CONSIDERATION OF INTERNAL CONTROL
After the auditor has set the desired level of audit risk and assessed the level
of inherent risk, the next step is to assess the level of control risk.
Assessing control risk is the process of evaluating the design and operating
effectiveness of an entity’s internal control as to how it prevents or detects
material misstatements in the financial statements. The conclusion reached
as a result of assessing control risk is referred to as the assessed level of
control risk.
Nature of Internal Control
When an entity is small, its owner or manager can personally perform,
or directly oversee, all of its functions. However, as the entity grows larger, it
becomes necessary to delegate functional responsibilities to employees.
Once this occurs, mechanisms need to be introduced which enable
the performance of the employees to be checked, to ensure that they
are fulfilling their responsibilities as intended.
PSA 315 defines internal control as the process designed and effected
by those charged with governance, management, and other
personnel to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with
applicable laws and regulations.
This definition embodies four essential concepts.
1. Internal control is a process
Internal control is not an end in itself. Instead, it is a means of
achieving the entity’s objectives.
2. Internal control is effected by those charged with governance,
management and other personnel.
Internal control is accomplished by people at every level of the
organization, including the management, those charged with governance,
and the entity’s staff personnel. It is the responsibility of the management to
establish a control environment and maintain policies and procedures to
assist in achieving the entity’s objectives. Those charged with governance,
on the other hand, ensure the integrity of accounting and financial
reporting systems through oversight of management. Staff personnel should
also perform their respective functions in order to accomplish the objectives
of the entity.
3. Internal control can be expected to provide reasonable assurance of
achieving the entity’s objectives
Internal control can only provide reasonable assurance (not absolute
assurance) that the entity’s objectives will be achieved. This is because
there are inherent limitations that may affect the internal control’s
effectiveness. These limitations include:
Management’s usual requirement that the cost of an internal control
should not exceed the expected benefits to be derived;
Most internal controls tend to be directed at routine transactions rather
than non-routine transactions;
The potential for human error due to carelessness, distraction, mistakes of
judgement, and the misunderstanding of instructions;
The possibility of circumvention of internal controls through collusion
among employees;
The possibility of management overriding the internal control; and
The possibility that procedures may become inadequate due to
changes in conditions, and compliance with procedures may
deteriorate.
4. Internal control is designed to help achieve the entity’s objectives.
Internal control is geared towards the achievement of the entity’s
objectives in the following categories:
Operational Objective - Effectiveness and efficiency of operations;
Compliance Objective - Compliance with relevant laws and regulations;
Financial Reporting Objective - Reliability of financial reporting.
In the audit of financial statements, the auditor is only concerned with
those policies and procedures within the accounting and internal control
systems that are relevant to the financial statement assertions. Therefore,
the objective that is most relevant to the audit is the financial reporting
objective.
Operational and compliance objectives may be relevant to the audit
only if they relate to data the auditor evaluates to determine the
reliability of some financial statement assertions. For example, controls
pertaining to non-financial data that the auditor uses in analytical
procedures, such as production statistics, or controls pertaining to
detecting non-compliance with laws and regulations that may have a
direct and material effect on the financial statements, such as controls
over compliance with income tax laws and regulations used to
determine the income tax provision, may be relevant to an audit.
Components of Internal control
Although internal control policies and procedures vary significantly
from one entity to another, there are essential components of
internal control that must be established to provide reasonable
assurance that the entity's objectives will be achieved. There are five
interrelated components of the entity's internal control, namely:
Control Environment;
Risk Assessment;
Information and Communication system;
Control activities; and
Monitoring
o Control Environment
The control environment includes the attitudes, awareness, and actions
of management and those charged with governance concerning the
entity’s internal control and its importance in the entity. The control
environment also includes the governance and management functions
and sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for effective internal
control, providing discipline and structure.
Factors reflected in the control environment include:
Integrity and ethical values
Management should establish ethical standards that discourage
employees from engaging in dishonest, unethical, or illegal acts that could
materially affect the financial statements.
Management philosophy and operating style
The auditor should assess the management’s attitude towards financial
reporting as well as its emphasis on meeting projected profit goals because
these will significantly influence the risk of material misstatements in the
financial statements.
