W4 Lesson 4 Internal Consideration and Responses To Assessed Risks


Audit and Assurance Concepts and Applications 1

Internal Control Consideration and Responses to Assessed Risks

Module 004: Internal Consideration and Responses to Assessed Risks

Course Learning Outcomes:


At the end of this module, the student will be able to:
1. Understand internal control system consideration
2. Identify the accounting and internal control systems
3. Know the concept of internal control, its inherent limitations and its
components.
4. Comprehend the responses to assessed risks and tests of control.

Internal Control Consideration


The auditor should obtain an understanding of the accounting and internal control systems
sufficient to plan the audit and develop an effective audit approach.
The auditor uses the understanding of internal control to identify types of potential
misstatements, consider factors that affect the risks of material misstatement, and design
the nature, timing, and extent of further audit procedures.

Accounting and Internal Control Systems


An accounting system is a series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. Such systems identify, assemble,
analyze, calculate, classify, record, summarize and report transactions and other events.
Internal Control System means all the policies and procedures (internal controls)
adopted by the management of an entity to assist in achieving management’s objective of
ensuring, as far as practicable:
• Orderly and efficient conduct of its business, including adherence to management policies;
• Safeguarding of assets;
• Prevention and detection of fraud and error;
• Accuracy and completeness of the accounting records; and
• Timely preparation of reliable financial information.
The internal control system extends beyond those matters which relate directly to the
functions of the accounting system.

Course Module
Entity’s Internal Control
Internal control is a process, effected by those charged with governance, management,
and other personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following categories:
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting; and
c. Compliance with applicable laws and regulations.

Assurance provided by internal control


There is a direct relationship between an entity’s objectives and the controls which are
implemented to provide assurance of their achievement. However, no matter how well
designed and operated, internal control can only provide reasonable assurance.

Inherent Limitations of Internal Control


Internal control can only provide reasonable assurance because of inherent
limitations that may affect the effectiveness of internal controls. Such limitations include:
• Management’s usual requirement that a control be cost-effective (cost-benefit consideration);
• The possibility that a person responsible for exercising control could abuse that responsibility (management overriding the control);
• The possibility of circumvention of controls through collusion with parties outside the entity or with employees of the entity;
• The possibility that procedures may become inadequate due to changes in condition and compliance with procedures may deteriorate;
• The potential for human error due to carelessness, distraction, mistakes of judgment or the misunderstanding of instructions; and
• The fact that most controls tend to be directed at anticipated types (routine) of transactions and not at unusual (non-routine) transactions.

Areas of Internal Control


Areas of internal control can be classified as either administrative control or accounting
control.
Administrative control includes, but is not limited to, plan of organization and the
procedures and records that are concerned with the decision processes leading to
management’s authorization of transactions. Administrative controls promote operational
efficiency and adherence to managerial policies.
On the other hand, accounting control comprises the plan of organization and the
procedures and records that are concerned with the safeguarding of assets and the
reliability of financial records. It involves systems of authorization and approval controls
over assets, internal audit and all other financial matters.

Controls Relevant to the Audit


The auditor’s risk assessment process relates to controls pertaining to the entity’s objective
of preparing financial statements for external purposes and the management risk that may
give rise to a material misstatement in those financial statements.
It is a matter of professional judgment, subject to the requirements of PSA, whether a control,
individually or in combination with others, is relevant to the auditor’s considerations in
assessing the risks of material misstatement and designing and performing further
procedures in response to assessed risks. In exercising that judgment, the auditor
considers the applicable component and factors such as the following:
a. The auditor’s judgment about materiality;
b. The size of the entity;
c. The nature of the entity’s business, including its organization and ownership
characteristics;
d. The diversity and complexity of the entity’s operations;
e. Applicable legal and regulatory requirements; and
f. The nature and complexity of the systems that are part of the entity’s internal
control, including the use of service organizations.

Components of Internal Control


Internal control, as discussed in PSA 315 (Redrafted), consists of the following
components:
a. Control environment
b. Entity’s risk assessment process
c. Information and communication systems
d. Control activities
e. Monitoring of controls

A. The control environment


The control environment includes the governance and management functions and the
attitudes, awareness, and actions of those charged with governance and management
concerning the entity’s internal control and its importance in the entity.
Elements of control environment:
1. Communication and enforcement of integrity and ethical values;
2. Management’s philosophy and operating style;
3. Commitment to competence;
4. Participation by those charged with governance;
5. Assignment of authority and responsibility;
6. Human resources policies and procedures; and

