Audit ch-4

This document discusses internal control, including its meaning, major components, and how auditors consider it. It defines internal control as a process designed to provide reasonable assurance regarding an entity's objectives in operations, financial reporting, and compliance. The five major components of an entity's internal control structure are the control environment, risk assessment, information and communication systems, control activities, and monitoring. It discusses each of these components in detail.

Chapter Four: Internal Control

4.1 Introduction

4.2 The Meaning Of Internal Control

4.3 Means Of Achieving Internal Control


4.4 The Control Environment

4.5 Risk Assessment

4.6 Control Activities

4.7 Limitations Of Internal Control

4.8 The Auditors' Consideration Of Internal Control


4.1 Introduction
This chapter has three major objectives:
• First, to explain the meaning and significance of internal control.
• Second, to discuss the major components of a client's internal control structure.
• Third, to show how auditors go about obtaining an understanding of internal control to meet the requirements of the second standard of field work.
• As discussed in principles of accounting courses, internal control has attained greatest significance in large-scale business organizations.
• Accordingly, dealing with the problem of achieving internal control in a small business.

4.2 The Meaning Of Internal Control
• Differences of opinion have long existed about the meaning and objectives of internal control.
• Many people interpret the term internal control as the steps taken by a business to prevent fraud, both employee fraud and fraudulent financial reporting.
• Others, while acknowledging the importance of internal control for fraud prevention, believe that internal control has an equal role in assuring control over manufacturing and other processes.
• Such differences in interpretation also exist in the professional publications issued by the AICPA, the Institute of Internal Auditors, Inc., and the Research Foundation of the Financial Executives Institute.
• It was in 1990 and after that the various professional organizations worked together to develop a consensus on the nature and scope of internal control.

• As a result of a number of instances of fraudulent financial reporting in the 1970s and early 1980s, the major accounting organizations sponsored the National Commission on Fraudulent Financial Reporting (the Treadway Commission) to study the causal factors that are associated with fraudulent reporting, and to make recommendations to reduce its incidence.
• The Commission made a number of recommendations that directly addressed internal control.
• For example, it emphasized the importance of a competent and involved audit committee and an active and objective internal audit function in preventing fraudulent practices.

• It also called on the sponsoring organizations to work together to integrate the various internal control concepts and definitions and to develop common criteria to evaluate internal control.
• As a result, the Committee of Sponsoring Organizations (COSO) commissioned a study for that purpose, and its report, titled Internal Control-Integrated Framework, was issued in 1992.
The purposes of the study are to:
• Establish a common definition of internal control to serve the needs of different parties.
• Provide a standard against which business and other entities can assess their control systems and determine how to improve them.

The Study Defines Internal Control As:
• A process, effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations.
– Reliability of financial reporting.
– Compliance with applicable laws and regulations.
• This definition is important to auditors because it is being incorporated into the Statements on Auditing Standards that govern the auditors' consideration of internal control.
• COSO's definition of internal control (IC) emphasizes that internal control is a process, or a means to an end, and not an end in and of itself.
• The process is effected by individuals, not merely policy manuals, documents, and forms.
• By including the concept of reasonable assurance, the definition recognizes that no IC structure can realistically provide absolute assurance that an organization's objectives will be achieved.
• Reasonable assurance recognizes that the cost of an organization's internal control should not exceed the benefits expected to be derived.

• Finally, the definition of internal control is comprehensive in that it addresses the achievement of objectives in the areas of operations, financial reporting, and compliance with laws and regulations.
• It includes the methods by which top management delegates authority and assigns responsibility for such functions as selling, purchasing, accounting, and production.
• Internal control also includes the program for preparing, verifying, and distributing to various levels of management those current reports and analyses that enable executives to maintain control over the variety of activities and functions that are used by a large organization.

• The use of budgetary techniques, production standards, inspection laboratories, time and motion studies, and employee training programs involves engineers and many others far removed from accounting and financial activities; yet all of these devices are a part of internal control.
• Although internal control is broadly defined, not all of the internal control structure policies and procedures are relevant to an audit of financial statements.
• Generally, the internal control structure policies and procedures that are relevant to an audit are those that pertain (relate) to the reliability of financial reporting.

• That is, those that affect the preparation of financial information for external reporting purposes. However, other policies and procedures may be relevant if they affect the reliability of data that the auditors use to apply auditing procedures.
• For example, controls applicable to nonfinancial data that the auditors use in performing analytical procedures (e.g. production statistics) may be relevant to an audit.
• Also, internal control structure policies and procedures designed to safeguard assets against loss from errors and irregularities are ordinarily relevant to an audit.

4.3 Means Of Achieving Internal Control
• For purposes of financial statement audits, the policies and procedures used by an entity to achieve internal control are referred to as the entity's internal control structure.
• Internal control structures vary significantly from one organization to the next, depending on such factors as the size, nature of operations, and objectives of the organization for which the structure was designed.
• Yet certain features are essential to satisfactory internal control in almost any large-scale organization.

Five Components of Internal Control
The internal control structures of all large organizations include five components:
(1) The Control Environment
(2) Risk Assessment
(3) The (Accounting) Information and Communication System
(4) Control Activities
(5) Monitoring

1. The Control Environment
• The control environment sets the tone (quality) of an organization by influencing the control consciousness of people.
• It may be viewed as the foundation for the other components of internal control.
Control environment factors include:
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors or Audit Committee
• Management's Philosophy and Operating Style
• Organizational Structure
• Human Resource Policies and Practices
• Assignment of Authority and Responsibility

Integrity and Ethical Values
• The effectiveness of the internal control structure depends directly upon the integrity and ethical values of the personnel who are responsible for creating, administering, and monitoring that structure.
• Management should establish behavioral and ethical standards that discourage employees from engaging in dishonest, unethical, or illegal acts.
• To be effective, these standards must be effectively communicated by appropriate means, including official policies, codes of conduct, and by example.
• Another way to reduce the incidence of improper behavior is to remove or reduce the temptations and incentives to engage in such behavior, such as preparing fraudulent financial reports when placed under undue pressure to meet unrealistic performance goals.

Commitment to Competence
• To be considered competent, employees must possess the skills and knowledge essential to the performance of their job.
• If employees are lacking in skills or knowledge, they may be ineffective in performing their assigned duties.
• This is especially critical when the employees are involved in applying internal control policies and procedures.
• Ideally, management should be committed to hiring employees with appropriate levels of education and experience, and providing them with adequate supervision and training.

Board of Directors or Audit Committee
• The control environment of an organization is significantly influenced by the effectiveness of its board of directors or the audit committee.
• Factors that bear on the effectiveness of the board or audit committee include the extent of its independence from management, the experience and stature of its members, the extent to which it raises and pursues difficult questions with management, and its interaction with the internal and external auditors.
• The audit committee of the board of directors should be composed of outside directors, who are neither officers nor employees of the organization.
• This enables the audit committee to be effective at overseeing the quality of the organization's financial reports, and acting as a deterrent to management override of internal controls and to management fraud.

Management Philosophy and Operating Style
• Managements differ in both their philosophies toward financial reporting and their attitudes toward taking business risks.
• Some managements are extremely aggressive in financial reporting and place great emphasis on exceeding earnings projections, and may be willing to undertake activities of high risk with the prospect of high return, but others may be conservative and risk averse.
• These differing philosophies and operating styles may have an impact on the overall reliability of the financial statements.
• Internal controls in an informal organization are often implemented by face-to-face contact between employees and management.
• A more formal organization will establish written policies, performance reports, and exception reports to control its various activities.

Organizational Structure
• Another control environment factor is the entity's organizational structure.
• A well-designed organizational structure provides a basis for planning, directing, and controlling operations.
• It divides authority, responsibilities, and duties among members of an organization by dealing with such issues as decision making and appropriate segregation of duties among the various departments.
• When management decision making is centralized and dominated by one individual, that individual's moral character is extremely important to the auditors.
• When a decentralized style is used, procedures to monitor the decision making of the many managers involved become equally important.
• The organizational structure of an entity should separate responsibilities for:
– (1) authorization of transactions,
– (2) record keeping for transactions, and
– (3) custody of assets.
• In addition, to the extent possible, execution of the transaction should be segregated from these other responsibilities.
• The effectiveness of such a structure is usually obtained by having designated department heads who are evaluated; the major departments should be of equal rank and should report directly to the president or to an executive vice president.

Responsibilities of Finance and Accounting Departments
• Finance and accounting are the two departments most directly involved in the financial affairs of a business enterprise.
• The division of responsibilities between these departments illustrates the separation of the accounting function from operations and also from the custody of assets.
• The finance department is responsible for financial operations and custody of liquid assets.
• Its responsibilities include planning future cash requirements, establishing customer credit policies, and arranging to meet the short- and long-term financing needs of the business.
• In short, it is the finance department that conducts financial activities.
• The accounting department, under the authority of the controller, is responsible for all accounting functions and the design and implementation of internal control.

Human Resource Policies and Procedures
• Ultimately, the effectiveness of an internal control structure is affected by the characteristics of the organization's personnel.
• Thus, management's policies and practices for hiring, training, evaluating, promoting, and compensating employees have a significant effect on the effectiveness of the control environment.
• Effective human resource policies often can mitigate other weaknesses in the control environment.
• Effective human resource management is not a guarantee against losses from dishonest employees; it is often the most trusted employees who engineer large embezzlements.

Assignment of Authority and Responsibility
• Personnel within an organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions.
• Therefore, to enhance the control environment, management develops employee job descriptions and clearly defines authority and responsibility within the organization.
• Policies also may be established describing appropriate business practices, knowledge and experience of key personnel, and the use of resources.

2. Risk Assessment
• When considering the financial reporting objective, these risks include the threats to preparing financial statements in accordance with generally accepted accounting principles.
For example, the following factors might be indicative of increased financial reporting risk:
• Changes in the organization's regulatory or operating environment.
• Changes in personnel.
• Implementation of a new or modified information system.
• Rapid growth of the organization.
• Changes in technology affecting production processes or information systems.
• Introduction of new lines of business, products, or processes.
• Auditors are concerned only with the levels of inherent risk and control risk that affect the organization's ability to produce financial statements that are in accordance with GAAP.

3. Accounting Information & Communication System
• Information and communication systems capture, process, and report information to be used by parties both within and outside the organization.
• An organization's accounting information system consists of the methods and records established to identify, assemble, analyze, classify, record, and report an entity's transactions and to maintain accountability for the related assets.
Accordingly, an accounting information system should:
• Identify and record all valid transactions.
• Describe transactions on a timely basis in detail to permit proper classification for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value.
• Determine the time period in which transactions occurred.
• Present properly the transactions and related disclosures in the financial statements.

• In addition to the typical system of journals, ledgers, and other record keeping devices, an accounting information system should include a chart of accounts and a manual of accounting policies and procedures as aids for communication of policies.
• A chart of accounts is a classified listing of all accounts in use, accompanied by detailed descriptions of the purpose and content of each.
• The chart of accounts and manual of accounting policies and procedures should provide clear guidance that will allow proper and uniform handling of transactions.
• Personnel that process information should understand how their activities relate to the work of others, and the importance of reporting exceptions and other unusual items to an appropriate level of management.

4. Control Activities
• Control activities are policies and procedures that help to ensure that management directives are carried out.
• Those policies and procedures help to ensure that actions are taken to address the risks that face the organization.
• While there are many different types of control activities performed in an organization, only the following types are generally relevant to an audit of the organization's financial statements:
– Performance reviews.
– Information processing.
– Physical controls.
– Segregation of duties.

Performance Reviews
These controls include:
• Reviews of actual performance as compared to budgets, forecasts, and prior period performance.
• Relating different sets of data to one another.
• Performing overall reviews of performance.
• Performance reviews provide management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization.
• By investigating the reasons for unexpected performance, management may make timely changes in strategies and plans, or take other appropriate corrective action.

Information Processing
• A variety of control activities are performed to check the accuracy, completeness, and authorization of transactions.
• The two broad categories of information processing controls are general controls, which apply to all information-processing activities, and application controls, which apply only to a single application.
• For example, general controls include those that restrict access to the entire accounting information system.
• To understand the nature of application controls, consider the controls over payroll that help to ensure that (1) only authorized payroll transactions are processed, and (2) authorized payroll transactions are processed completely and accurately.

• An important aspect of information processing controls is the proper authorization of all types of transactions. Authorization of transactions may be either general or specific.
• General authorization occurs when management establishes criteria for acceptance of a certain type of transaction.
• For example, top management may establish general price lists and credit policies for new customers. Transactions with customers that meet these criteria can then be approved by the credit department.
• Specific authorization occurs when transactions are authorized on an individual basis.
• An internal control device of wide applicability is the use of serial numbers on documents. Serial numbers provide control over the number of documents issued.
• Checks, tickets, sales invoices, purchase orders, stock certificates, and many other business papers can be controlled by using serial numbers.
• For some documents, such as checks, it may be desirable to account for the sequence used by a monthly or weekly inspection of the documents issued.
• For other documents, as in the case of serially numbered admission tickets, control may be achieved by noting the last serial number issued each day, and thereby computing the total value of tickets issued during the day.

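
Added example (not part of the original slides): the two serial-number controls described above, written as Python. One function accounts for every number in an issued block of checks; the other computes the day's ticket value from the closing serial number. Function names, the sample serials, the ticket price and the cash comparison are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SequenceReport:
    missing: list        # issued serials with no document on file
    duplicates: list     # serials that appear on more than one document
    out_of_range: list   # serials on file that were never issued


def account_for_sequence(first_issued, last_issued, recorded):
    """Account for every serial in an issued block of pre-numbered documents."""
    if last_issued < first_issued:
        raise ValueError("issued block is empty or reversed")
    counts = Counter(recorded)
    issued = range(first_issued, last_issued + 1)
    return SequenceReport(
        missing=[n for n in issued if n not in counts],
        duplicates=sorted(n for n, c in counts.items() if c > 1),
        out_of_range=sorted(n for n in counts if n not in issued),
    )


def ticket_value_issued(prev_last_serial, last_serial_today, price):
    """Value of tickets issued today, from yesterday's and today's closing serial."""
    if last_serial_today < prev_last_serial:
        raise ValueError("closing serial is below the previous closing serial")
    return (last_serial_today - prev_last_serial) * price


def cash_difference(prev_last_serial, last_serial_today, price, cash_counted):
    """Cash counted minus the value of tickets issued (negative means a shortage).

    Comparing the computed value with the cash count is an assumed follow-up
    step; the slides only describe computing the value of tickets issued.
    """
    expected = ticket_value_issued(prev_last_serial, last_serial_today, price)
    return cash_counted - expected


# Constructed sample: checks 1001-1008 were issued during the month; these are
# the serial numbers found on the documents inspected at month end.
CHECKS_ON_FILE = [1001, 1002, 1004, 1005, 1005, 1007, 1012]

if __name__ == "__main__":
    print(account_for_sequence(1001, 1008, CHECKS_ON_FILE))
    # Constructed sample: yesterday closed at ticket 4510, today at 4695.
    print(ticket_value_issued(4510, 4695, Decimal("12.50")))
    print(cash_difference(4510, 4695, Decimal("12.50"), Decimal("2287.50")))
```
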
Physical Control
• These control activities include the physical control over both records and other assets.
• Safeguarding of records may include maintaining control at all times over issued pre-numbered documents, as well as other journals and ledgers, and restricting access to computer programs and data files.
• Only individuals who are authorized should be allowed access to the company's assets.
• Direct physical access to assets may be controlled through the use of safes, locks, fences, and guards.
• Periodic comparisons should be made between accounting records and the physical assets on hand.

Segregation of Duties
• No one department or person should handle all aspects of a transaction from beginning to end.
• No one individual should perform more than one of the functions of authorizing transactions, recording transactions, and maintaining custody over assets.
• Top management may authorize the sale of merchandise at specified credit terms to customers who meet certain requirements.
• The credit department may approve the sales transactions by ascertaining that the extension of credit and terms of sale are in compliance with company policies.
• Once the sale is approved, the shipping department executes the transaction by obtaining custody of the merchandise from the inventory stores department and shipping it to the customer.
• The accounting department uses copies of documentation created by the sales, credit, and shipping departments as a basis for recording the transaction and billing the customer.

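
Added example (not part of the original slides): a check of the two segregation-of-duties rules stated above, run over a log of who performed each function on each sales transaction. It flags a person who performed more than one of authorization, record keeping and custody, and a department that handled all three. The log layout, employee ids and transaction ids are assumptions constructed for illustration.

```python
from collections import defaultdict

# The three functions the slides say must be kept apart.
INCOMPATIBLE = frozenset({"authorization", "record_keeping", "custody"})


def find_sod_conflicts(steps):
    """Return segregation-of-duties conflicts found in a transaction log.

    steps: iterable of (transaction_id, function, employee, department).
    Each conflict is (transaction_id, "person" | "department", who, functions).
    """
    by_person = defaultdict(set)   # (txn, employee)   -> functions performed
    by_dept = defaultdict(set)     # (txn, department) -> functions performed
    for txn, function, employee, department in steps:
        if function not in INCOMPATIBLE:
            raise ValueError(f"unknown function: {function!r}")
        by_person[(txn, employee)].add(function)
        by_dept[(txn, department)].add(function)

    conflicts = []
    # Rule 1: no one individual performs more than one of the functions.
    for (txn, employee), funcs in by_person.items():
        if len(funcs) > 1:
            conflicts.append((txn, "person", employee, tuple(sorted(funcs))))
    # Rule 2: no one department handles the transaction from beginning to end.
    for (txn, department), funcs in by_dept.items():
        if funcs == INCOMPATIBLE:
            conflicts.append((txn, "department", department, tuple(sorted(funcs))))
    return sorted(conflicts)


# Constructed sample log, following the credit-sale flow on the slide:
# credit approves, shipping takes custody, accounting records.
SALES_LOG = [
    # S-100: properly segregated
    ("S-100", "authorization", "E01", "Credit"),
    ("S-100", "custody", "E03", "Shipping"),
    ("S-100", "record_keeping", "E05", "Accounting"),
    # S-101: the shipping clerk also recorded the sale
    ("S-101", "authorization", "E01", "Credit"),
    ("S-101", "custody", "E03", "Shipping"),
    ("S-101", "record_keeping", "E03", "Shipping"),
    # S-102: three different people, but all in one department
    ("S-102", "authorization", "E02", "Shipping"),
    ("S-102", "custody", "E03", "Shipping"),
    ("S-102", "record_keeping", "E04", "Shipping"),
]

if __name__ == "__main__":
    for conflict in find_sod_conflicts(SALES_LOG):
        print(conflict)
```
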
4.7 Limitations Of Internal Control
• Internal control can do much to protect against both errors and irregularities and ensure the reliability of accounting data.
• Still, there are inherent limitations in any internal control structure. Mistakes may be made in the performance of internal control policies and procedures as a result of misunderstanding of instructions, mistakes of judgment, carelessness, distraction, or fatigue.
• Finally, control activities dependent upon separation of duties may be circumvented by collusion among employees.
• The extent of the internal controls adopted by a business also is limited by cost considerations.
• It is not feasible from a cost standpoint to establish a control structure that provides absolute protection from fraud and waste; reasonable assurance in this regard is the best that generally can be achieved.

4.8 The Auditors' Consideration Of Internal Control
• The second standard of fieldwork states: A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing, and extent of the tests to be performed.
• The auditors' understanding of their clients' internal control provides a basis both to (1) plan the audit, and (2) assess control risk.
• In planning an audit it is essential that the auditors have a sufficient understanding of the client's internal control structure.
• This encompasses both an understanding of the design of the policies, procedures, and records, and knowledge of whether they have been placed in operation by the client.

• The auditors' consideration of internal control also provides a basis for their assessment of control risk: the risk that material misstatements will not be prevented or detected by the client's internal control structure.
• If the auditors determine that the client's internal control is effective, they will assess control risk to be low.
• They can then accept a higher level of detection risk, and substantive testing can be decreased. Conversely, if internal controls are weak, control risk is high and the auditors must increase the scope of their substantive tests to limit the level of detection risk.
• Therefore, the auditors' understanding of internal control is a major factor in determining the nature, timing, and extent of substantive testing necessary to verify the financial statement assertions.

Obtaining an Understanding of the Internal Control Structure
• In every audit the auditors must obtain an understanding of the internal control structure sufficient to plan the audit.
In planning the audit, the knowledge is used to:
• 1. Identify types of potential misstatements.
• 2. Consider factors that affect the risk of material misstatement.
• 3. Design substantive tests.
• In making a judgment about the necessary understanding of the internal control structure, the auditors consider knowledge related to the above three factors.

• Auditors also consider their assessment of inherent risk, judgments about materiality, and the nature of the entity's operations.
• In any case the auditors' understanding of the internal control structure must encompass the:
– control environment,
– risk assessment,
– the accounting information and communications system,
– control activities, and monitoring.

The Control Environment
• The auditors must obtain sufficient knowledge to understand management's attitudes, awareness, and actions concerning the control environment.
Risk Assessment:
• Auditors must obtain sufficient knowledge of the risk assessment process to understand how management considers risks relevant to financial reporting objectives, estimates their significance, assesses the likelihood of their occurrence, and decides on actions to address those risks.

The Accounting Information and Communication System:
• To understand the accounting information system, the auditors must first understand the major types of transactions engaged in by the entity.
• Next, the auditors must become familiar with the treatment of those transactions, including how they are initiated, the related accounting records, and the manner in which the transactions are processed.
• Finally, auditors must understand the financial reporting process used to prepare financial statements, including the approaches used to develop accounting estimates.
• In obtaining an understanding of the client's accounting information system and the related control activities, auditors generally find it useful to divide the overall system into its major transaction cycles.
• The term transaction cycle refers to the policies and the sequence of procedures for processing a particular type of transaction.

For example, the accounting system in a manufacturing business might be subdivided into the following major transaction cycles:
• 1. Revenue (or sales and collections) cycle: including procedures and policies for obtaining orders from customers, approving credit, shipping merchandise, preparing sales invoices (billing), recording revenue and accounts receivable, and handling and recording cash receipts.
• 2. Acquisition (or purchases and disbursements) cycle: including procedures and policies for initiating purchases of inventory, other assets, and services; placing purchase orders, inspecting goods upon receipt, and preparing receiving reports; recording liabilities to vendors; authorizing payment; and making and recording cash disbursements.
• 3. Conversion (production) cycle: including procedures and policies for storing materials, placing materials into production, assigning production costs to inventories, and accounting for the cost of goods sold.
• 4. Payroll cycle: including procedures and policies for hiring, terminating, and determining pay rates; timekeeping; computing gross payroll, payroll taxes, and amounts withheld from gross pay; maintaining payroll records; and preparing and distributing paychecks.
• 5. Financing cycle: including procedures and policies for authorizing, executing, and recording transactions involving bank loans, leases, bonds payable, and capital stock.
• 6. Investing cycle: including procedures and policies for authorizing, executing, and recording transactions involving investments in fixed assets and securities.

Monitoring
• Finally, the auditors should obtain a sufficient understanding of the entity's monitoring methods relating to financial reporting to understand how those activities are used to initiate actions to address inadequate performance.
• The auditors will also consider how the work of the internal auditors contributes to the internal control structure.

Sources of Information about Internal Control:
• Auditors obtain information about internal control by inquiry of appropriate client personnel, inspecting various entity documents and records, and observing control activities and operations as they are performed.
• Auditors may ascertain the duties and responsibilities of client personnel by inspecting organization charts and job descriptions, and interviewing client personnel.
• Many clients have procedures manuals and flowcharts describing the approved practices to be followed in all phases of operations.
• Another excellent source of information is in the reports, working papers, and audit programs of the client's internal auditing staff.
• The auditors' understanding of the internal control structure encompasses not only the design of the policies and procedures, but also whether they have been placed in operation.
• The term placed in operation means that the policy or procedure actually exists and is in use; that is, it does not just exist in theory or on paper.

• While obtaining an understanding of internal control, the auditors may also obtain evidence about the operating effectiveness of various controls.
• Operating effectiveness deals with:
– (1) how a control is applied,
– (2) the consistency with which it is applied, and
– (3) who applies the control.
• The distinction between knowing that a control has been placed in operation and obtaining evidence on its operating effectiveness is important.
• To properly plan the audit, auditors are required to determine that the major controls have been placed in operation; they are not required to evaluate their operating effectiveness.
• However, if the auditors wish to assess control risk at a level lower than the maximum, they must have evidence of the operating effectiveness of the controls.

Document the Understanding of the Internal Control Structure
• As the independent auditors obtain a working knowledge of the internal control structure to plan the audit, they must document the information in their working papers.
• The form and extent of this documentation is affected by the size and complexity of the client, as well as the nature of the client's internal control structure.
• The documentation usually takes the form of internal control questionnaires, written narratives, or flowcharts.

Internal Control Questionnaire:
• The traditional method of describing an internal control structure is to fill in a standardized internal control questionnaire.
• The questionnaire usually contains a separate section for each major transaction cycle, enabling the work of completing the questionnaire to be divided conveniently among several audit staff members.
• Most internal control questionnaires are designed so that a "no" answer to a question indicates a weakness in internal control.
• In addition, questionnaires may provide for a distinction between major and minor control weaknesses, indication of the sources of information used in answering questions, and explanatory comments regarding control deficiencies.
• A disadvantage of standardized internal control questionnaires is their lack of flexibility.

• They often contain many questions that are "not applicable" to specific systems,
particularly systems for small companies.

• Also, a situation in which an internal control strength compensates for a weakness in the
structure may not be obvious from examining a completed questionnaire.

• An internal control questionnaire is intended as a means for the auditors to document
their understanding of internal control.

• If completion of the questionnaire is regarded as an end in itself, there may be a
tendency for the auditors to fill in the "yes" and "no" answers in a mechanical manner,
without any real understanding or study of the transaction cycle.

• For this reason, some public accounting firms prefer to use written narratives or
flowcharts in lieu of, or in conjunction with, questionnaires.


• Written Narrative of Internal Control: Written narratives are memoranda that
describe the flow of transaction cycles, identifying the employees performing various
tasks, documents prepared, records maintained, and the division of duties.
• Flowcharts of Internal Control: Many CPA firms consider systems flowcharts to be
more effective than questionnaires or narrative descriptions in documenting their
understanding of a client's accounting information system and the related control
activities.
• A systems flowchart is a diagram, a symbolic representation of a system or a series of
procedures with each procedure shown in sequence.
• To the experienced reader a flowchart conveys a clear image of the system, showing the
nature and sequence of procedures, division of responsibilities, sources and distribution
of documents, and types and location of accounting records and files.

• Flowcharts usually begin in the upper left-hand corner; directional flow lines
then indicate the sequence of activity.
• The normal flow of activity is from top to bottom and from left to right.

• The advantage of a flowchart over a questionnaire or a narrative is that a
flowchart provides a clearer, more specific portrayal of the client's system.
• There is less opportunity for misunderstanding, blank spots, or ambiguous
statements when one uses lines and symbols rather than words to describe
internal control.
• Furthermore, in each successive annual audit, updating a flowchart is a simple
process requiring only that the auditors add or change a few lines and symbols.

• A flowchart may not provide so clear a signal that a particular internal control is absent or is not being properly
enforced.

• For that reason, some CPA firms use both flowcharts and questionnaires to describe internal control. The
flowchart clearly depicts the system, while the questionnaire serves to remind the auditors of controls that should
be present in the system.

• Walk-Through Test: After describing internal control in their working papers, the auditors will generally verify
that the system has been placed in operation by performing a walk-through of each transaction cycle.

• A walk-through refers to tracing several transactions (perhaps only one or two) through each step in the cycle.

• To perform a walk-through of the sales and collection cycle, for example, the auditors might begin by selecting
several sales orders and following the related transactions through the client's sequence of procedures.

• The auditors would determine whether such procedures as credit approval, shipment of merchandise, preparation
of sales invoices, recording of the accounts receivable, and processing of the customers' remittances were
performed by appropriate client personnel and in the sequence indicated in the audit working papers.

• If the auditors find that the system functions differently from the working paper description, they will amend the
working papers to describe the actual system.

Assess Control Risk

• Assessing control risk involves evaluating the effectiveness of a client's internal
control policies and procedures in preventing or detecting material misstatements
in the financial statements.
• The independent auditors' work involves gathering and evaluating evidence about
the major financial statement assertions: existence or occurrence; completeness;
rights and obligations; valuation or allocation; and presentation and disclosure.
• Therefore, the auditors assess control risk in terms of these five assertions.

• It may be summarized as the following steps: (a) determine the planned assessed
level of control risk, (b) design and perform additional tests of controls, (c)
reassess control risk and modify planned substantive tests, and (d) document the
assessed level of control risk.

Determine the Planned Assessed Level of Control Risk

• After documenting their understanding of internal controls, the auditors will determine a
planned assessed level of control risk for the various financial statement assertions.
• For assertions with weaker internal controls, the auditors may simply plan to assess
control risk at the maximum level, and no tests of the related controls need to be
performed.
• For financial statement assertions that appear to have more effective controls, the
auditors may plan to assess control risk at a lower level.
• To assess control risk at less than the maximum level for a particular assertion, the
auditors must:
– Identify those internal control structure policies and procedures that are likely to prevent
or detect material misstatements of the assertion.
– Perform tests of controls to evaluate the effectiveness of such policies and procedures.

• The auditors' planned assessed level of control risk is used to develop the initial audit
program of substantive testing.
• For assertions with a high planned assessed level of control risk, the auditors will plan
substantial substantive procedures. Planned substantive procedures can be restricted or
eliminated for assertions with a low planned assessed level of control risk.
• Therefore, in making decisions about the planned assessed levels of control risk, the
auditors must consider the trade-off between tests of controls and substantive testing.
• Tests of controls allow the auditors to reduce their assessments of control risk, which, in
turn, allows them to reduce the time spent performing substantive procedures.
• For each test of control, the auditors must ask themselves, "Is the time required to
perform the test justified in terms of its resulting decrease in the scope of substantive
testing?"

• Design and Perform Additional Tests of Controls: The auditors may have
gathered some evidence about the effectiveness of certain policies and
procedures while they obtained an understanding of the client's internal control
structure. In some audits, especially those involving small clients, these
preliminary tests of controls may be adequate to support the auditors' planned
assessed level of control risk. In these cases the auditors need not perform
additional tests of controls and may proceed directly to documenting their
assessed level of control risk and completing the planned substantive tests.
However, for many audits additional tests of controls are necessary to support
the auditors' assessed level of control risk. The auditors will use their
understanding of the internal control structure to design these additional tests of
controls.
• The audit procedures used to test the effectiveness of internal
control policies and procedures include:
– (1) inquiries of appropriate client personnel,
– (2) inspection of documents and reports,
– (3) observation of the application of accounting policies or procedures, and
– (4) re-performance of the policy or procedure.

• Tests of controls focus on the performance of policies and
procedures rather than on the accuracy of financial statement
amounts.

• To illustrate this distinction, assume that the client has implemented the control of
requiring a second person to review the quantities, prices, extensions, and footing of
each sales invoice.
• The purpose of this control is to prevent material errors in the billing of customers and
the recording of sales transactions. A substantive test of financial statement amounts
might involve selecting a sample of recorded sales transactions to determine that they
have been properly recorded and included in the year's total sales.
• To test the effectiveness of this control, the auditors may make inquiries of client
personnel and observe application of the procedure.
• They might also select a sample of, say, 30 sales invoices prepared throughout the
year. They would inspect the invoice copy for the initials of the reviewer, and
re-perform the procedure by comparing the quantities to those listed on the related
shipping documents, comparing unit prices to the client's price lists, and verifying the
extensions and footings.
• The results of this test provide the auditors with evidence as to the existence and
valuation of the recorded sales and accounts receivable.

• If numerous deviations from the control procedure are found, the auditors will expand
their substantive procedures with respect to existence and valuation of accounts
receivable and sales transactions.

• The control described above leaves documentary evidence of performance (the reviewer's
initials) that allows it to be tested by sampling.

• Controls that do not leave documentary evidence of performance must be tested entirely
through observation by the auditors and inquiry of client personnel.

• Segregation of duties, for example, is tested by observing the client's employees as they
perform their duties, and inquiring as to who performed those duties throughout the
period under audit.

• The auditors also should determine whether employees performed incompatible
functions when other employees were absent from work on sick leave or vacation.

• Reassess Control Risk and Modify Planned Substantive Tests:
After the auditors have completed the tests of controls, they are in a
position to reassess control risk based on the results of the tests. The
results of the tests of controls may reveal that the level of control risk
is actually higher than the planned level. If this is the case,
modifications must be made in the nature, timing, and extent of the
planned substantive tests in the audit program. For example, the
auditors may decide to increase the extent of their substantive testing,
or perform certain substantive tests at year-end rather than at an
interim date.

• Document the Assessed Level of Control Risk: The auditors'
assessed level of control risk will have identified the financial
statement assertions with maximum control risk, and those
assertions for which control risk is considered to be less than the
maximum level.
• The auditors must document these conclusions in their working
papers. They must also describe the basis for all assessments that
are at less than the maximum level.
• A working paper is often used to summarize the auditors'
assessments of control risk and the resulting modifications in
substantive tests.
• Notice that the extensions and limitations of audit procedures are
described in detail to facilitate completion of the final version of
the audit program.
• The auditors' consideration of internal control is very complex.

Consideration of the Work of Internal Auditors
• Many of the audit procedures performed by internal auditors are similar in nature to those employed by independent
auditors. This raises the question of how the work of the internal auditors affects the independent auditors' work.
The Auditing Standards Board has addressed this issue in SAS No. 65 (AU 322), "The Auditor's Consideration of
the Internal Audit Function in an Audit of Financial Statements."
• Because the internal audit function is an important aspect of the client's monitoring system, the independent auditors
consider the existence and quality of the function in their assessment of the client's internal control structure.
Through its contribution to internal control, the work of the internal auditors may reduce the amount of audit testing
performed by the independent auditors.
• The independent auditors begin by obtaining an understanding of the work of the internal auditors to determine its
relevance to the audit. They make inquiries about such matters as the internal auditors' activities and audit plans. If
the independent auditors conclude that the internal auditors' work is relevant and that it would be efficient to
consider it, they assess the competence and objectivity of the internal audit staff, and evaluate the quality of their
work.
• In evaluating the competence of the internal auditors, the independent auditors consider the educational level,
professional experience, and professional certifications of the internal audit staff. They also investigate the
internal auditors' policies, programs, procedures, working papers, and reports, and the extent to which the
internal auditors' activities are supervised and reviewed. Objectivity is evaluated by considering the
organizational status of the director of internal audit, including whether the director reports to an officer of
sufficient status to ensure broad audit coverage, and has direct access to the audit committee of the board of
directors. The internal auditors' policies for assigning independent staff to audit areas are also reviewed.

• If, after assessing competence and objectivity, the independent auditors intend to use the
internal auditors' work, they will evaluate and test their work. The evaluation includes a
review of the scope of the internal auditors' work, and the quality of their programs and
reports. This investigation and evaluation provides the independent auditors with a sound
basis for determining the extent to which the work of the internal auditors allows them to
limit their own audit procedures.

• In addition to reducing the extent of the independent auditors' substantive
procedures, the internal auditors' work may affect the independent auditors'
procedures when obtaining an understanding of the client's internal control
structure and assessing risk. For example, the independent auditors may use
the internal auditors' documentation of the internal control structure. The
internal auditors also may provide direct assistance to the independent
auditors in preparing working papers and performing certain audit procedures.
However, the independent auditors should not overrely on the internal
auditors' work; they must obtain sufficient, competent, evidential matter to
support their opinion on the financial statements. Regardless of the extent of
the internal auditors' work, the independent auditors must perform direct
testing of those financial statement assertions with a high risk of material
misstatement. Judgments about assessments of inherent and control risks, the
materiality of misstatements, the sufficiency of tests performed, and other
matters affecting the opinion must be those of the independent auditors. Also,
the independent auditors should be directly involved in evaluating audit
evidence that requires significant subjective judgment.

Communication of Control Structure Related Matters

• Establishing and maintaining an effective internal control structure is an important
responsibility of management. However, the auditors may provide assistance by
communicating significant deficiencies in the internal control structure identified by their
procedures, along with the auditors' recommendations for corrective action. This is a
service in addition to issuance of the audit report. SAS 60 (AU 325), "Communication of
Internal Control Structure Related Matters Noted in an Audit" uses the term reportable
conditions to refer to those matters that must be communicated by the auditors to the audit
committee of the board of directors (or an individual or group with equivalent
responsibility if no audit committee exists).

• A reportable condition is a significant deficiency in the design or operation of the internal control
that could adversely affect the organization's ability to record, process, summarize, and report financial
data. Reportable conditions may be communicated orally, but they are usually set forth in a letter.

• A reportable condition may be of such magnitude as to be considered a material weakness in internal
control; that is, a condition that results in more than a relatively low risk of material misstatement of
the financial statements. While the auditors are not required to identify those reportable conditions that
are material weaknesses, they may do so if requested by the client. A written communication may
indicate that the auditors found no material weaknesses, but one should never be issued that states that
the auditors identified no reportable conditions.

• Auditors often communicate operational suggestions and less significant weaknesses in greater detail
to management in a report called a management letter. This report serves as a valuable reference
document for management and may also serve to minimize the auditors' legal liability in the event of a
defalcation or other loss resulting from a weakness in internal control. Many auditing firms place great
emphasis upon providing clients with a thorough and carefully considered management letter. These
firms recognize that such a report can be a valuable and constructive contribution to the efficiency and
effectiveness of the client's operations. The quality of the auditors' recommendations reflects their
professional expertise and creative ability and the thoroughness of their investigation.

Internal Control in the Small Company
• The preceding discussion of internal control and its consideration by the independent auditors has been
presented in terms of large corporations. In the large concern excellent internal control may be
achieved by extensive segregation of duties so that no one person handles a transaction completely
from beginning to end. In the very small concern, with only one or two office employees, there is little
or no opportunity for division of duties and responsibilities. Consequently, internal control tends to be
weak, if not completely absent, unless the owner/manager recognizes the importance of internal control
and participates in key activities.
• Because of the absence of strong internal control in small concerns, the independent auditors must rely
much more on substantive tests of account balances and transactions than is required in larger
organizations. Although it is well to recognize that internal control can seldom be strong in a small
business, this limitation is no justification for ignoring available forms of control. Auditors can make a
valuable contribution to small client companies by encouraging the installation of such control
procedures as are practicable in the circumstances.

• The following specific practices are almost always capable of use in even the smallest business:
• Record all cash receipts immediately.
– For over-the-counter collections, use cash registers easily visible to customers. Record register readings daily.
– Prepare a list of all mail remittances immediately upon opening the mail and retain this list for subsequent comparison with bank
deposit tickets and entries in the cash receipts journal.
• Deposit all cash receipts intact daily.
• Make all payments by serially numbered checks, with the exception of small disbursements from petty cash.
• Reconcile bank accounts monthly and retain copies of the reconciliations in the files.
• Use serially numbered sales invoices, purchase orders, and receiving reports.
• Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and
receiving reports.
• Balance subsidiary ledger with control accounts at regular intervals, and prepare and mail customers' statements
monthly.
• Prepare comparative financial statements monthly in sufficient detail to disclose significant variations in any
category of revenue or expense.

• Adherence to these basic control practices significantly reduces the risk of material
error or major defalcation going undetected.
• If the size of the business permits a segregation of the duties of cash handling and
record keeping, a fair degree of control can be achieved.
• If it is necessary that one employee serve as both accounting clerk and cashier, then
active participation by the owner in certain key functions is necessary to guard against
the concealment of fraud or errors.
• In a few minutes each day the owner, even though not trained in accounting, can create
a significant amount of internal control by personally (1) reading daily cash register
totals, (2) reconciling the bank account monthly, (3) signing all checks and canceling
the supporting documents, (4) approving all general journal entries, and (5) critically
reviewing comparative monthly statements of revenue and expense.
