INTERNAL CONTROL CONSIDERATION

A. INTERNAL CONTROL
1. Internal control is the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to
a. reliability of financial reporting;
b. effectiveness and efficiency of operations; and
c. compliance with applicable laws and regulations.

2. Controls refer to policies or procedures that an entity establishes to achieve the control objectives of
management or those charged with governance. In this context:
 Policies are statements of what should, or should not, be done within the entity to effect control. Such
statements may be documented, explicitly stated in communications, or implied through actions and
decisions.
Policies are implemented through the actions of personnel within the entity, or through the restraint of
personnel from taking actions that would conflict with such policies.
 Procedures are actions to implement policies.
Procedures may be mandated, through formal documentation or other communication by management or
those charged with governance, or may result from behaviors that are not mandated but are rather
conditioned by the entity’s culture. Procedures may be enforced through the actions permitted by the IT
applications used by the entity or other aspects of the entity’s IT environment.
Controls are embedded within the components of the entity’s system of internal control. They may be direct or
indirect. Direct controls are controls that are precise enough to address risks of material misstatement at the
assertion level. Indirect controls are controls that support direct controls.
Moreover, the way in which internal control is designed, implemented and maintained varies with an entity’s
size and complexity.

3. Characteristics of internal control

a. Internal control is a process
b. Internal control is effected by entity’s personnel
c. Internal control provides reasonable assurance of achieving its objectives
Inherent limitations that may affect the effectiveness of internal controls (COC CHA)

 Cost-benefit consideration
 Management Overriding the control
 The possibility of circumvention of controls through Collusion with parties outside the entity or with
employees of the entity;
 The possibility that procedures may become inadequate due to Changes in condition and
compliance with procedures may deteriorate.
 The potential for Human error due to carelessness, distraction, mistakes of judgment or the
misunderstanding of instructions;
 The fact that most controls tend to be directed at Anticipated types (routine) of transactions
and not at unusual (non-routine) transactions;
d. Internal control is geared toward attainment of entity’s objectives

4. Areas of internal control

Areas of internal control can be classified as either administrative control or accounting control.
a. Administrative control includes, but is not limited to, plan of organization and the procedures and records
that are concerned with the decision processes leading to management’s authorization of transactions.
Administrative controls promote operational efficiency and adherence to managerial policies.
 b. Accounting control comprises of the plan of organization and the procedures and records that are
concerned with the safeguarding of assets and the reliability of financial records. It involves systems of
authorization and approval controls over assets, internal audit and all other financial matters.

5. Accounting system vs. Internal control system

Accounting system means the series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. Such systems identify, assemble, analyze, calculate,
classify, record, summarize and report transactions and other events.
Internal Control System means all the policies and procedures (internal controls) adopted by the management
of an entity to assist in achieving management's objective of ensuring, as far as practicable,
 orderly and efficient conduct of its business, including adherence to management policies;
 safeguarding of assets;
 prevention and detection of fraud and error;
 accuracy and completeness of the accounting records; and
 timely preparation of reliable financial information.
From these characteristics, we can conclude that internal control system is much broader than accounting
system. It encompasses accounting system since it extends beyond those matters which relate directly to the
functions of the accounting system.

6. Components of Internal Control

Internal control, as discussed in PSA 315, consists of the following components: (CRIME)
a. Control Environment
b. Entity’s Risk assessment process
c. Information and communication systems
d. Control Activities
e. Monitoring of Controls
A. The control environment
The control environment describes a set of standards, processes, and structures that provide the basis for
carrying out internal control across the organization. Control environment is the foundation on which an
effective system of internal control is built and operated in an organization.
Elements of control environment (IM CPA HO) that could be relevant when obtaining an understanding
of the control environment include the following:
a. Communication and enforcement of Integrity and ethical values
b. Management’s philosophy and operating style
c. Commitment to competence
d. Participation by those charged with governance
e. Assignment of authority and responsibility
f. Human resources policies and procedures
g. Organizational structure
B. The entity’s risk assessment process
The auditor shall obtain an understanding of whether the entity has a process for: (IAM)
 Identifying business risks relevant to financial reporting objectives
 Assessing the significance of risks and the likelihood of their occurrence
 Deciding how to Manage those risks

C. The information system, including the related business processes relevant to financial reporting,
and communication.
Information system

Information is obtained or generated by management from both internal and external sources in order to
 support internal control components.
An information system enables the entity to have the ability to generate timely and meaningful
information. An information system consists of
a. infrastructure (physical and hardware components),
b. software (processes and procedures)
c. people
d. input or data
e. output or meaningful information.