7. Organizational structure
B. The entity’s risk assessment process
An entity’s risk assessment process is the process of identifying and responding to
business risks and the results thereof.
For financial reporting purposes, the entity’s risk assessment process includes how
management identifies risks relevant to the preparation of financial statements that are
presented fairly, in all material respects in accordance with the entity’s applicable
financial reporting framework, estimates their significance, assesses the likelihood of
their occurrence, and decides upon actions to manage them.
Risks can arise or change due to circumstances such as the following:
a. Changes in operating environment
b. New personnel
c. New or revamped information systems
d. Rapid growth
e. New technology
f. New business models, products or activities
g. Corporate restructurings
h. Expanded foreign operations
i. New accounting pronouncements
The auditor shall obtain an understanding of whether the entity has a process for:
• Identifying business risks relevant to financial reporting objectives
• Assessing the significance of risks and the likelihood of their occurrence
• Deciding how to manage those risks
C. The information system, including the related business processes relevant to
financial reporting, and communication
An information system consists of
a. Infrastructure (physical and hardware components);
b. Software (processes and procedures);
c. People;
d. Input or data; and
e. Output or meaningful information.
NOTE: Infrastructure and software will be absent, or have less significance in systems
that are exclusively or primarily manual.
The information system relevant to financial reporting objectives, such as the financial
reporting system, consists of the procedures and records established to initiate, record,
process, and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities, and equity.
Communication of financial reporting roles and responsibilities and significant matters
relating to financial reporting includes:

a. Communications between management and those charged with governance; and
b. External communications, such as those with regulatory authorities
D. Control activities relevant to the audit
Control activities are the policies and procedures to help ensure that management
directives are carried out.
Examples of control activities include those relating to the following:
a. Authorization
• Specific authorization (for unusual, material, or infrequent projects)
• General authorization (for regular transactions)
b. Performance reviews (actual performance versus budget, forecasts, and prior
period performance)
c. Information processing (from initiation up to the eventual inclusion of
transaction in financial reports)
d. Physical controls (for both assets and documents)
e. Segregation of duties
To achieve optimum segregation of responsibilities, the following functions
should be performed by different employees:
• Independent checks
• Custody of assets
• Authorization of transactions
• Recording of transactions
• Execution of transactions
E. Monitoring of controls
Monitoring is the process of assessing the quality of internal control performance over
time. It involves assessing the design and operations of controls on a timely basis and
taking necessary corrective actions. Monitoring is done to ensure that controls continue
to operate effectively.
Monitoring can be accomplished through
a. Ongoing monitoring activities (performed by persons within the same line
function)
b. Separate evaluations (performed by internal auditors, audit committee, and/or
external auditors)
c. Combination of the two.

Responses to Assessed Risks
The auditor shall design and implement overall responses to address the assessed risks of
material misstatement at the financial statement level.
Moreover, the auditor shall design and perform further audit procedures whose nature,
timing and extent are based on and are responsive to the assessed risks of material
misstatement at the assertion level.
In designing the further audit procedures to be performed, the auditor shall:
a. Consider the reasons for the assessment given to the risk of material misstatement
at the assertion level for each class of transactions, account balance, and disclosure,
including:
i. The likelihood of material misstatement due to the particular characteristics
of the relevant class of transactions, account balance, or disclosure (i.e., the
inherent risk); and
ii. Whether the risk assessment takes account of relevant controls (i.e., the
control risk), thereby requiring the auditor to obtain audit evidence to
determine whether the controls are operating effectively (i.e., the auditor
intends to rely on the operating effectiveness of controls in determining the
nature, timing and extent of substantive procedures); and
b. Obtain more persuasive audit evidence, the higher the auditor’s assessment of risk.

Tests of Controls
The auditor should give adequate consideration to controls relevant to the audit. The
quality of the entity’s internal control can have a significant impact in determining the
nature, timing and extent of the audit procedures in gathering audit evidence related to
class of transactions, account balances and disclosures.
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit
evidence as to the operating effectiveness of relevant controls when:
a. The auditor’s assessment of risks of material misstatement at the assertion level
includes an expectation that the controls are operating effectively (i.e., the auditor
intends to rely on the operating effectiveness of controls in determining the nature,
timing and extent of substantive procedures); or
b. Substantive procedures alone cannot provide sufficient appropriate evidence at the
assertion level.
Tests of controls over the design of a policy or procedure include inquiry, observation,
inspection, reperformance, and walk-through tests.

Substantive Procedures
Irrespective of the assessed risks of material misstatement, the auditor shall design and
perform substantive procedures for each material class of transactions, account balance,
and disclosure.

Summary of Procedures Performed in Consideration of Internal Control

Effect of reassessment of control risk on the audit approach


Reassessment of Control Risk | Audit Approach | Effect on Substantive Test
CR assessment remains at less than high | Reliance approach | Less effective procedures; interim testing may be appropriate; smaller sample size
CR assessment is changed to high | Switch to no reliance approach | More effective procedures; tests nearer or at year-end; larger sample size

Documentation requirements
Control Risk Assessment | Understanding of Internal Control | Control Risk Assessment | Basis for the control risk assessment
High | Yes | Yes | No
Less than high | Yes | Yes | Yes

References and Supplementary Materials
Books and Journals
1. Cabrera, M.E. (2017). Applied Auditing. Manila: GIC Enterprises & Company, Incorporated.
2. Asuncion, D.J., Escala, R.F., Ngina, M.A. (2018). Applied Auditing. Aurora Hill, Baguio City: Real Excellence Publishing.

Online Supplementary Reading Materials


1. https://www.aasc.org.ph/downloads/PSA/publications/PDFs/PSA-315-Redrafted.pdf
2. https://www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-00318.pdf
3. http://www.aasc.org.ph/downloads/PSA/publications/PDFs/PSA330-Redrafted.pdf
