1

AUDITING AND ASSURANCE PRINCIPLE

Chapter 8: Understanding the Entity’s Internal Control

By

Miafe B. Almendralejo

Notre Dame of Midsayap College

College of Business and Accountancy
Midsayap, Cotabato
October 2022
 2

Chapter 8: Understanding the Entity’s Internal Control

1. Explain the importance of an effective system of internal control.

According to Cabarles et al. (2019), every organization, profit - oriented or not, exists to
accomplish some objectives, but there are many risks that may prevent from achieving those
objectives. To address these risks including risk of material misstatements of financial statements,
the entity establishes a system of internal control. Internal control compliance is put in place to
mitigate the risks to give the organization a better chance at achieving its objectives. Internal
controls are unique to every company and designed according to the company's size and structure.
Effective and efficient internal controls aim to meet company objectives and protect the company's
interests. Simply put, without an effective internal control system, the entity will not be able to
survive for long. (Cabarles et al. 2019)

Well designed internal control system keeps the organization operating efficiently and
effectively and the controls can help maintain compliance with regulations and ensure
organization’s resources are used for their intended purposes, minimizing the risk of misuse. Good
internal controls are essential to assuring the accomplishment of goals and objectives and still
protect employees and assets. Poor or excessive internal controls reduce productivity, increase the
complexity of processing transactions, increase the time required to process transactions and add
no value to the activities. It can significantly enhance the integrity of operations and improve
organizational outcomes and results to achieve sectoral goals.

The benefits of an internal control system include:

 Stronger accountability
 Ethical, economical, efficient and effective operations
 Improved ability to address risks to achieve general control objectives
 Better systems of responding to the needs of citizens; and
 Quality outputs and outcomes and effective governance.
 3

2. Relate understanding of internal control to risk assessment process.

For an effective audit, PSAs require the auditor to obtain an understanding of the entity’s
relevant internal control in order to identify and assess risk of material misstatement. (Cabarles et
al. 2019) Understanding internal controls will enlighten us that it is not only address risks to the
company but also reduce incurrences of unnecessary cost or effort. The goal in understanding your
company’s internal control is to evaluate whether you (management), with the oversight of those
charged with governance, have created and maintained a culture of honest and ethical behavior, as
well as assessing whether the control environment contains any deficiencies in established
processes. Risk assessment is the foundation of an audit. For auditors, it is how we come to
understand your company and plan our audit procedures to provide the most reliable information
for you and the users of your financial statements. As part of the understanding of internal control
the auditor should evaluate whether entity programs and controls that address identified risks of
material misstatement due to fraud have been suitably designed and placed in operation.

Internal controls and risk management are not goals in and of themselves. Rather, they are
the means a company can use to keep achieving its objectives in the modern business world.
Internal controls must always be considered when establishing and implementing corporate
initiatives to achieve objectives. Flaws in internal control can emerge when new initiatives are not
coordinated with risk management principles.

3. Discuss the audit procedures to obtain understanding of internal control.

 RAP or Risk Assessment Procedure

There are four steps under RAP that an auditor performs to obtain understanding of internal
control. It includes the following:

 Inquiring of Entity Personnel - the auditor's inquiries of management and others within
the entity are important because fraud often is uncovered through information received
in response to inquiries.
 4

 Observing the Application of Specific Control - the auditor may observe employees to
assure they are performing their tasks according to the appropriate regulations and
expectations. Auditors also observe business processes to evaluate internal controls.
Observing internal controls in the actual environment helps auditors determine the
effectiveness and efficiency of each internal control.
 Inspecting Documents and Reports - inspecting documents refers to the review of
relevant evidentiary documentation to test internal controls to determine whether
internal controls are effective and efficient. Relevant documents and records of the
entity should be inspected.
 Walkthrough Tests - A walkthrough provides a good understanding of the accounting
system and business processes, and helps to evaluate internal controls. The
walkthrough is the most effective way to understand the flow of transactions and the
likely sources of potential misstatement. (Zhang, 2016)

 Information Obtained in Prior Period Audits

The auditor should obtain sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the audit opinion.. Audit evidence, which is cumulative
in nature, includes audit evidence obtained from audit procedures performed during the course of
the audit and may include audit evidence obtained from other sources such as previous audits and
a firm’s quality control procedures for client acceptance and continuance.