Communication

As far as audit is concern, the auditor gives emphasis on the communication of financial reporting roles
and responsibilities and significant matters relating to financial reporting. This includes:
a. Communications between management and those charged with governance
b. External communications, such as those with regulatory authorities
D. Control activities relevant to the audit
Control activities are actions (generally described in policies, procedures, and standards) that help
management mitigate risks in order to ensure the achievement of objectives. Control activities may be
preventive or detective in nature and may be performed at all levels of the organization.
Examples of control activities include those relating to the following: (APIPS)
a. Authorization
b. Performance reviews
c. Information processing
d. Physical controls
e. Segregation of duties
E. Monitoring of controls.
Monitoring is the process of assessing the quality of internal control performance over time. It involves
assessing the design and operations of controls on a timely basis and taking necessary corrective actions.
Monitoring is done to ensure that controls are present and continue to function effectively.
Monitoring can be accomplished through
a. Ongoing monitoring activities (performed by persons within the same line function)
b. Separate evaluations (performed by internal auditors, audit committee, and/or external auditors)
c. Combination of the two

B. AUDIT PROCEDURES: RESPONSES TO ASSESSED RISKS

The auditor shall design and implement overall responses to address the assessed risks of material misstatement at
the financial statement level.
A. RISK ASSESSMENT PROCEDURES

1. Obtain an understanding of internal control relevant to the audit

When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the
following by performing procedures in addition to inquiry of the entity’s personnel.
a. design of the controls; and
b. determine whether they have been implemented.

2. Make a preliminary assessment of control risk

Assessment to be made may either be (1) at high or maximum level; or (2) at less than high or below
maximum level.
B. FURTHER AUDIT PROCEDURES
1. Perform test of controls

Objective
The auditor shall design and perform tests of control to obtain sufficient appropriate audit evidence as to the
operating effectiveness of relevant controls when:
a. The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (i.e., the auditor intends to rely on the operating
effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
b. Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

Specific procedures
Tests of controls over the design of a policy or procedure include
 Inquiry;
 Observation;
 Inspection;
 Reperformance; and

Recurring audit
In case of recurring audit, the auditor shall establish the continuing relevance of the evidence from a
previous audit about the operating effectiveness of specific controls by obtaining audit evidence about
whether significant changes in those controls have occurred subsequent to the previous audit.
a. If there have been changes that affect the continuing relevance of the audit evidence from the
previous audit, the auditor shall test the controls in the current audit.
b. If there have not been such changes, the auditor shall test the controls at least once in every
third audit, and shall test some controls each audit to avoid the possibility of testing all the controls
on which the auditor intends to rely in a single audit period with no testing of controls in the
subsequent two audit periods.

Significant Risk
Definition

Significant risk is an identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration.

Auditor’s consideration

The auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
a. Whether the risk is a risk of fraud;
b. Whether the risk is related to recent significant economic, accounting or other developments and,
therefore, requires specific attention;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of business for
the entity, or that otherwise appear to be unusual.
When the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of
the entity’s controls, including control activities, relevant to that risk.
If the auditor plans to rely on such controls, the auditor shall test those controls in the current period even if
there were no significant changes that have occurred from those controls.

2. Make a re-assessment of control risk

After testing the controls, the auditor shall make a reassessment of control risk. Below is a summary of
the effect of reassessment of control risk on audit approach.
 Reassessment of Audit Approach Effect on Substantive Test
Control Risk
Assessment remains at Less Reliance approach  Less effective procedures
than High  Interim testing may be appropriate
 Smaller sample size
Assessment is changed to High Switch to no  More effective procedures
Reliance approach  Tests moved to nearer or at year- end
 Larger sample size

3. Perform substantive procedures

Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance, and disclosure.

C. DOCUMENTATION AND COMMUNICATION

1. Below is a summary of the required documentation by the standards related to study and evaluation of
internal control.

Control Risk Understanding of Control risk Basis for the control

Assessment internal control assessment risk assessment
High Yes Yes No
Less than high Yes Yes Yes

2. Material Weakness in Internal Control

The auditor shall communicate material weaknesses in internal control identified during the audit on a timely
basis to

a. management at an appropriate level of responsibility; and

b. with those charged with governance (unless all of those charged with governance are involved in
managing the entity).