CONSIDERATION OF INTERNAL CONTROL IN
A FINANCIAL STATEMENT AUDIT
INTERNAL CONTROL
START – SYSTEM – MANAGEMENT –
SUCCESS
PSA 315 (Redrafted)
Scope:
Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity
and Its Environment including its Internal Control
INTRODUCTION
The success of the business operations and
performance of the entity relies in its ability to
achieve operating and organizational goals and
objectives
How to attain these objectives and goals:
 Combined efforts of those charged with
governance, management, and
personnel within the entity
 A system to oversee the carrying out of
policies and procedures to achieve the
objectives and goals
Widely accepted concept in Audit Theory and
Practice:
The importance of the client's System of Internal
Control to generate reliable financial information
An excellent system of Internal Control that
includes adequate controls for:
 Providing reliable data
 Safeguarding assets and records
Result:
The amount of audit evidence to be accumulated
can be significantly less than when controls are
not adequate
INTERNAL CONTROL
Definition:
The process designed, implemented, and
maintained by those charged with governance,
management and other personnel to provide
reasonable assurance about the achievement of
an entity's objectives with regard to reliability of
financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws
and regulations.
Summary of definition
1. Policy & procedure adopted by:
 Those charge with governance
 Management
 employees
2. To achieve objectives of:
 Reliability of financial reporting
 Effective and efficient operation
 Compliance with applicable laws and
regulations
Internal Control is designed and implemented to
address identified business risks that threaten
the achievement of the entity's goals and
objectives.
Objectives of Internal Control:
 Reliability of entity's financial Reporting
 Effectiveness and Efficiency of
Operations
 Compliance with Applicable Laws and
Regulations
INTERNAL CONTROL
An internal control system consists of all the
policies and procedures adopted by management
of an entity to assist in achieving management's
objective of ensuring, as far as practice orderly
and efficient conduct of its using including
adherence to management policies the
safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and
completeness of the accounting records, and the
timely preparation of reliable financial
information.
Functions of Internal Control:
 Preventive controls - deter problems
before they arise
 Detective controls - needed to discover
problem as they arise
 Corrective controls - remedy the
problems discovered with detective
controls
People responsible for effective Internal
Control:
 Management
 Those Charged with Governance
 Employees and Other Personnel
Internal Control Under the PSA
Elements of Internal Control:
 Control Environment (top)
 The Entity's Risk Assessment Process
(implemented by top)
 The Information System including
Business Processes and Communication
(library)
 Control Activities
 Monitoring of Control
Internal Controls: An Overview
Control Environment
The overall attitude, awareness, actions of those
charged with governance, management, and
employees on the system and its importance to
the entity.
 It sets the tone of an organization,
influencing the control consciousness
providing discipline and structure
 Governs behavior as envisioned in the
culture created by management and
directors
Control Environment
Some Factors:
• Communication and enforcement of
integrity and ethical values
• Commitment to competence
• Participation by those charged with
governance
• Management's philosophy and operating
style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and procedures
FACTORS THAT COMPRISE THE CONTROL
ENVIRONMENT
A. Communication and Enforcement of
Integrity and Ethical Values
➤ Integrity and ethical values include the
removal and reduction process to eliminate
temptation for personnel to commit fraud, illegal
acts
➤ Communication of values and behavioral
standards to personnel through policy statement
(example: code of conduct)
Management should establish ethical standards
that discourage employees from engaging in
dishonest, unethical, or illegal acts that could
materially affect the financial statements
B. Commitment to Competence
➤ Competence is the knowledge and Skills
necessary to accomplish jobs
➤ Management gives impetus on competence
level for a certain job.
➤ The objective is to accomplish the job at the
highest application of skill and competence.
➤ Management hires employees competent to
perform the task
C. Participation of Those Charged with
Governance
➤ Active involvement of the Directors in the
Control Consciousness
➤ Codes of Practice and Regulations are
adopted to ensure active involvement
➤ Oversight of the Design and Effective
operation of whistle blower procedures
➤ Review of the effectiveness of the entity's
Internal Control
Whistle Blower - A person who exposes
misconduct, alleged dishonesty or illegal activity
occurring in an organization.
D. Management's Philosophy and Operating
Style
❖Consideration and monitoring business risk
❖Conservative or aggressive selection from
alternative accounting principles
❖Consciousness and conservatism in
developing accounting estimates
❖Attitude toward information processing,
accounting function, personnel
❖Meeting budget, profit and established goals
affecting financial statements
E. Organizational Structure
 Assist the entity in meeting goals and
objectives
 Transactions are processed, recorded,
summarized, and reported accurately
and timely
 Refers to the framework that dictates
how activities are planned, executed,
controlled, and reviewed
 Considers key areas of authority and
responsibilities and appropriate lines of
reporting
 Depends on the size and nature of
activities
F. Assignment of Authority and
Responsibilities:
➤ Delineation of Authority and Functions
➤ No overlapping of Functions for Effective
attainment of objectives (Job descriptions)
G. Human Resource Policies and Practices:
➤ Policies on recruitment, orientation, training,
counseling
➤ Hiring Standards and Requirements to
achieve all these factors in Control Environment
LIMITATIONS OF THE CONTROL
ENVIRONMENT
• Not an absolute deterrent in Fraud
• Weaknesses in Control Environment undermine
effectiveness of Internal Control System
• Does not prevent or detect or correct a Material
Misstatement
However, it may influence evaluation of
effectiveness of other controls
Specific Examples of Control Environment: 9. New Accounting Pronouncements

