PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1

Lecture Notes

Lesson 4: Internal Control

 Consideration of Internal Control
 Test of Control

Lecture Notes

Internal Control
1. Internal control is the process designed, implemented and maintained by those charge with
governance, management and other personnel to provide reasonable assurance about the
achievement of an entity’s objective with regard to:

a. Reliability of financial reporting

b. Effectiveness and efficiency of operation
c. Compliance with applicable laws and regulation

Components of Internal Control

1. Control Environment
The control environment includes the governance and management function and the attitude,
awareness, and actions of those charge with governance and management concerning the
entity’s internal control and its importance in the entity.

Elements of control environment:

a. Communication and enforcement of integrity and ethical values
b. Commitment to competence
c. Participation by those charge with governance
d. Management philosophy and operation style
e. Organizational structure
f. Assignment of authority and responsibility

The auditor shall obtain an understanding of the control environment. As part of obtaining
this understanding, the auditor shall evaluate whether:
a. Management, with the oversight of those charge with governance, has created and
maintained the culture of honesty and ethical behavior; and
b. The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control, and whether
those other components are not undermined by deficiencies in the control
environment.
PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1
Lecture Notes

2. Risk Assessment Process

The auditor shall obtain an understanding of whether the entity has process for:
a. Identifying business risk relevant to financial reporting objectives
b. Estimating the significance of the risk
c. Assessing the likelihood of their occurrence; and
d. Deciding about actions to address those risks

3. Information System

The auditor shall obtain an understanding of the information system, including the related
business process, relevant to financial reporting including the following areas:

 Classes of transaction in the entity’s operations that are significant to the

financial statements
 The procedures, with both IT and manual system, by which those transactions
are initiated, recorded, processed, corrected as necessary, transferred to the
general ledger and reported in the financial statements
 The related accounting records, whether electronic or manual, supporting
information and specific accounts in the financial statements that are used to
initiate, record, process and report transactions’ this includes the correction of
incorrect information and how information is transferred to the general ledger.
 How the information system captures events and conditions, other than
transactions, that are significant to the financial statements
 The financial reporting process used to prepare the entity’s financial statements
including significant accounting estimates and disclosures
 Controls surrounding journal entries, including non-standard journal entries used
to record non- recurring, unusual transaction or adjustments

The auditor shall obtain an understanding of how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting, including:
 Communication between management and those charge with governance; and
 External communication, such as those with regulatory authorities
PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1
Lecture Notes

4. Control Activities

Control activities are the policies and procedures to help ensure that management directives
are carried out. Example of control activities include those relating to the following:

 Authorization and approval

 Performance reviews and reconciliations
 Information processing
 Physical controls
 Segregation of duties

The auditor shall obtain a sufficient understanding of control activities to:

 Assess the risk of material misstatements at the assertion level;
 Design further audit procedures responsive to assessed risks

5. Monitoring of controls

Monitoring of controls involves assessing the design and operation of controls on a timely basis
and taking the necessary corrective actions modified fir changes in conditions.

Monitoring controls includes (or in combination):

 Ongoing monitoring activities
 Specific/ Separate Evaluation

Elements of Internal Control

C ontrol Activities
R isk Assessments
I nformation system
M onitoring
E nvironment (Control Environment)
 PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1
Lecture Notes

Consideration of Internal Control and Tests of Controls (Refer to the notes below)

Obtain Understanding of the

Client’s Internal Control (Note 1)

Document the Conduct the initial assessment

understanding of of control risk (Note 3)
internal control (Note 2)

HIGH LOW
(Note 3.1) (Note 4)

Perform Substantive Perform Test of

Test Procedures Controls (Note 5)
(Note 3.2)

Effective Ineffective
(Note 5.1) (Note 5.2)

Revise the initial

assessment of control
risk from LOW to
HIGH (Note 5.2)

*Scope of substantive *Scope of substantive test

test (N,T,E) (N,T,E)

Nature- Less effective Nature- Less effective to more

Timing- Perform at effective
interim Timing- Perform at year end
Extent- Smaller samples instead of interim
size Extent- from smaller samples
to larger samples size
*always consider the assessment of inherent risk
PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1
Lecture Notes

Note 1
When obtaining understanding of controls that are relevant to the audit, the auditor shall:
1. Identify the risks which need to be mitigated by the client’s internal control.

“What risk, if not mitigated by internal control could result in material

misstatement in the financial statements?”

2. Evaluate the design of those controls

“Are there controls individually or in combination with other internal controls

capable of preventing and detecting material misstatements?”

The auditor can obtain an understanding about the design of the client’s internal control
by performing inquires, inspection, and observation

3. Determine whether these controls are implemented

“Does the control exist and is the entity using them?”

The auditor can perform the “walk-through test”. This test involves tracing a
transaction step-by-step through the accounting system from its inception to the final
destination as part of the financial statements

Note 2
The auditor should document his/ her understanding of the client’s internal control policies and
procedures. Documentation can take various forms, including flowcharts, policy and procedure
manuals, internal control questionnaire, and narrative descriptions. No specific form of
documentation is required by the standards and the extent of documentation may vary
depending on the nature, size and complexity of the entity’s internal control system.

Note 3
The auditor should make his/her initial assessment of control risk based on the information
obtained from understanding the design of the client’s internal control and its implementation

Note 3.1
If based on the auditor’s knowledge about the client’s internal control, it appears that the
internal controls are unreliable in preventing and detecting material misstatements, the auditor
may assess control risk at a high level.

Note 3.2:
If control risk is assessed at a high level, the auditor will rely on substantive test procedures to
obtain audit evidence
PRE 302 –AUDITING AND ASSURANCE: Concepts and Application 1
Lecture Notes

Note 4
The auditor may assess control risk at low level, if it appears that the internal controls are
reliable in preventing and detecting material misstatements. With this assessment, the auditor
shall perform test of controls to determine the effectiveness of controls the auditor plans to
rely upon.

Note 5
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit
evidence whether those controls the auditor plans to rely upon are effective or ineffective.

Performing tests of control includes inquiry, inspection observation, and reperformance to

provide the auditor information about:
 How the controls were applied
 When the controls were applied
 Consistency of application
 By whom or by what means they were applied

Note 5.1
Based on the results of the tests of control, the auditor evaluates that the internal controls are
operating effectively. The conclusion reached as a result of this evaluation is called the
assessed level of control risk (final). The auditor uses the assessed level of control risk
(together with the assessed level of inherent risk) to determine the acceptable level of
detection risk that will affect the scope (N,T,E) of substantive test procedures.

The result of test of controls helps to reduce substantive audit procedures by relying on the
client’s internal controls. This is when auditors believe the client’s internal controls work
effectively in preventing or detecting the risks of material misstatements.

Note 5.2
Conversely, if based on the results of the tests of control, the auditor evaluates that the internal
controls are ineffective; the auditor should revise the initial assessment of control risk from low
to high. This result will let the auditor consider modifying the scope (N,T,E) of substantive test
procedures.

NEXT TOPIC:
 Substantive Testing
 Audit Evidence