CHAPTER 6

Consideration of

INTERNAL
CONTROL
Group 3 | Presentation
NATURE OF
I NTE RNAL CONTRO L
PSA 315 defines internal control as the process designed
and effected by those charged with governance,
management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives
with regard to reliability of financial reporting,
effectiveness, and efficiency of operations and compliance
with applicable laws and regulations.
 COMPONENTS OF
INTERNAL CONTROL
CONTROL ENVIRONMENT

RISK ASSESSMENT

CONTROL ACTIVITIES/PROCEDURES

INFORMATION AND COMMUNICATION

MONITORING
 CONTROL
ENVIRONMENT
The attitude of an organization’s management, its management
style, corporate culture and values are the essence of an
efficient control. If management believes control is important,
others in the company will observe the control policies and
procedures. If employees in the organization feel control is not
important to top management, it will not be important to them.
The control environment consists of the actions, policies and
procedures that reflect the overall attitudes of top management,
directors, and owners.
There are number of specific features or factors that usually contribute
to a successful control environment and which may be used as
indicators of the quality of the control environment of a particular
organization. The factors are:

• Commitment to integrity and ethical values

• Commitment to competence and quality
• Independence, integrity and openness at the board of director ’s
level
• Leadership in control by example (management philosophy and
operating style)
• An appropriate organizational structure
• Appropriate delegation of authority with accountability
• Appropriate human resource policies and practices
 COMMITMENT TO INTEGRITY
AND ETHICAL VALUES
The effectiveness of internal control cannot rise above the integrity
and ethical values of the people who create, administer and monitor
them. Integrity and ethical values of the enterprise and how they are
communicated to employees and reinforced in practice promotes
business and customer confidence and affects the way in which
company employees view their work. Setting a good example is not
enough. Top management should verbally communicate the entity’s
values and behavioral standards to employees.
 COMMITMENT TO
COMPETENCE AND QUALITY

A company’s control environment will be more effective if its

culture is one in which quality and competence are openly
valued. Competence is the knowledge and skills necessary to
accomplish tasks that define the individual’s job.
 INDEPENDENCE, INTEGRITY
AND OPENNESS AT THE BOARD
OF DIRECTOR’S LEVEL
The control environment and ‘tone at the top’ are significantly
influenced by the entity’s board of directors and audit committee. An
active and involved board of directors possessing an appropriate degree
of management, technical and other expertise coupled with the
necessary stature and mind-set so that it can adequately perform the
necessary governance, guidance and oversight responsibilities is critical
to effective internal control. Because the board must be prepared to
question and scrutinize management’s activities.
 LEADERSHIP IN CONTROL BY
EXAMPLE (MANAGEMENT
PHILOSOPHY AND OPERATING
STYLE)
A personal example set by top management and the board
provides a clear signal to employees about the company’s
culture and about the importance of control.
 AN APPROPRIATE
ORGANIZATIONAL
STRUCTURE

The entity’s organizational structure provides the

framework within which business activities are planned,
executed, controlled, and monitored.
 APPROPRIATE DELEGATION
OF AUTHORITY WITH
ACCOUNTABILITY
Appropriate delegations requires that the board surrender the
control of business decisions to executive managers and staff who
are closer to day-to-day business transactions. This delegation
does not involve the surrender of ultimate responsibility. Before it
can delegate, a board must take a positive decision to set limits on
what levels of risk are acceptable.
 APPROPRIATE HUMAN
RESOURCE POLICIES AND
PRACTICES
The most important element of control environment is personnel.
With trustworthy and competent employees, other controls can be
absent and reliable financial statements will still result. Honest,
efficient people are able to perform at a high level even when there
are few other controls to support them.
 RISK ASSESSMENT
Entity's business objectives cannot be achieved without some risks.
Business risk that the entity's business objective will not be attained as
a result of internal and external factors such as technological
developments, changes in customer demand, and economic changes.

