Internal Control (PSA 315)

Assessing control risk – process of evaluating the design and operating effectiveness of an entity’s
internal control as to how it prevents or detects material misstatements in the FS.

Assessed level of control risk – conclusion reached as a result of assessing control risk.

Nature of Internal Control

Internal Control – process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity’s objectives with
regard to reliability of financial reporting effectiveness and efficiency of operations and compliance with
applicable laws and regulations.

Four Essential Concepts

1. Internal Control is a process.

2. Internal Control is effected by those charged with governance, management and other
personnel.
Management – to establish a control environment and maintain policies and procedures to
assist in achieving the entity’s objectives.
Governance – ensure the integrity of accounting and financial reporting systems through
oversight of management.
Staff personnel – perform their respective functions in order to accomplish the objectives of the
entity.

3. Internal Control can be expected to provide reasonable assurance of achieving the entity’s
objectives.
Reasonable assurance because of inherent limitations that may affect the internal control’s
effectiveness which includes:
 Management’s usual requirement that cost should not exceed benefits to be derived.
 Most internal control tend to be directed at routine transactions rather than non-
routine transactions.
 Potential of human error due to carelessness, distraction, mistakes of judgement and
the misunderstanding of instructions.
 Possibility of circumvention(avoiding) of internal controls through the collusion among
employees.
 Possibility of management overriding the internal control.
 Possibility that procedures may become inadequate due to changes in conditions,
compliance with procedures may deteriorate.
4. Internal Control is designed to help achieve the entity’s objectives.
Internal control is geared towards the achievement of the entity’s objectives in the following
categories:
 Effectiveness and efficiency of operations.
 Compliance with laws and regulations.
  Reliability of financial reporting.

In the audit of FS, the auditor is only concerned with policies and procedures within the
accounting and internal control systems that are relevant to the financial statement
assertions. The objective that is most relevant to the audit is the Financial reporting
objective.

Operational and compliance objectives may be relevant to the audit only if they relate to
data the auditor evaluates to determine the reliability of some financial statement
assertions.

Example:

Controls pertaining to non-financial data that the auditor uses in analytical procedures.

Components of Internal Control

Although internal control policies and procedures vary significantly from one entity to another, there are
essential components of internal control that must be established to provide reasonable assurance that
the entity’s objectives will be achieved.

1. Control Environment
2. Risk Assessment
3. Information and communication systems
4. Control Activities
5. Monitoring

Control Environment

It includes the attitudes, awareness, and actions of management and those charged with governance
concerning the entity’s internal control and its importance in the entity. The control environment also
includes the governance and management functions and sets the tone of an organization, influencing
the control consciousness of its people. It is the foundation for effective internal control, providing
discipline and structure.

Factors reflected in the control environment include:

 Integrity and ethical values

 Management philosophy and operating style
The auditor should assess the management attitudes towards financial reporting and their
emphasis on meeting projected profit goals because it will significantly influence the risk of
material misstatements in the FS.
 Active participation of those charged with governance
The entity must have an audit committee which will be responsible for overseeing the financial
reporting policies and practices of the entity.
 Commitment to competence
 The entity should consider the level of competence required for each task and translate it to
requisite knowledge and skills.
 Personnel policies and procedures
The entity must implement appropriate policies for hiring, training, evaluating, promoting, and
compensating entity’s personnel because the competence of the employees will bear directly to
the effectiveness of the entity’s internal control.
 Assignment of responsibility and authority/ Organizational structure
Organizational structure provides a framework for planning, directing, and controlling the
entity’s operations. Appropriate methods of assigning responsibility must be implemented to
avoid incompatible functions and to minimize the possibility of errors due to too much work
load assigned to an employee.

Risk Assessment

Entity’s business objectives cannot be achieved without some risks. Business risk is the risk that
the entity’s business objectives will not be attained as a result of internal and external factors such as
technological advancements, changes in customers demand and other economic changes.