 Discussions among the Audit Teams

Discussions among the engagement team is also called as “brainstorming” and it is critical
to an effective and efficient audit. The members of the engagement team should discuss the
susceptibility of the entity’s financial statements to material misstatements. The discussion
provides an opportunity for more experienced engagement team members, including the
engagement partner, to share their insights based on their knowledge of the entity, and for the team
members to exchange information about the business risks to which the entity is subject and about
how and where the financial statements might be susceptible to material misstatement.
 5

4. Discuss the nature of internal control.

Internal controls are processes designed, implemented, and maintained by those charged
with government, management, and other personnel to provide reasonable assurance about the
achievement of an entity’s objective with regard to reliability of financial reporting, effectiveness
and efficiency of operations, and compliance with applicable laws and regulations. (Cabarles et al.
2019) Also, to help safeguard an organization and minimize risk to its objectives, protect assets,
and ensure accuracy of records.

The ultimate purpose of internal control is to address entity's business risks. Business risk
refers to a risk resulting from significant conditions, events, circumstances, actions, or inactions
that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or
from the setting of inappropriate objectives and strategies. (Cabarles et al. 2019)

Hence, the following concepts about internal control can be deduced:

 Internal control is a process. Internal control is neither an end in itself nor a one-off
event, but a series of activities that allows an entity's unit to function effectively.
 Internal control is effected by people. All entity personnel are involved with internal
control; that is, from management formulating business objectives and strategies, as
overseen by TCWG, to security guards safeguarding the entity's premises. They
establish objectives and put controls in place.
 Internal control can only be expected to provide reasonable assurance, not absolute
assurance. As the saying goes: "There is no perfect system." The likelihood that
internal control addresses business risks is affected by inherent limitations.

5. Explain components of an effective internal control system.

There are five interrelated components of an internal control framework and these
components make up the minimum level of internal control a chapter needs to have in place and
are the basis against which internal control is evaluated.
 6

 Control Environment

It refers to the functions, attitudes, awareness, and actions of TCWG and management
concerning the internal control and its importance. The control environment, as established by the
organization's administration, sets the tone of an institution and influences the control
consciousness of its people. Leaders of each department, area or activity establish a local control
environment. This is the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include:

 Integrity and Ethical Value

 The Commitment to Competence
 Management’s Philosophy and Operating Style
 The Way Management Assigns Authority and Responsibility, Organizes and Develops
its People
 Human Resource Policies and Practices

 Risk Assessment Process

Risk assessment is the identification and analysis of relevant risks to achievement of the
objectives, forming a basis for determining how the risks should be managed. Because economics,
regulatory and operating conditions will continue to change, mechanisms are needed to identify
and deal with the special risks associated with change.

Chapter Leadership should be aware of potential high-risk areas and should look for high risk
where:

 There is a susceptibility to or history of waste, fraud, or errors

 Changes in the chapter’s organizational structure, systems, or personnel
 Controls have not been reviewed for a substantial period of time
 7

The process of identifying and analyzing risk is an ongoing process and is a critical
component of an effective internal control system. Attention must be focused on risks at all levels
and necessary actions must be taken to manage. Risks can pertain to internal and external factors.
After risks have been identified they must be evaluated.

Risk Assessment also assist whether the entity has a process of:

 Identifying business risks

 Estimating the significance of risks
 Assessing likelihood occurrence; and
 Deciding actions to address those risks.

 Information System and Communication

Pertinent information must be identified, captured and communicated in a form and time
frame that enables people to carry out their responsibilities. Effective communication must occur
in a broad sense, flowing down, across and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual activities relate
to the work of others. They must have a means of communicating significant information upstream.

