CHAPTER 3

INTERNAL CONTROL CONSIDERATION AND RESPONSES TO ASSESSED RISKS

Glen DV. De Leon, CPA, MBA, Ph. D, SFRIM, FRIEDr, FRIAcc, FBE

TOPIC OVERVIEW:

This chapter discusses internal controls, assessment of control risk and how will it affect audit procedures.

LEARNING OBJECTIVES:

After studying this chapter, you should be able to:

1. Describe the objectives and inherent limitation of an internal control.

2. Identify and explain each component of internal control.
3. Describe the appropriate responses of the auditor to assessed risks.
4. Explain test of controls and substantive procedures and identify how they are affected by assessed risk.

INTERNAL CONTROL CONSIDERATION

The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the
audit and develop an effective audit approach.

The auditor uses the understanding of internal control to identify types of potential misstatement, consider factors
that affect the risks of material misstatement, and design the nature, timing, and extent of further audit procedures.

ACCOUNTING AND INTERNAL CONTROL SYSTEMS

Accounting system is a series of tasks and records of an entity by which transactions are processed as a means of
maintaining financial records. Such systems identify, assemble, analyze, calculate, classify, record, summarize and
report transactions and other events.

Internal Control System means all the policies and procedures (internal controls) adopted by the management of
an entity to assist in achieving management’s objective of ensuring, as far as practicable:

 orderly and efficient conduct of its business, including adherence to management policies;
 safeguarding of assets;
 prevention and detection of fraud and error;
 accuracy and completeness of the accounting records; and
 timely preparation of reliable financial information.

The internal control system extends beyond those matters which relate directly to the functions of the accounting
system.

ENTITY’S INTERNAL CONTROL

Internal control is a process, effected by those charged with governance, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

a. Effectiveness and efficiency of operations;

b. Reliability of financial reporting; and
c. Compliance with applicable laws and regulations.

Assurance provided by internal control

There is a direct relationship between an entity’s objectives and the controls which are implemented to provide
assurance of their achievement. However, no matter how well designed and operated, internal control can only
provide reasonable assurance.

Inherent Limitations of Internal Control

The internal control can only provide reasonable assurance because of inherent limitations that may affect the
effectiveness of internal controls. Such limitations include: (COC CHA)

 Management usual requirement that a control be cost-effective (Cost-benefit consideration);

 The possibility that a person responsible for exercising control could abuse that responsibility
(Management Overriding the control);
 The possibility of circumvention of controls through Collusion with parties outside the entity or with
employees of the entity;

1
  The possibility that procedures may become inadequate due to Changes in condition and compliance with
procedures may deteriorate;
 The potential for Human error due to carelessness, distraction, mistakes of judgment or the
misunderstanding of instructions; and
 The fact that most controls tend to be directed at Anticipates types (routine) of transactions and not at
unusual (non-routine) transactions.

Areas of Internal Control

Areas of internal control can be classified as either administrative control or accounting control.

Administrative control includes, but is not limited to, plan of organization and the procedures and records that are
concerned with the decision processes leading to management’s authorization of transactions. Administrative
controls promote operational efficiency and adherence to managerial policies.

On the other hand, accounting control comprises the plan of organization and the procedures and records that are
concerned with the safeguarding of assets and the reliability of financial records. It involves systems of authorization
and approval controls over assets, internal audit and all other financial matters.

Controls Relevant to the Audit

The auditor’s risk assessment process relates to controls pertaining to the entity’s objective of preparing financial
statements for external purposes and the management risk that may give rise to a material misstatement in those
financial statements.

It is a matter of professional judgment, subject to the requirements of PSA, whether a control, individually or in
combination with others, is relevant to the auditor’s considerations in assessing the risks of material misstatement
and designing and performing further procedures in response to assessed risks. In exercising that judgment, the
auditor considers the applicable component and factors such as the following:

a. The auditor’s judgment about materiality;

b. The size of the entity;
c. The nature of the entity’s business, including its organization and ownership characteristics;
d. The diversity and complexity of the entity’s operations;
e. Applicable legal and regulatory requirements; and
f. The nature and complexity of the systems that are part of the entity’s internal control, including the use of
service organizations.

Components of Internal Control

Internal control, as discussed in PSA 315 (Redrafted), consists of the following components: (CRIME)

a. Control Environment
b. Entity’s Risk assessment process
c. Information and communication systems
d. Control Activities
e. Monitoring of Controls

A. The control environment

The control environment includes the governance and management functions and the attitudes, awareness, and
actions of those charged with governance and management concerning the entity’s internal control and its
importance in the entity.

Elements of control environment: (IM CPA HO)

1. Communication and enforcement of Integrity and ethical values;

2. Management’s philosophy and operating style;
3. Commitment to competence;
4. Participation by those charged with governance;
5. Assignment of authority and responsibility;
6. Human resources policies and procedures; and
7. Organizational structure.

B. The entity’s risk assessment process

An entity’s risk assessment process is the process of identifying and responding to business risks and the results
thereof.