For audit purposes, the auditor is concerned only with those risks that are relevant to the
preparation of reliable financial statements.

Information and Communication Systems

The information system relevant to financial reporting objectives, which includes the financial
reporting system, consists of the procedures and records established to initiate, record, process, and
report entity transactions (events and conditions) and to maintain accountability for the related assets,
liabilities, and equity.

An information system encompasses methods and records that:

 Identify and record all valid transactions.

 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary
value in the FS.
 Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.
 Present properly the transactions and related disclosures in the FS.

Communication involves providing an understanding of individual roles and responsibilities

pertaining to internal control over financial reporting. It can be made electronically, orally, and
through the actions of management. It can take such forms as policy manuals, accounting and
financial reporting manuals, and memoranda.
Control Activities

Control activities are the policies and procedures that help ensure that management directives
are carried out. Specific control procedures that are relevant to FS audit are:

 Performance Reviews
It is the review and analyses of actual performance versus budgets, forecasts, and prior period
performance; relating different sets of data to one another.
 Information processing
It includes checking of accuracy, completeness, and authorization of transactions.
 Physical Controls
It encompasses the physical security of assets, including adequate safeguards such as secured
facilities over access to assets and records; authorization for access to computer programs and
data files; periodic counting and comparison with amounts shown on record controls.
 Segregation of duties

Monitoring

Process of assessing the quality of internal control performance over time. It involves assessing
the design and operation of controls on a timely basis and taking necessary corrective actions.
Monitoring is done to ensure that controls continue to operate effectively.

 Ongoing monitoring
Normal recurring activities of an entity and include regular management and supervisory.
 Separate evaluations
Monitoring activities that are performed on a non-routine basis, such as functions performed by
internal auditors.

Internal Control for a small business

Small businesses tend to have weaker internal control systems compared to larger entities. It
can be compensated if the owner/manager actively participates in the operations of the business.

Consideration of Internal Control

Auditors are not responsible for establishing and maintaining an entity’s accounting and internal
controls systems, it is the entity’s management. But the auditor should give adequate consideration to
these controls. The following steps are the consideration of the entity’s internal control systems:

1. Obtain understanding of the internal control.

2. Document the understanding of accounting and internal control systems.
3. Assess the level of control risk.
4. Perform test of controls.
5. Document the assessed level of control risks.

Understanding of Internal Control

It involves:

 Evaluating the design of a control

It includes considering whether the control (individually or in combination with other controls) is
capable of effectively preventing, or detecting and correcting, material misstatements.
 Determining whether it has been implemented
It means that the control exists and that the controls have been placed in operation.

Initial understanding of the design of the entity’s internal control is obtained by:

1. Making inquiries of appropriate individuals

2. Inspecting documents and records
3. Observing of entity’s activities and operations.

After obtaining sufficient knowledge about the design, the should determine whether these are
implemented. It is accomplished by performing walkthrough-test, it involves tracing one or two
transactions through the entire accounting systems, from their source to their account balance in the
FS.

It is not required for the auditor to obtain knowledge about the operating effectiveness of the internal
control, but it is required to obtain an understanding of the internal control.

The auditor uses the understanding of internal control to:

1. Identify types of potential misstatements that can occur.

2. Consider factors that affect the risk of material misstatements.
3. Design the nature, timing, and extent audit procedures to be performed.

Documenting the auditor’s understanding of internal control

 The documentation need not be in any particular form.

 The extent of documentation may vary depending on the size and complexity of the entity and
nature of the entity’s internal control systems.

Commonly used forms of documentation:

1. Narrative description of the entity’s internal control

2. Flowchart that diagrams the flow of transactions and documents
3. Internal control questionnaire providing management’s responses to questions about internal
control.

