the attitudes, awareness, and actions of management and those charge with governance.
- It is the foundation of effective internal control.
- Factors reflected includes;
*Integrity and ethical values- management should established ethical standards.
*Management philosophy and operating cycle- the auditor should assess the management attitudes
towards financial reporting.
*Active participation of those charge with governance- the entity must have an audit committee.
*Commitment to competence- entity should consider the level of competence required for each task.
*Personnel Policies and procedures- entity must implement appropriate policies.
*Assignment of responsibility and authority/Organizational structure- appropriate methods of assigning
responsibility should be implemented to avoid incompatible functions.
II. Risk Assessment
- Business Risk- risk that entity’s business objectives will not be attained.
III. Information and Communication systems (IDMDP)
- Information systems encompasses methods and records that;
1. Identify and record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail
3. Measure the value of transactions in the proper monetary value
4. Determine the time period in which the transactions occurred
5. Present properly the transactions and related disclosures in the FS
- Communication- providing an understanding of individual roles and responsibilities.
- Open Communication channels- help ensure that exceptions are reported and acted on.
IV. Control Activities
- These are policies and procedures that helps ensure that management directives are carried out.
- Specific control procedures relevant to audit; (PIPS)
1. Performance Reviews- include reviews and analyses of actual performance versus budgets.
 2. Information processing- variety of controls are performed to check accuracy, completeness, and
authorization of transactions.
3. Physical Controls- encompasses the physical security of assets.
4. Segregation of duties- assigning different people the responsibilities of authorizing transactions.
V. Monitoring
- a process of assessing the quality of internal control performance over time.
- Ongoing monitoring activities- are built into the normal recurring activities of an entity, include
supervisory activities(e.g monthly bank reconciliation)
- Separate evaluations- are monitoring activities that are performed on a non-routine basis.