Active participation of those charged with governance
The entity must have an audit committee which will be responsible for
overseeing the financial reporting policies and practices of the entity.
Commitment to competence
The entity should consider the level of competence required for each
task and translate this to requisite knowledge and skills.
Personnel policies and procedures
The entity must implement appropriate policies for hiring, training,
evaluating, promoting, and compensating the entity’s personnel because the
competence of the entity’s employees will bear directly on the
effectiveness of the entity’s internal control.
Assignment of responsibility and authority/ Organizational structure
Organizational structure provides a framework for planning, directing,
and controlling the entity’s operations. Appropriate methods of assigning
responsibility must be implemented to avoid incompatible functions and to
minimize the possibility of errors because of too much workload assigned to
an employee.
o Risk Assessment
An entity’s business objectives cannot be achieved without some risks.
Business risk is the risk that the entity’s business objectives will not be
attained as a result of internal and external factors such as technological
developments, changes in customer demand and other economic
changes.
Business risks are crucial to every organization. Management should
adopt policies and procedures that are designed to identify and analyze
the risks affecting the entity’s business and to take the appropriate action
to manage these risks. For audit purposes, the auditor is concerned only
with those risks that are relevant to the preparation of reliable financial
statements.
o Information and Communication Systems
Effective internal control must provide timely information and
communication. The information system relevant to financial reporting
objectives, which includes the financial reporting system, consists of the
procedures and records established to initiate, record, process, and report
entity transactions (as well as events and conditions), and to maintain
accountability for the related assets and liabilities.
An information system encompasses methods and records that:
Identify and record all valid transactions;
Describe the transactions in sufficient detail and in a timely manner, in
order to permit proper classification of transactions for financial
reporting;
Measure the value of transactions in a manner that permits recording
their proper monetary value in the financial statements;
Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period; and
Present properly the transactions and related disclosures in the financial
statements.
Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. Open
communication channels help ensure that exceptions are reported and
acted on. Communication can be made electronically, verbally, and
through the actions of management. It can take such forms as policy
manuals, accounting and financial reporting manuals, and memoranda.
o Control Activities
Control activities are the policies and procedures that help ensure that
management directives are carried out. Specific control procedures that
are relevant to financial statement audit include:
Performance Reviews;
Information Processing;
Physical controls; and
Segregation of duties
1. Performance reviews
These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance;
relating different sets of data to one another, together with analyses of the
relationships and investigative and corrective actions.
2. Information processing
A variety of controls are performed to check accuracy, completeness,
and authorization of transactions. When computer processing is used in
significant accounting applications, internal control procedures can be
classified into two types: general and application controls.
3. Physical controls
These activities encompass the physical security of assets, including
adequate safeguards such as secured facilities over access to assets and
records; authorization for access to computer programs and data files; and
periodic counting and comparison with amounts shown on control records.
4. Segregation of duties
Assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets is intended to
reduce the opportunities to allow any person to be in a position to both
perpetrate and conceal errors or fraud in the normal course of the person’s
duties. Examples of segregation of duties include reporting, reviewing and
approving reconciliations, and approval and control of documents.
o Monitoring
Monitoring is a process of assessing the quality of internal control
performance over time. It involves assessing the design and operation of
controls on a timely basis and taking necessary corrective actions.
Monitoring is done to ensure that controls continue to operate effectively.
Monitoring of controls is accomplished through ongoing monitoring
activities, separate evaluations, or a combination of the two. Ongoing
monitoring activities are built into the normal recurring activities of an entity
and include regular management and supervisory activities such as
preparation of monthly bank reconciliation. Separate evaluations are
monitoring activities that are performed on a non-routine basis, such as
functions performed by internal auditors.
Internal control for a small business
In a small business with very few office employees, it is difficult to have
proper segregation of duties or maintain a separate internal audit
department. Consequently, internal control systems in small businesses tend
to be weak compared to the internal control systems of larger entities.
These weaknesses, however, can be compensated if the owner/manager
actively participates in the operations of the business.
Considerations of internal control
Auditors are not responsible for establishing and maintaining an entity’s
accounting and internal control systems; that is the responsibility of the
entity’s management. Nevertheless, the auditors should give adequate
consideration to these controls because the condition of the entity’s
internal control systems can have a significant impact on the audit.