Assessment of Control Risk

 The auditor’s preliminary assessment of control risk may be at a high level (100%) or less than
high level.
  When the auditor assess that the internal control is NOT EFFECTIVE, the auditor may assess the
control risk at HIGH LEVEL, no test of controls need to be performed. The auditor may rely only
to substantive test.
 When the control appears to be RELIABLE, the auditor should determine if it is efficient to obtain
evidence to justify an assessment of control risk at a lower level.

When the auditor concludes that it is MORE EFFICIENT to rely on internal control system, the auditor
would plan to assess control risk at less than high level. The auditor should:

1. Identify specific internal control policies or procedures that are likely to prevent or detect and
correct material misstatement relevant to FS assertion
2. Perform test of control to determine the effectiveness of such policies or procedures.

Performing tests of controls

 Performed to reduce substantive tests

 Performed to obtain evidence that they are working effectively as the preliminary assessment
suggests.
 The auditor will only test those controls that he or she plans to rely upon.
 Performed to support any assessment of control risk at less than high level.
 The lower the assessment risk, the more support the auditor should obtain.
 The greater the reliance, the more extensive the test of controls need to be performed.

Test of controls are performed to obtain evidence about the effectiveness of the:

1. Design of the accounting and internal control systems

2. Operation of the internal controls throughout the period.

Nature of test of control

1. Inquiry
2. Observation
3. Inspection
4. Reperformance

For certain controls such as segregation of duties, documentary evidence (audit trail) may not exist.
In this case the auditor will have to test by making inquiry and observing.

There is a significant overlap between the procedures used to obtain understanding and test of
controls. Consequently they are often done simultaneously.

Timing of tests of controls

 Usually performed during interim visit.

 However, auditors cannot rely on the results of such tests without considering the need to
obtain further evidence relating to the remainder of the period.

In determining whether or not to test the remaining period, the following factors must be considered:
 1. The result of the interim tests.
2. The length of the remaining period.
3. Whether changes have occurred in the accounting and internal control systems during the
remaining period.

Extent of tests of control

The auditor should determine the size of a sample sufficient to support the assessed level of
control risk.

Using the results of tests of control

 Based on the results of test of control, the auditor should evaluate whether the internal controls
are designed and operating as intended.
 The auditor uses the assessed level of control risk (together with the assessed level of inherent
risk) to determine the acceptable level of detection risk.
 Inverse relationship between COMBINED ASSESS LEVEL OF INHERENT+CONTROL RISK AND
DETECTION RISK.
 If combined assessed level of inherent+ control risk is high the DETECTION RISK should be LOW
to reduce the audit risk to an acceptably low level.
 In this regard, the auditor may consider modifying:
1. Nature of substantive test from less effective to more effective procedures
2. Timing of substantive tests by performing them at year end rather than at interim
3. Extent of substantive tests from smaller to larger sample size.

Documenting the assessed level of Control Risk

 If the assessed level of control risk is HIGH level, the auditor should document his conclusion
that control risk is at a high level.
 If assessed at LESS THAN HIGH LEVEL, the auditor should document his conclusion that control
risk is less than high and the BASIS for that assessment.

Communication of Internal Control Weaknesses

 The auditor is required to report to the appropriate level of management, the weaknesses
that come to the auditor’s attention.
 It is ordinarily in writing and should be done at the earliest opportunity as possible.
 Oral communications could also be made provided these are adequately documented in
the audit working papers.
 It is NOT REQUIRED that auditors are to search or identify internal control weakness, but
they must communicate it to the client when they come to their attention during the course
of audit.
 These internal control weaknesses together with other matters of concern are documented
in a formal management letter.
Summary

Components of Internal Control

1. Control Environment
2. Risk Assessment
3. Information and Communication systems
4. Control Activities
5. Monitoring

Consideration of Internal Control

1. Obtain understanding
2. Document the understanding
3. Assess the level of control risk
4. (If assessed level of control risk is less than high level) Perform Tests of Controls
1. Inquiries
2. Observation
3. Inspection
4. Reperformance
5. Document the assessed level of control risks