Information System and Communication also assessing about:

 Transactions significant to F/S

 How transactions are initiated
 Accounting records and support
 Manner of processing transactions
 Financial reporting process and communication roles
 8

 Control Activities

Control activities are the policies and procedures that help ensure management directives
are carried out such as:

 Performance Reviews
 Information Processing
 Physical Controls
 Segregation of Duties

They help ensure that necessary actions are taken to address risks to achievement of the
entity's objectives. Control activities occur throughout the organization, at all levels, and in all
functions. They include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets and segregation of duties.

 Monitoring

Internal control systems need to be monitored - a process that assesses the effectiveness of
internal control or the quality of the system's performance over time. Ongoing monitoring occurs
in the ordinary course of operations, and includes regular management and supervisory activities,
and other actions personnel take in performing their duties that assess the quality of internal control
system performance.

The scope and frequency of separate evaluations depend primarily on an assessment of

risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should
be reported upstream, with serious matters reported immediately to top administration and
governing boards. Internal control systems change over time. The way controls are applied may
evolve. Once effective procedures can become less effective due to the arrival of new personnel,
varying effectiveness of training and supervision, time and resources constraints, or additional
pressures.
 9

6. Explain the two levels of internal control.

Internal controls are broadly categorized as entity-level or pervasive and transaction-level

or specific controls.

 Entity - Level (Pervasive) Control

Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout
the organization to mitigate risks threatening the organization as a whole and to provide assurance
that organizational objectives are achieved. (Fritzgerald, 2020) Entity-level controls are the
overriding controls for overseeing that management directives pertaining to the organization as a
whole are implemented and enforced.

These controls relate to entity’s overall operations. They typically address governance and
management and serve to establish the control environment or “tone at the top”. Entity-level
controls are the overriding controls for overseeing that management directives pertaining to the
organization as a whole are implemented and enforced. They may also be considered as higher-
level controls that are more general in nature or impact a broader audience. These controls define
an organization’s corporate culture and values.

They also relate to internal values as well as external forces such as laws, regulations, and
professional standards. The entity-level controls impact the way in which personnel operate and
operational processes are designed and implemented. (Fritzgerald, 2020)

 Transaction - Level (Specific) Controls

These are specific processes/controls designed to ensure that transactions are appropriately
recorded, accounting records are maintained accurately, receipts and expenditures are properly
authorized and unauthorized transactions are timely prevented or detected. (Cabarles et al. 2019)
 10

7. Explain the audit procedures in evaluating entity-level controls.

According to Cabarles et al. (2019), the auditor follows a top-down approach to

understanding internal control (i.e ., pervasive to specific controls) as entity-level controls provide
the foundation for all the other components of internal control. There is no point understanding
specific controls when pervasive controls are ineffective. For example, an entity may have
effective purchasing system, but if the bookkeeper is incompetent (a poor control environment),
many errors could still occur. Testing pervasive controls tend to be more subjective than testing
specific controls. Similar tests could be designed for other pervasive controls.

8. Discuss the typical transaction cycles of an entity.

Auditors traditionally obtain understanding of controls through the entity's transaction

cycles. Transaction cycles refer to certain business processes in which related transactions are
grouped. (Cabarles et al. 2019)

Understanding Internal Control Through Transaction Cycles transaction cycles are:

 Revenue and Receipt Cycle - refers to the processes of receipt of customer order,
extension of credit to customers, shipment of goods or rendering of services to
customers, and receipt cash.
 Purchasing and Payment Cycle - also known as “purchase to pay” business process.
This cycle relates to purchase and payment of goods and services to vendors.
 Personnel and Payroll Cycle - this cycle pertains to the processes of hiring employees,
receipt of their service, and payment of their compensation.
 Inventory and Production Cycle - encompasses the production of raw materials to
finished products for sale.
 Financing and Investing Cycle - two major business functions associated with this
cycle are receiving capital funds from investors and using capital funds for operations
or investing those funds temporarily until needed operations.
 11

9. Explain the internal considerations in smaller entities.

According to Cabarles et al. (2019), internal control varies with entity's size and complexity.
Smaller entities simpler processes and procedures to achieve their objectives. There are often few
employees because of resources constraint, which may limit:

 Segregation of Duties; and

 Paper Trail of Documentation.

