12/4/23

CHAPTER 3

INTERNAL CONTROL

LEARNING OBJECTIVES
v Understand what internal control system is and its importance.
v Identify the components of internal control system.
v Understand limitation of internal control
v Learn the types of tests of controls.
v Know how to assess and document the level of control risk.

1
 12/4/23

Contents

1 INTERNAL CONTROL SYSTEM – AN OVERVIEW

2 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT

INTERNAL CONTROL SYSTEM – AN OVERVIEW

DEFINITION

COMMITTEE OF SPONSORING ORGANIZATION (COSO)

vCOSO’s Internal Control — Integrated Framework was

first developed in 1992

vCOSO updated the Framework in 2013

2
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

DEFINITION
Internal control is a process, effected by an entity’s board of
directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
- Effectiveness and efficiency of operations.
- Reliability of reporting.
- Compliance with applicable laws and regulations.
(COSO Framework,1992)

INTERNAL CONTROL SYSTEM – AN OVERVIEW

DEFINITION

PROCESS
Effectiveness
Board of and efficiency
Directors of operations

Internal
Managers Control Reliability of
reporting

Staffs Compliance
HUMAN with OBJECTIVES
applicable
Reasonable laws and
Assurance regulations

3
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

FIVE COMPONENTS OF INTERNAL CONTROL

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ENVIRONMENT

The control environment consists of the actions, policies, and

procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about
internal control and its importance to the entity.

4
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ENVIRONMENT

Ø Integrity and ethical values

Ø Commitment to competence
Ø Board of directors or audit committee
participation
Ø Organizational structure
Ø Accountability

INTERNAL CONTROL SYSTEM – AN OVERVIEW

RISK ASSESSMENT
Ø Identify factors that may increase risk
Ø Estimate the significance of the risk
Ø Assess the likelihood of the risk occurring
Ø Determine actions necessary to manage the risk
ü Acceptance: no action is taken
ü Avoidance: exiting the activities giving rise to risk
ü Reduction: action is taken to reduce risk likelihood or impact, or both.
ü Sharing: reducing risk likelihood or impact by transferring or otherwise sharing
a portion of the risk.

10

5
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES

Control activities are the policies and procedures, in addition to

those included in the other four control components, that help
ensure that necessary actions are taken to address risks to the
achievement of the entity’s objectives
In term of purpose, control activities can be:
ü Preventive: procedures that prevent misstatements before they
occur
ü Detective: procedures that detect misstatements after they occur

11

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES

In term of functions, the categories of control activities are:

1. Adequate separation of duties
2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

12

6
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES -
Adequate separation of duties
Separation implies the number of people being involved in the
accounting process. This makes it more difficult for fraudulent
transactions and accidental errors to be processed

Three fundamental functions that must be separated:

ü Authorization: the delegation of initiation of transactions and
obligations on the company’s behalf
ü Custody: physical control over assets or records
ü Recording

13

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES
Proper authorization of transactions and activities

Transaction Approval Policies

General Specific
Authorization Authorization

14

7
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES -
Adequate documents and records

Ø Prenumbered consecutively

Ø Prepared at the time of transaction

Ø Designed for multiple use

Ø Constructed to encourage correct preparation

15

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES
Physical control over assets and records

The most important type of protective

measure for safeguarding assets and
records is the use of physical precautions.
ü Petty cash should be kept locked in a fireproof safe.
ü Raw material inventory should be retained in a locked storeroom
with a reliable and competent employee controlling access.
ü Manufacturing equipment should be kept in an area protected by
security and fire alarms and kept locked when not in use.

16

8
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

CONTROL ACTIVITIES
Independent checks on performance (Performance review)

Independent checks on performance by a third

party not directly involved in the activity

ü Reviews of actual performance versus budgets;

ü Surprise checks of procedures
ü Periodic comparisons of accounting records and physical assets
ü Review of functional or activity performance

17

INTERNAL CONTROL SYSTEM – AN OVERVIEW

INFORMATION AND COMMUNICATION

The purpose of an accounting information

and communication system

Initiate
Report Maintain
Record Accountability
transactions
for Related Assets
Process

18

9
 12/4/23

INTERNAL CONTROL SYSTEM – AN OVERVIEW

MONITORING

Monitoring activities deal with management’s

ongoing and periodic assessment of the
quality of internal control performance…

to determine whether controls are operating

as intended and modified when needed.

19

INTERNAL CONTROL SYSTEM – AN OVERVIEW

LIMITATION OF INTERNAL CONTROL

v Cost vs. Benefit
v Human error
v Collusion
v Management override

20

10
 12/4/23

MANAGEMENT ASSERTIONS

Management assertions are implied or expressed representations by

management about classes of transactions and the related accounts and
disclosures in the financial statements.