2
For financial reporting purposes, the entity’s risk assessment process includes how management identifies risks
relevant to the preparation of financial statements that are presented fairly, in all material respects in accordance
with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of
their occurrence, and decides upon actions to manage them.

Risk can arise of change due to circumstances such as the following:

a. Changes in operating environment

b. New personnel
c. New or revamped information systems
d. Rapid growth
e. New technology
f. New business models, products, or activities
g. Corporate restructurings
h. Expanded foreign operations
i. New accounting pronouncements

The auditor shall obtain an understanding of whether the entity has a process for: (IAM)

 Identifying business risks relevant to financial reporting objectives

 Assessing the significance of risks and the likelihood of their occurrence
 Deciding how to Manage those risks

C. The information system, including the related business processes relevant to financial reporting, and
communication.

An information system consists of

a. Infrastructure (physical and hardware components);

b. Software (processes and procedures);
c. People;
d. Input or data; and
e. Output or meaningful information.

NOTE: Infrastructure and software will be absent, or have less significance in systems that are exclusively or
primarily manual.

The information system relevant to financial reporting objectives, such as the financial reporting system, consists of
the procedures and records established to initiate, record, process and report entity transactions (as well as events
and conditions) and to maintain accountability for the related assets, liabilities, and equity.

Communication of financial reporting roles and responsibilities and significant matters relating to financial reporting
includes:

a. Communications between management and those charged with governance and

b. External communications, such as those with regulatory authorities

D. Control activities relevant to the audit

Control activities are the policies and procedures to help ensure that management directives are carried out.

Examples of control activities include those relating to the following: (APIPS)

a. Authorization
 Specific authorization (for unusual, material, or infrequent projects)
 General authorization (for regular transactions)
b. Performance reviews (actual performance versus budget, forecasts, and prior period performance)
c. Information processing (form initiation up to the eventual inclusion of transaction in financial reports)
d. Physical controls (for both assets and documents)
e. Segregation of duties
To achieve optimum segregation of responsibilities, the following functions shoul be performed by
different employees: (I CARE)
 Independent checks
 Custody of assets
 Authorization of transactions
 Execution of transactions

E. Monitoring of controls.

3
Monitoring is the process of assessing the quality of internal control performance over time. It involves assessing the
design and operations of controls on a timely basis and taking necessary corrective actions. Monitoring is done to
ensure that controls continue to operate effectively.

Monitoring can be accomplished through

a. Ongoing monitoring activities (performed by persons within the same line function)
b. Separate evaluations (performed by internal auditors, audit committee, and/or external auditors
c. Combination of the two.

RESPONSES TO ASSESSED RISKS

The auditor shall design and implement overall responses to address the assessed risks of material misstatement at
the financial statement level.

Moreover, the auditor shall design and perform further audit procedures whose nature, timing, and extent are based
on and are responsive to the assessed risks of material misstatement at the assertion level.

In designing the further audit procedures to be performed, the auditor shall:

a. Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for
each class of transactions, account balance, and disclosure, including:
i. The likelihood of material misstatement due to the particular characteristics of the relevant class of
transactions, account balance, or disclosure (i.e., the inherent risk); and
ii. Whether the risk assessment takes account of relevant controls (i.e., the control risk), thereby
requiring the auditor to obtain audit evidence to determine whether the controls are operating
effectively (i.e., the auditor intends to rely on the operating effectiveness of controls in
determining the nature timing and extent of substantive procedures); and
b. Obtain more persuasive audit evidence, the higher the auditor’s assessment of risk.

TESTS OF CONTROLS

The auditor should give adequate consideration to controls relevant to the audit. The quality of the entity’s internal
control can have a significant impact in determining the nature, timing and extent of the audit procedures in
gathering audit evidence related to class of transactions, account balances and disclosures.

The auditor shall design and perform test of controls to obtain sufficient appropriate audit evidence as to the
operating effectiveness of relevant controls when:

a. The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation
that the controls are operating effectively (i.e., the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures); or
b. Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

Tests of controls over the design of a policy or procedure include Inquiry, Observation, Inspection, Reperformance
and Walk-through tests.

SUBSTANTIVE PROCEDURES

Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance, and disclosure.

Summary of Procedures Performed in Consideration of Internal Control

Risk assessment procedures Further audit procedures

Obtain an Control risk Perform

understanding of at maximum Substantive
the internal Make a preliminary level tests
control focusing assessment of
on the design and Control Risk Control risk
at below Perform Test
implementation
maximum of controls
of the controls
level
Perform Control risk at
Substantive tests maximum level Make a
reassessment
Control risk at of Control Risk
Perform 4 below
Substantive tests maximum level
Effect of the reassessment of control risk on the audit approach
Reassessment of Control Risk Audit Approach Effect on Substantive Test
CR assessment remains at Less than Reliance approach  Less effective procedures
High  Interim testing may be
appropriate
 Smaller sample size
CR assessment is changed to High Switch to no Reliance approach  More effective procedures
 Tests nearer or at year-end
 Larger sample size

Documentation requirements
Control Risk Assessment Understanding of Control risk assessment Basis for the control risk
internal control assessment
High Yes Yes No
Less than high Yes Yes Yes