Internal control in such entities often pertains to control environment (commitment to

ethical values, competence, attitude toward control, and its day to day actions) as opposed to
specific controls. However, the presence of highly involved owner-manager is often a control
strength and weakness. The control strength is that the person will be knowledgeable about all
aspects operations, and it is highly unlikely that material misstatements will not be addressed. The
control weakness is that there is an opportunity provided to person to override the internal control
for his/her own benefit.

10. Discuss the scope of auditor's understanding of internal control.

The auditor obtains only understanding of internal control relevant to audit which typically
relate to financial reporting objectives that address ROMM. For example, an airline's automated
controls that maintain flight schedules and unlikely relevant being operational in nature.
Additionally, a furniture manufacturer's controls for incidental sales of scrap materials that
accounts for less than 1% of total sales are unlikely to be relevant being immaterial, even these
relate to financial reporting objectives. (Cabarles et al. 2019)

Factors relevant to auditor’s judgment include:

 Materiality and significance of risk

 Size and nature of entity
 How a specific control prevents, or detects and corrects, material misstatement.
 12

11. Discuss the extent of auditor's understanding of internal control.

According to Cabarles et al. (2019), when obtaining an understanding of a control, the

auditor evaluates the design and implementation (D&I)-not the operating effectiveness (0E)-of a
control. The exhibit below compares understanding and testing, involving the D&l and OE, of a
control, and the audit procedures that address them.

 Evaluating D&I of a control (addresses by RAP) – considering whether the control is

capable of preventing or detecting and correcting, material misstatements, and
ascertaining it exists and the entity uses it.
 Testing OE of a control ( addressed by TOC) – evaluating whether the properly designed
and utilized control operates effectively in preventing, or detecting and correcting,
material misstatements.

The auditor first evaluates the design of a control before the implementation there is no
point assessing its implementation if it is not effectively designed. The auditor needs to evaluate
implementation aspect because, sometimes, a control may be properly designed but not actually
utilized. Hence, the auditor understanding covers both form (design) and substance
(implementation) control. (Cabarles et al. 2019) Evaluating D&l of a control is not sufficient to
test its OE, unless operating consistently because of IT automation. For example, evaluating D&l
of a control at a point in time does not provide evidence about its OE at other times. However, the
auditor may decide that it is efficient to test the OE of a control at the same time as evaluating its
D&I

12. Discuss the techniques to document auditor's understanding of internal control.

Audit documentation should be prepared in sufficient detail to provide a clear

understanding of its purpose, source, and the conclusions reached. Documentations in the working
papers may take the form of completed questionnaires, flowcharts, decision tables, and narrative
memoranda. Documentation of understanding of internal control includes three commonly used
methods such as:
 13

 Narrative

A narrative is a written description of a internal control, a proper narrative of an accounting

system and related controls include four characteristic:

 The origin of every document and record in the system

 All processing that takes place
 The disposition of every document and record in the system
 An indication of the controls relevant to the assessment of the controls relevant to the
assessment of control risk.

A narrative provides useful supplement to flowcharting documentation by detailing

existing practices. Independently, however narrative description do not serve as an effective tool
for process description - they can be lengthy and difficult to review, and typically are not
considered user friendly.

 Flowchart

An internal control flowchart is a system, of symbolic, diagrammatic, representation of the

client’s documents and their sequential flow in the organization. An adequate flowchart includes
some four characteristics identified for narratives.

A well prepared flowcharts are advantageous primarily because they provide a concise
overview of the clients system, which helps auditors to identify controls and deficiencies in the
clients system.

A flowchart provides a visual depiction of the entire accounting information system.

therefore, it more easily provides a system in its entirety. However control weaknesses do not
always standout. The auditor has to be able to walkthrough the system and spot locations where
weaknesses are present. Flowcharts have two advantages over narratives, typically, they are easier
to read and easier to update.
 14

 Internal control Questionnaire

An internal control questionnaire asks a set of questions about controls in each audit area
as a means of indicating to the auditor aspects of internal control that may be inadequate. In most
instances, it is designed to require a ‘yes’ or ‘no’ response, with no responses indicating potential
control deficiency. An effective ICQs documents comprise a carefully structured logically
sequenced series of questions that help auditors document processes and highlight control gaps,
strengths and deficiencies within a system. The two main disadvantages of questionnaires are their
inability to provide an overview of the system and their inapplication for some audits, especially
smaller ones.