1. Assertions about classes of transactions and events for the

period under audit

2. Assertions about account balances at period end

3. Assertions about presentation and disclosure

21

MANAGEMENT ASSERTIONS

Transactions and Events Account Balances Presentation and Disclosure

COMPONENTS
Occurrence Existence Occurrence and rights
OF INTERNAL and obligations
CONTROL
Completeness Completeness Completeness
Accuracy Valuation and Accuracy and
allocation valuation
Classification Classification and
understandability
Cutoff
Rights and
obligations

22

11
 12/4/23

MANAGEMENT ASSERTIONS
Assertions about Classes of transactions and events
transactions and events that have been recorded have occurred and
Occurrence
pertain to the entity.
all transactions and events that should have been recorded have
Completeness
been recorded.
amounts and other data relating to recorded transactions and
Accuracy
events have been recorded appropriately

Classification transactions and events have been recorded in the proper accounts

transactions and events have been recorded in the correct

Cutoff
accounting period.

23

MANAGEMENT ASSERTIONS

Assertions about Account Balances

Existence assets, liabilities, and equity interests exist

all assets, liabilities, and equity interests that should have been
Completeness
recorded have been recorded.
assets, liabilities, and equity interests are included in the financial
Valuation and
statements at appropriate amounts and any resulting valuation
allocation
adjustments are appropriately recorded.
Rights and the entity holds or controls the rights to assets, and liabilities are
obligations the obligation of the entity.

24

12
 12/4/23

MANAGEMENT ASSERTIONS

Assertions about Presentation and Disclosure

Occurrence and
Disclosed events and transactions have occurred and pertain to the
rights and
entity
obligations
all disclosures that should have been included in the financial
Completeness
statements have been included.
Accuracy and Financial and other information is disclosed appropriately and at
valuation appropriate amounts.
Classification and Financial and other information is appropriately presented and
understandability described and disclosures are clearly expressed

25

INTERNAL CONTROL IN A FINANCIAL AUDIT

PROCESS FOR UNDERSTANDING INTERNAL CONTROL

AND ASSESSING CONTROL RISK

26

13
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

1. OBTAIN AND DOCUMENT UNDERSTANDING OF

INTERNAL CONTROL

Auditing standards require auditors to obtain

an understanding of internal control for every audit.

Procedures to obtain an understanding:

Ø Design of internal controls
Ø Whether placed in operation
Ø Uses this information as a basis for the integrated audit

27

INTERNAL CONTROL IN A FINANCIAL AUDIT

1. OBTAIN AND DOCUMENT UNDERSTANDING OF

INTERNAL CONTROL

Auditing standards require auditors to obtain

an understanding of internal control for every audit.

Purposes:
Ø Identify types of potential misstatements and factors that affect
the risks of material misstatement
Ø Design the nature, timing and extent of further audit procedures

28

14
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

1. METHODS TO OBTAIN UNDERSTANDING OF

INTERNAL CONTROL

Ø Update and evaluate auditor’s previous

experience with the entity
Ø Inquiry of client personnel
Ø Inspection of documents and records
Ø Observation of entity activities and operations
Ø Perform walk-throughs of the accounting system

29

INTERNAL CONTROL IN A FINANCIAL AUDIT

1. DOCUMENT UNDERSTANDING OF INTERNAL

CONTROL

Internal control
Narrative questionnaire Flowchart

WALK - THROUGH

30

15
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

2. ASSESS CONTROL RISK

CONTROL RISK is:

ü The risk that a misstatement that could occur
ü In an assertion about a class of transaction, account balance or disclosure
and
ü That could be material, either individually or when aggregated with other
misstatements,
ü Will not be prevented, or detected and corrected, on a timely basis by the
entity’s internal control.

31

INTERNAL CONTROL IN A FINANCIAL AUDIT

2. ASSESS CONTROL RISK (Preliminary)

Identify inherent risk from understanding

client business
Whether internal control system of client
can prevent, detect or correct these inherent
risk

Estimate the preliminary control risk

32

16
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

The procedures to test effectiveness of controls

in support of a reduced assessed control risk
are called tests of controls.

33

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

Procedures for Tests of Controls

Inquire of Examine
client personnel documents,
records, reports

Reperform Observe
client control-related
procedures activities

34

17
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

Procedures for Tests of Controls

1. Consists of seeking information of

Inquire of knowledgeable persons inside or
client personnel
outside the entity.
2. Interviews concerning the effectiveness
of controls.

35

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

Procedures for Tests of Controls

Observe 1. Consists of looking at a process or

control-related
procedure being performed by others
activities

36

18
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

Procedures for Tests of Controls

Examine
documents, 1. Consists of examining records,
records, reports documents, or tangible assets.
(Inspection)

37

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS

Procedures for Tests of Controls

Reperform 1. perform the task done by an employee

client
procedures to verify the result of the transaction

38

19
 12/4/23

INTERNAL CONTROL IN A FINANCIAL AUDIT

3. TESTS OF CONTROLS
Control activities

YES
Evidence trail?

Inspection NO

Observation
Inquiry
Reperformance

39

INTERNAL CONTROL IN A FINANCIAL AUDIT

DECIDE PLANNED DETECTION RISK AND

DESIGN SUBSTANTIVE TESTS

The auditor uses the control risk assessment

and results of tests of controls to determine
planned detection risk and related substantive
tests for the audit of financial statements.

40

20
 12/4/23

Thank you!

41

21