Study and Evaluation of Internal

Control
Objective
To identify and assess the risks of material misstatements, whether due to
fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including its internal control.
 
Internal Control
It is the process designed effected by those charged with governance,
management and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives.

 a process
 a tool used by management
 involves people
 provides reasonable assurance
 geared toward the achievement of the entity’s objectives

           
            Effective and Efficient use of Resources                               ¬
Operations
            Preparation of reliable FS                                                       ¬
Financial reporting
            Compliance with applicable laws and regulations                ¬
Compliance
 
Internal Control System
Consists all the policies and procedures related to internal control processes
adopted by the management of an entity to assist in achieving management’s
objectives.
 
Components of Internal Control (CaR MICe) (CRIME)

1. Control Activities

Policies and procedures which are the actions of people to implement the
policies, to help ensure that management directives identified as necessary to
address risks are carried out.
 
Type of Control Activities

1. Performance Reviews
2. Information Processing. It is performed to check accuracy completeness,
an authorization of transactions.
3. General IT- Controls. Relate to many applications and support the effective
functioning of application controls by helping to ensure the continued
proper operation of information systems.

Example:
System software acqui.
Change and maintenance
Access security

4. Application Controls. Apply to the processing of individual applications.

These control help to ensure that transactions occurred are authorized,
complete, accurately recorded and processed.

Example:
Checking the arithmetical accuracy of records
Reviewing accounts and trial balances

5. Physical Controls

Physical security of assets to prevent theft.

 

6. Segregation of duties
     Assigning of different people the responsibility of authorizing, recording,
and custody.
 
Policies and Procedures
Policy is establishing what should be done.
Procedures defines the step by step process of action.
 

2. Risk assessment Process

It is the process for identifying and responding to business risks and the
results thereof.

 Risk Assessment. It is the identification and analysis of relevant risks to

achievement of the objectives

Risk Identification

 Risks rises as objectives increasingly differ from pat performance

 An iterative process
 clean sheet of paper approach

Risk Analysis and Management

1. Estimate the significance of a risk

2. Assess the frequency of the risk
3. Consider How the risk should be managed

 professional judgment
 consideration of cost

3. Monitoring of Controls

 It is the process used to assess the quality of internal control performance

over time.
 It is done to ensure that controls continue to operate effectively.
Methods for Monitoring Controls
Ongoing Activities

 The greater the degree and effectiveness of ongoing monitoring, the less
need for separate evaluations.
 Example: When reconciling operating reports and financial reports,
significant inaccuracies are likely to be spotted quickly.

Communications from external parties corroborate internally generated

information.
Appropriate organizational structures and supervisory activities provide
oversight of control functions and identification of deficiencies.
 
Separate Evaluations

 Frequency of performing separate evaluations is a matter of

management’s judgment.

4. Information System and Communication

 Consist of:
 Infrastructure (physical and hardware component)
 software
 people
 procedures
 data
 Can be formal or informal

Information Quality (actaC)

 Information is:
 accessible
 current – latest available
 timely – is it there when required
 accurate
 Content is appropriate

Communication
Providing an understanding of individual roles and responsibilities pertaining
to internal control over financial reporting.

5. Control Environment

It sets the tone of an organization influencing the control consciousness of its

people.
*It is primarily responsible for the prevention and detection of fraud and error
rests with both those charged with governance and the management of an
entity.
 
Elements

1. Communication and enforcement of integrity and ethical values.

Integrity

 A prerequisite for ethical behavior in all aspects of an enterprise’s activities

2. Commitment to competence

Competence

 Reflect the knowledge and skills needed to accomplish tasks that define
the individual’s job.

3. Participation by those charged with governance

4. Management’s Philosophy and Operating Style
5. Organizational Structure

 Provides the framework within which its activities for achieving entity-wide
objectives are planned, executed, controlled, and monitored.

6. Assignment of Authority and Responsibility

7. Human Resources Policies and Practices

Internal Control Evaluation in Financial Statement Audit (D’DORM)

1. Obtaining an understanding of Client’s Internal Control (IPPID)

2. Preliminary Review
 Understanding the industry in which the entity operates to determine risk of
material misstatement

2. Identifying transaction cycles

3. Documentation of understanding of internal control (FIN)

 Narrative. Written description of phases of accounting system

 Internal Control Questionnaires. Consists of a series of questions to
identify control points and techniques and detect control deficiencies
 Flow charts. Interrelated symbols which diagram the flow of transactions
or events through a system.