13. Discuss the significance of walkthrough tests.

Walkthrough test involves tracing transactions through the information system relevant to
financial reporting. For example, tracing three purchases from purchase order to F/S reporting for
inquiry and observation. (Cabarles et al. 2019)

The test can reveal system deficiencies and material weaknesses that would need to be
rectified by the organization as soon as possible. Walkthroughs tell us where risks are so we can
plan our engagements to detect material misstatements. Additionally, they allow us to add value
to our audits. Clients want more than just an opinion. They desire to keep assets safe and to
maintain accurate records. Well written management letters that highlight control weaknesses
allow you to do just that.

Walkthrough tests are normally done after initially documented understanding d

transaction cycles to confirm auditor's understanding and verify "what can go wrongs" (WCGWs)
that are potentially ROMM. Walkthrough tests should be done every audit year to determine
relevance o prior periods information intended to be used for the current year.
 15

14. Explain the deficiencies of internal control.

The auditor shall determine whether internal control deficiencies have been identified. A
deficiency in internal control over financial reporting exists when the design or operation of a
control does not allow management or employees, in the normal course of performing their
assigned functions, to prevent or detect misstatements on a timely basis. Deficiency in internal
control exists when a control is unable to prevent, or detect and correct, F/S timely or a necessary
control is missing.

A control may have deficiency in its (a) design or (b) operation. A design deficiency exists
when a necessary control is (a) missing or (b) existing but not properly designed. An operation
deficiency exists when a properly designed control (a) does not operate as designed, or (b) the
person performing the control does not possess the necessary authority or competence. The auditor
could uncover operation deficiency during the performance of TOC.

According to Cabarles et al. (2019), the auditor shall timely communicate significant
deficiencies and material weaknesses in internal control in writing to management and TCWG.
This communication is typically contained in a management letter ( the "by-product" of audit)
together with auditor's constructive suggestions not included in the auditor's report.
 16

References

An Audit of Internal Control. (2022). Public Company Accounting Oversight Board. Retrieved
October 7, 2022, from https://pcaobus.org/oversight/standards/archived-standards/pre-
reorganized-auditing-standards-interpretations/details/

Cabarles, L. R., Ocampo, R.R., Valdez, R.M. (2019). Auditing: A risk-based approach part 1 -
theory, 838 Padre Campa St., Sampaloc, Manila: Domedane Publisher

Fitzgerald, N. (2020, June 23). Entity Level Controls: Five issues caused by weak or non-existent
controls in place. Retrieved October 7, 2022, from
https://blog.freedmaxick.com/summing-it-up/entity-level-controls-//

Internal Control Compliance: 7 Reasons to Maintain Your Program. (2018, April 17) AuditBoard
Inc. Retrieved october 7,2022, from https://www.auditboard.com/blog/7-reasons-to-
maintain-your-internal-controls-compliance-program/

Mcgrady, CJ. (2018, November 20). Understanding audit risk assessment procedures. Retrieved
October 7, 2022, from https://www.hhcpa.com/blogs/audit-accounting/audit-risk-
assessment-procedures/

Risks of Material Misstatement. (2010, December 15). Public Company Accounting Oversight
Board. Retrieved October 7, 2022, from https://pcaobus.org/oversight/standards/archived-
standards/pre-reorganized-auditing-standards-interpretations-details/

The importance of good internal controls (n.d.) Office of internal audit, University of Florida.
Retrieved October 7, 2022, from http://www.oia.ufl.edu/home/information-and-
resources/internal-controls/the-importance-of-good-internal-controls/

Zhang, E. (2016, May 18). How to Test Your Internal Controls. Retrieved October 7, 2022, from
https://www.carrtegra.com/2016/05/test-internal-controls/