Business risks are crucial to every organization. Management should

adopt policies and procedures that are designed to identify and analyze
the risks affecting the entity's business and to take appropriate action to
manage these risks. For audit purposes, the auditor is concerned only
with those risks that are relevant to the preparation of reliable financial
statements.
 CONTROL
ACTIVITIES/PROCEDUR
ES
Control activities are policies and procedures that help
ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to the
achievement of the entity’s objectives for operations,
financial reporting or compliance.
 CONTROL
ACTIVITIES/PROCEDUR
ES
Control procedures implements the control policies by
specific routine tasks, performed at particular times by
designated people, held accountable by adequate supervision
and evidence of performance. Control procedures entail three
fundamental functions which must be separated and
adequately supervised:
 CONTROL
ACTIVITIES/PROCEDUR
ES
• A u t h o ri z a t i o n i s t h e d e l e g a t i o n o f i n i t i a t i o n o f t ra n s a c t i o n s
a n d o b l i g a t i o n s o n t h e c o m p a n y ’s b e h a l f .
• C u s t o d y i s p h y s i c a l c o n t r o l o v e r a s se t s o r r e c o rd s.
• Recording is the creation of documentary evidence of a
t ra n sa c t i o n a n d i t s e n t r y in t o t h e a c c o u n ti n g r e c o r d s .
Control procedures are usually considered to fall into five
categories:

• Adequate segregation of duties;

• Proper authorization of transactions and activities;
• Physical custody control over assets and records;
• Independent checks on performance; and
• Adequate documents and records
 INFORMATION
AND
COMMUNICATIO
Every enterprise must capture pertinent information related
to both internal and external events and activities in both
N
financial and non-financial forms. The information must be
identified by the management as relevant and delivered to
people who need it in a form and time-frame that allows
them to carry out their control and responsibilities.
 INFORMATION
AND
COMMUNICATIO
Information systems produce reports containing

N
operational, financial and compliance-related information.
They deal not only with internally generated data, but also
information about external events necessary to make
informed business decisions and comply with external
reporting.
 MONITORING
Internal control systems need to be monitored; a process that
deals with ongoing or periodic assessment of the
effectiveness of their design and operation. By monitoring,
management can determine that internal controls are
operating as intended and that they are modified as
appropriate for changes in conditions.
 MONITORING
Internal control system changes over time. The way controls
are applied may evolve. Some procedures can become less
effective, or perhaps are no longer performed. This can be
due to the arrival of new personnel, the varying effectiveness
of training and supervision, time and resource constraints or
additional pressures.
 INTERNAL CONTROL
FOR SMALL BUSINESS
In small business, with very few office employees, it is difficult to have
proper segregation of duties or maintain a separate internal audit
department. Consequently, internal control systems in small business
tend to be weak compared to the internal control system of large
entities. These weaknesses, however, can be compensated if the owner/
manager actively participates in the operation of the business.
CONSIDERATION OF
I NTE RNAL CONTRO L
 CONSIDERATION OF
INTERNAL CONTROL
Auditors are not responsible for establishing and maintaining
and entity's accounting and control system: that is the
responsibility of the entity's management. Nevertheless, the
auditors should give adequate consideration to these controls
because the condition of the entity's control system s can have a
significant impact on the audit.
 CONSIDERATION OF
INTERNAL CONTROL
Consideration of the entity's internal control systems involve the
following steps:

• Obtaining understanding of the internal control;

• Documenting and understanding of accounting and
internal control systems;
• Assessing the level of control risks;
• Performing test controls;
• Documenting and assessing level of control risks
 UNDERSTANDING
INTERNAL CONTROL
The auditor should obtain sufficient understanding of the components of the
entity's internal control relevant to the audit. Obtaining an understanding of
internal control involves:
• evaluating the design of the control, and
• determining whether it has been implemented

An initial understanding of the design of the entity's internal control systems is

ordinarily obtained by:
• Making inquiries of appropriate individuals;
• Inspecting documents and records, and;
• Observing of entity's activities and operations.
 UNDERSTANDING
INTERNAL CONTROL
After obtaining sufficient knowledge about the design of the system, the
auditor should determine whether these controls have been implemented.
This is accomplished by performing a "walk - through" test. This task
involves tracing one or two transactions through the entire accounting
systems, from their initial recording at source to their final destination as a
component of an account balance in the financial statements. Walk - through
test also confirms the auditor's understanding of how the accounting systems
and procedures function.
 UNDERSTANDING
INTERNAL CONTROL
It is to be emphasized that the auditor is not required to obtain knowledge about the
operating effectiveness of the internal control when obtaining an understanding of the
entity's internal control system. At this stage of the audit, the auditor is basically
concerned about the design of the relevant control policies and porcedures whether such
controls are actually being applied.