1. Organizational Chart Specific Examples of Risk Assessment:

2. Corporate Governance
1. Relocation of Site
3. Board Risk Committees
2. Conversion to IT System
4. Internal Audit
3. New appointed Managers & Supervisors
5. Identification card
4. New Board Members
6. Company Uniforms
5. Branching
7. Working hours
6. Consolidation & Merger
8. Audit Committee
7. Overseas Expansion
Entity's Risk Assessment Process
INFORMATION SYSTEM
➤ Identification, Analysis, Management of risks
 Consists of Infrastructure (physical and
pertaining to preparation of Financial Statements
hardware components), Software,

➤ Identifying and responding to Business Risk People, Procedures, and Data

and results thereof.  Well designed Information System is

effective in reducing risks of Material
➤ Estimating the significance of the risk Misstatement
 Auditor should know, understand:
➤ Assessing the likelihood of their occurrence
- The process that affects significant balances
➤ Deciding about actions to address those risks
- How transactions are initiated
Entity's Risk Assessment Process
- How documents and records are generated
Relevant Risks include:
- How the documents and records flow to the
➤ External and internal events and
Financial Statements
circumstances that may occur
INFORMATION SYSTEM
➤ Adversely affect ability to initiate, record,
Consists of procedures and records
process and report financial data consistent with
established to:
the assertions in the financial statement
 Initiate, Record, Process and Report
Risks may arise from these circumstances:
entity transactions
1. Change in operating environment  Maintain accountability for the related
2. New personnel Assets, Liability, Equity
3. New or revamped information system  Resolve incorrect processing
4. Rapid growth transactions
5. New technology  Process and Account for system
6. New business models, products, or overrides or bypasses to controls
activities  Transfer information from transaction
7. Corporate Restructuring processing system to the general ledger
8. Expanded Foreign Operations
  Capture information relevant to financial
reporting other than transactions
 Ensure information to be disclosed is
accumulated, recorded, processed,
summarized and appropriately reported
in the financial statements
Journal entries - An entity's information system
includes the use of:
1. Standard Journal Entries
2. Required on a recurring basis to record
transactions.
Non-standard Journal Entries - To record non-
Standard transactions or adjustments
INFORMATION SYSTEM
Business Processes:
 Develop, Purchase, Produce, Sell, and
Distribute products and services
 Ensure compliance with Laws and
Regulations
INFORMATION SYSTEM
Consists of procedures and records
established to:
1. Identify and Record all valid transactions
2. Describe the transactions in detail for
proper classification
3. Measure the value of transactions for
proper monetary value
4. Determine the time period to record
transactions in the proper accounting
period
5. Present the transactions and disclosures
in the Financial Statements
Communication
 Providing and Understanding individual
roles and responsibilities pertaining to
Internal Control
 Takes forms as policy manuals,
accounting and financial reporting
manuals, memoranda
 Produced electronically or orally,
 Through the action of Management
Specific Examples of Information &
Communications:
1. Journal Entries
2. Accounting Cycle
3. Assertion level
4. Flow Chart
5. Classes of Transactions
6. IFRS/PFRS
7. Financial Statements
CONTROL ACTIVITIES
➤ Policies and procedures that help ensure that
management's directives are carried out.
➤ Various objectives applied at various
organizational and functional levels
Major categories of control activities:
1. Performance reviews (actual vs.
standard)
2. Information processing controls
3. Physical control and access to assets
4. Adequate documents and records
Performance Reviews:
➤ Actual performance with:
- Budget, forecast
- Prior period performance
- Competitor's data
- Tracking major initiative or cost reduction
program
➤ Investigative performance and corrective
actions
- Purchase price variances
- Percentage of returns
- Causes of anomalies committed
➤ Review of functional or activity
performance
INFORMATION PROCESSING CONTROLS
: Policies and Procedures designed to require
authorization of transactions and ensure the
accuracy and completeness of transaction
processing
Information Processing Controls
Classified as:
➤Application controls:
- Checking arithmetical accuracy or records
- Maintaining and reviewing accounts and trial
balance
- Automated controls thru edit checks of input
data
- Numerical sequence checks
- Manual follow-up of audit exceptions
➤General-IT Controls:
- Activities to prevent or detect errors or
irregularities
- Policies and procedures applications to support
the effective functioning of information system
- Controls that restrict access to programs or
data
- Controls over the implementation of new
releases of software applications
- Protections from hacking, piracy, unauthorized
access to data
Internal controls in accounting system to
achieve objectives:
 Transactions are performed in
accordance with management's proper
authorization
 Prompt booking or recognition of all
transaction and events in correct
amount, appropriate account, and proper
accounting period
 Access to assets is permitted only in
accordance with management's
authorization