4. Performing a Transaction

 Walk through. To verify documentations and to familiarize the auditor with

the audit trail.

Assertions about classes of transactions and events for the period

under audit

1. Occurrence – transactions recorded have occurred and pertain to the entity

2. Completeness – Transactions that should have been recorded have been
recorded
3. Accuracy – amount of transactions recorded have been recorded properly
4. Cut-off – transactions have been recorded in the correct accounting period
5. Classification – transactions have been recorded in the proper accounts

Assertions about account balances at the period end

1. Existence – A, L, E interests exists

2. Rights and Obligations – the entity holds or controls the assets and
liabilities are the obligations of the entity
3. Completeness – all A, L, E that should have been recorded have been
recorded
4. Valuation and Allocation – A, L, E interests are included in the FS at
appropriate amounts and any resulting valuation or allocation adjustments
are appropriately recorded.

Assertions about presentation and disclosure

1. Occurrence and rights and obligations – disclosed events that should have
been included have been included
2. Completeness – all disclosures that should have been included have been
included
3. Classification and Understandability – financial and other information are
disclosed fairly and at appropriate amounts

2. Make a preliminary assessment of control risk

Control risk

 the combined assessment of control risk and inherent risk shall be the
basis for determining the nature, timing and extent of substantive test

 HIGH Control Risk Assessment

 high likelihood that significant misstatements exists in the FS because
internal controls are inadequate and cannot be relied upon
 LESS THAN HIGH Control Risk Assessment

3. Determine the Appropriate Response to the Assessed Risks

Overall Responses
Financial Statement Level

 the auditor should determine overall responses to assessed risks in order

to reduce audit risk to an acceptable low level

Assertion level

 design and perform further audit procedures (tests of controls and

substantive tests) to respond to assessed risks

 HIGH Preliminary Control Risk Assessment

 response should be to adopt the audit approach that relies primarily on
substantive tests (no reliance approach)
 LESS THAN HIGH Premium CRA
 the auditor anticipates using (reliance approach)
 two sets of audit programs are prepared

1. Rest of controls audit program

2. Substantive test audit program

Effect on
Preliminary Control Risk
Acceptable Audit Approach TOC? ST?
Assessment
Detection Risk

High | Maximum Decrease No Reliance No Yes

Less than High | Below

Increase Reliance Yes Yes
Maximum

CR  :  ¯DR

Tests of Controls

 used to test the effectiveness of the design or operation of a client’s

internal control policy or procedure is support of a “less than high” control
risk assessment
 applied only to those accounts on which the auditor intends to rely when
designing substantive tests of account balances

Control Deviations

 differences between what was expected and what actually occurred

Timing of tests of controls

 depends on the auditor’s objective and determines the period of reliance

on those controls

Extent of test of controls

reliance on the operating effectiveness of controls in the assessment of risk:
auditor’s test of controls
 rate of expected deviation from control
The auditor designs tests of controls to obtain sufficient appropriate audit
evidence that the controls operated effectively throughout the period of
reliance.

4. Reassess Level of Control Risk

Effect of Reassessment of Control Risk on the Audit Approach

 

Reassessment of Control Effect on ST Audit

Audit Approach
Risk Program

Less effective
procedures
CR assessment remains
at less than high | below Reliance Approach Interim testing may be
the maximum appropriate
Lower sample sizes

More effective
procedures
CR assessment is
Switch to No Reliance
changed to High or Tests moved to nearer or
Approach
Maximum at the year-end
Larger sample sizes

 
Documentation Requirements

Should the auditor document the…

Risk Assessment Basis for the

Understanding of Control Risk
control risk
Internal Control Assessment
assessment

High YES YES NO

Less than High YES YES YES

5. Determine the Nature, Timing and Extent of Substantive Tests

¯  assessed level of control risk

¯  evidence the auditor needs from substantive
tests

 
Regardless of the assessed levels of control risk, the auditor should perform
some substantive tests for significant account balances and transaction
classes
 
Nature of Tests of Control

1. Inquiry of client personnel

2. Observation of the application of policies and procedures
3. inspection (examination of documents)
4. Reperformance or recalculation