The auditor's understanding of internal control system should be adequate enough to:

• Identify types of potential misstatements can occur;

• Consider factors that affect the risk of material misstatements, and;
• Design the nature, timing, and extent audit procedures to be performed.
 DOCUMENTING THE AUDITOR'S
UNDERSTANDING OF INTERNAL
CONTROL
Subsequent to obtaining sufficient knowledge about the design and implementation of
the internal control, the auditor is required to document his understanding of
accounting and internal control systems. this documentation need not be in any
particular form. The extent of documentation may vary depending on the size and
complexity of the entity and the nature of the entity's internal control systems. Some
commonly used forms of documentation include:

• Narrative description of the entity's internal control;

• Flowchart that diagrams the flow of transactions and documents,
and;
• Internal control questionnaire providing management responses to
questions about internal control.
 ASSESSMENT OF
CONTROL RISK
The auditor's preliminary assessment of control risk may be at high level
(100%) or less than high level.

When the auditor's knowledge of the entity's internal control indicates that
internal control related to a particular assertion are not effective, the auditor
may simply control risk at a high level. Hence, no test of controls need to
performed and the auditor will rely primarily in substantive tests.

On the other hand, if the auditor believes that controls appear to be

reliable, the auditor should determine whether it is efficient to obtain
the evidence to justify an assessment of control risk at a lower level.
 ASSESSMENT OF
CONTROL RISK
If the auditor concludes that it is more efficient to rely on the entity's
internal control systems, the auditor would plan to assess control risk at
less than high level. For this purpose, the auditor should:

• Identify specific internal control policies or procedures that

are likely to prevent or detect and correct material
misstatement relevant to the financial statement assertion,
and;
• Perform test of control to determine the effectiveness of such
policies or procedures.
 PERFORMING OF
TEST OF CONTROLS
Irrespective of how effective internal control procedures may appear to be in
preventing material misstatements from occurring in the financial statements,
before the auditor can rely on them to reduce substantive tests, the auditor
must test these controls to obtain evidence that they are working effectively as
the preliminary assessment suggests.

Test of controls are performed to obtain evidence about the

effectiveness of the:
• Design the accounting and internal control systems;
• Operation of the internal controls throughout the
period.
NATURE OF
TEST OF CONTROLS

TIMING OF
TEST OF CONTROLS

EXTENT OF
TEST OF CONTROLS
 NATURE OF
TEST OF CONTROLS
Test of controls generally consists of one (or a combination) of the
following evidence gathering techniques-

INQUIRY

OBSERVATION

INSPECTION

REPERFORMANCE
NATURE OF
TEST OF CONTROLS

TIMING OF
TEST OF CONTROLS

EXTENT OF
TEST OF CONTROLS
 DOCUMENTING THE
ASSESSED LEVEL OF CONTROL
RISKS
The following table summarizes the documentation requirements for auditors when
considering internal control:

CONTROL RISK AT HIGH CONTROL RISK AT LESS

LEVEL THAN HIGH LEVEL

• Understanding of Internal
REQUIRED REQUIRED
Control

2. Conclusion REQUIRED
REQUIRED

3. Basis for the Conclusion REQUIRED NOT REQUIRED

COMMUNICATION OF
SIGNIFICANT
DEFICIENCIES OF
INTERNAL CONTROL
ANY QUESTIONS?
 THANK YOU

Chapter 6
• Ma. Rose Charlyn P. Rufin
• May Antonette L. Ty