 Existing assets is compared against
recorded assets at reasonable intervals
and appropriate actions are taken
against discrepancies
Control activities related to the transaction
process:
Proper authorization of transaction activities:
 Certain conditions to be met prior to
booking of transactions
 Flows from stockholders to governance
to management to subordinates
 Creation of accounting and auditing path
Segregation of duties:
➤Safeguards assets
➤ Ensures reliability of the accounting records
➤No one person to control an entire phase of
transaction
Physical control and access to assets:
1. Physical security of assets
2. Authorization for access to computer
programs and data files
3. Periodic counting and comparison with
control records
Adequate documents and records:
 Reasonable Assurance that all valid
transactions have been recorded
 Use of controlling accounts
 Proof of accuracy to assure correctness
of operation
Independent check on performance
Periodically compare the actual asset with the
recorded balance
 Periodic count of assets and comparing
the counts to the balances in the GL
account
 Examples: inventory count, bank
reconciliation
Segregation of Duties
To achieve optimum segregation of duties
and responsibilities, the following functions
should be performed by different employees:
1. Independent checks or internal audits
2. Custody of assets
3. Authorization of transactions
4. Recording of transactions
5. Execution of transactions
However, if it is impractical to segregate the
above functions, at a minimum, three
functions must be segregated:
1. Custody of Assets
2. Authorization of Transactions
3. Recording of Transactions
Specific Examples of Control Activities:
1. Warehousing
2. FIFO valuation method
3. Cash box
4. Cash vault
5. Non-detachable Equipment Label
6. Cashiering
7. Levels of authorization
Monitoring of Controls
The process that an entity uses to assess the
quality of internal control over time:
 To establish and maintain internal control
on an ongoing basis
 Whether controls are operating and
appropriate for changes
 Communication from external parties to
detect problems or areas for
improvement.
 Internal auditors evaluate the design and
operation of controls and communicate
strength and weaknesses
 Built into the normal activities of an entity
and include regular management and
supervisory activities
Specific Examples of Monitoring activities:
1. Management Fraud
2. Those Charge With Governance
Qualification
3. Annual Stockholders' Meeting
4. Proxy Voting
5. Audit Report
6. Improper disposal of documents
7. Document Retention Period
Limitations of Internal Control System
1. Errors by personnel
2. Collusion
3. Management override
4. Present conditions are not guaranteed in
the Future
5. Cost-Benefit Relationship
6. Controls are directed to routine
transactions rather than non-routine
transactions
Auditors are not responsible for establishing
and maintaining an entity's accounting and
internal control systems
This is the responsibility of the management
Nevertheless, Auditors should give adequate
consideration to these controls
Reasons:
1. The quality of the entity's control systems
have a significant impact on the Audit
2. There is a direct relationship between an
entity's objectives and the control it
implements to assure the attainment of
these objectives
Responsibilities of an Auditor:
1. Plan the audit sufficiently
2. Assess control risk
Means to accomplish the responsibilities:
 Obtain an understanding of accounting
and internal controls
 Use professional judgment to assess
audit risk
 Design audit procedures to reduce risk to
an acceptably low level
Objectives of the study of Internal Control:
 Plan the Audit
 Assess Control Risk:
1. Assess control risk below maximum;
2. Evaluate effectiveness of control
placed in operation
Assess control risk below Maximum: Identify,
in each assertion, the specific controls to prevent
or detect material misstatements
Evaluate effectiveness of existing controls:
Perform tests to determine if controls are applied
(This phase is not required in the planning stage)
Factors to consider in Risk Assessment
• Design of controls: Existence and
Applications
• Effectiveness of Control: How the controls
effectively function
STAGES OF STUDY AND EVALUATION OF
INTERNAL CONTROL
1. Obtaining an understanding the entity's
internal control structure
2. Assessing the preliminary level of control
risk
3. Obtaining evidential matter to support the
assessed level of control risk
4. Evaluating the results of evidential matter
5. Determining the necessary level of
detection risk
The Audit Process
1. Pre- Engagement
2. Audit Planning
3. Study & Evaluation of Internal Control
4. Substantive Testing
5. Completing the Audit
6. Issuance of the Audit Report
7. Post Audit Responsibilities
Obtaining an Understanding of the Entity's
Internal Control Structure
• Understanding the control environment
• Understanding control procedures
• Understanding the accounting and internal
control systems
• Documentation of understanding
Determining whether controls have been
implemented: Accomplished by performing
"walk through" test.
Walk-through test: Involves tracing one or two 3. Difficult to spot weakness in internal
transactions through the entire accounting control
systems, from their initial recording at source to
Audit Process
their final destination as a component of an
account balance in the financial statement Planning stage:

Documentation of the Auditor's 1. Appointment of auditors

Understanding of Internal Control: 2. Plan the audit
3. Understand client
1. Internal Control Questionnaire
4. Risk assessment
2. Flowcharts
5. Assess internal controls as effective?
3. Narrative description
4. Internal Control Checklist Yes: Test of controls
5. Decision tables
No: Report control weakness to client
Internal Control Questionnaire: Contains a
Evidence gathering stage:
series of questions designed to detect control
weaknesses. Test of controls: Internal controls are effective?

Advantages: Yes: Less substantive procedures

1. Presence or absence of all controls listed
2. Uniform attestation of system review
3. Guide to the audit staff
4. Detection of weakness and compliance
5. Easy to update
Disadvantages:
No: Report control weakness to client;
- More substantive procedures
Completion stage:
- Overall review of financial statements
- Audit report

1. Automatic and Routine OTHER WAYS (chronological order):

2. Controls listed are generalized
1. Background Research
3. Overlook pertinent control
2. Announcement Letter and Entrance
Flowcharts: Symbolic diagram of a specific part Conference
of the control system indicating sequential flow of 3. Survey Phase (planning and limited
data and/or authority testing)
4. Fieldwork
Advantages:
5. Exit Conference
1. Easily understood 6. Draft Report
2. Better overall picture of complex system, 7. Agency Comments (30 days)
3. Parallels EDP documentation 8. Final Report and Follow-up
4. Easy to update

Disadvantages:

1. Requires Higher level of knowledge

2. Takes time to prepare
Narrative Description: Written description of a
particular phase or phases of a Control System
Advantages:
1. Flexible and swift tailor-made
2. detailed analysis makes the auditor
understand the system
Disadvantages:
1. May lack the ability to describe correctly
and concisely
2. Needs more time and careful study
3. Poorly written narrative may mislead the
audit objectives.
INTERNAL CONTROL CHECKLIST
This contains a detailed enumeration of the
methods and practices which characterize good
internal control or of item to be considered in
reviewing internal control.
The checklist basically provides only a guide to
review the internal control of the auditee and
does not represent a record of the auditor's
findings. In most cases therefore, this tool is used
together with the narrative approach.
HOW ADEQUACY OR INADEQUACY OF
INTERNAL CONTROL AFFECTS AUDIT
PROCEDURES
- It should be remembered that the purpose of an
audit engagement is to determine whether the
financial statements are fairly presented in
accordance with financial reporting standards.
- The audit is not specifically designed to search
for errors or irregularities although during the
study and evaluation of internal accounting
control system and the performance of
substantive tests, errors or irregularities may be
discovered.
- The auditor must consider the audit implication
when errors or irregularities are likely to exist.
- Initially, discussion with management personnel
may be made. If it appears that material errors
and irregularities could occur, this fact must be
communicated to the board of directors
FIVE COMPONENTS AND THE PRINCIPLES
REPRESENTATIVE OF THE FUNDAMENTAL
CONCEPTS ASSOCIATED WITH THE
COMPONENT
1. Control Environment
Description: The collective effect on an entity's
board, management, and owner's on
establishing, enhancing, or mitigating the
effectiveness of control policies or procedures.
The control environment sets the tone and
provides discipline and structure.
Applicable Principles:
1. Demonstrates a commitment to integrity and
ethical values.
2. Demonstrates independence of the board of
directors from management and exercises
oversight for the development and performance
of internal control.
3. Establishes, with board oversight, structures,
reporting lines, and appropriate authorities and
responsibilities in pursuit of objectives.
4. Demonstrates a commitment to attract,
develop, and retain competent individuals in
alignment with objectives.
5. Holds individuals accountable for their internal
control responsibilities in the pursuit of
objectives.
2. Risk Assessment to the achievement of preparing reliable financial
statements. Control activities pertain to
Description: Management's efforts to identify,
performance physical controls, and segregation
analyze, and manage risks pertaining to the
of duties.
preparation of financial statements.
Applicable Principles:
Applicable Principles:
1. Selects and develops control activities that
1. Specifies objectives with sufficient clarity to
contribute to the mitigation of risks to the
enable the identification and assessment of risks
achievement of objectives to acceptable levels.
relating to objectives.
2. Selects and develops general control activities
2. Identifies risks to the achievement of its
over technology to support the achievement of
objectives across the entity and analyzes risks as
objectives.
a basis for determining how the risks should be
managed. 3. Deploys control activities through policies that
establish what is expected and in procedures that
3. Considers the potential for fraud in assessing
put policies into action.
risks to the achievement of objectives.
5. Monitoring
4. Identifies and assess changes that could
significantly impact the system of internal control. Description: The process an entity uses to
assess the quality of internal control over time
3. Information and Communication
Applicable Principles:
Description: The entity's information system and
procedures for communicating matters related to 1. Selects, develops, and performs ongoing
the processing of accounting data. This and/or separate evaluations to ascertain whether
component generates the financial statements. the components of internal control are present
and functioning.
Applicable Principles:
2. Evaluates and communicates internal control
1. Obtains or generates and uses relevant,
deficiencies in a timely manner to those parties
quality Information to support the functioning of
responsible for taking correction action, including
other components of internal control.
senior management and the board of directors,
2. Internally communicates Information, including as appropriate.
objectives and responsibilities for internal control,
necessary to support the functioning of other
components of internal control.

3. Communicates with external parties regarding

matters affecting the functioning of other
components of internal control.

4. Control Activities

Description: Policies and procedures to ensure

that necessary actions are taken to address risks