Consideration of the entity’s internal control systems involves the following
steps:
1. Obtaining an understanding of the internal control;
2. Documenting the understanding of accounting and internal control
systems;
3. Assessing the level of control risk;
4. Performing tests of controls; and
5. Documenting the assessed level of control risk.
Understanding Internal Control
The auditor should obtain sufficient understanding of the components of
the entity’s internal control relevant to the audit.
Obtaining an understanding of internal control involves:
Evaluating the design of a control; and
Determining whether it has been implemented.
Evaluating the design of a control involves considering whether the control,
individually or in combination with other controls, is capable of effectively
preventing, or detecting and correcting, material misstatements.
Implementation of a control means that the control exists and that the
controls have been placed in operation.
An initial understanding of the design of the entity’s internal control systems
is ordinarily obtained by:
Making inquiries of appropriate individuals;
Inspecting documents and records; and
Observing the entity’s activities and operations.
After obtaining sufficient knowledge about the design of the system, the
auditor should determine whether these controls have been implemented.
This is accomplished by performing a “walk-through” test. This task involves
tracing one or two transactions through the entire accounting system,
from their initial recording at source to their final destination as a
component of an account balance in the financial statements. A
walk-through test also confirms the auditor’s understanding of how the
accounting systems and control procedures function.
It is to be emphasized that the auditor is not required to obtain knowledge
about the operating effectiveness of the internal control when obtaining an
understanding of the entity’s internal control system. At this stage of the
audit, the auditor is basically concerned about the design of relevant
control policies and procedures and whether such controls are actually
being applied.
The auditor’s understanding of internal control should be adequate
enough to:
Identify types of potential misstatements that can occur;
Consider factors that affect the risks of material misstatements; and
Design the nature, timing, and extent of audit procedures to be performed.
Documenting the auditor’s understanding of internal control
Subsequent to obtaining sufficient knowledge about the design and
implementation of the internal control, the auditor is required to document
his understanding of accounting and internal control systems. This
documentation need not be in any particular form. The extent of
documentation may vary depending on the size and complexity of the
entity and nature of the entity’s internal control system. Some commonly
used forms of documentation include:
Narrative description of the entity’s internal control;
Flowchart that diagrams the flow of transactions and documents; and
Internal control questionnaire providing management’s responses to
questions about internal control.
Assessment of Control Risk
After obtaining and documenting the auditor’s understanding of the
accounting and internal control systems, the auditor should make a
preliminary assessment of control risk, at the assertion level, for each
material account balance or class of transactions. The auditor’s preliminary
assessment of control risk may be at a high level (100%) or less than high
level.
When the auditor’s knowledge of the entity’s internal control indicates that
internal controls related to a particular assertion are not effective, the
auditor may simply assess control risk at a high level. Hence, no tests of
controls need to be performed and the auditor will rely primarily on
substantive tests.
On the other hand, if the auditor believes that controls appear to be
reliable, the auditor should determine whether it is efficient to obtain the
evidence to justify an assessment of control risk at a lower level.
If the auditor concludes that it is more efficient to rely on the entity’s internal
control systems, the auditor would plan to assess control risk at less than
high level.
For this purpose, the auditor should:
Identify specific internal control policies or procedures that are likely to
prevent or detect and correct material misstatement relevant to
financial statement assertion; and
Perform tests of control to determine the effectiveness of such policies or
procedures.
Performing tests of controls
Irrespective of how effective internal control procedures may appear to
be in preventing material misstatements from occurring in the financial
statements, before the auditor can rely on them to reduce substantive tests,
the auditor must test these controls to obtain evidence that they are
working effectively as the preliminary assessment suggests.
Tests of controls are performed to obtain evidence about the effectiveness
of the:
Design of the accounting and internal control systems; or
Operation of the internal controls throughout the period.
It is important to note that the auditor will only test the operating
effectiveness of controls that are likely to detect or prevent material
misstatements. That is, the auditor will only test those controls that he or she
plans to rely upon.
According to PSA, the auditor should obtain audit evidence through tests of
controls to support any assessment of control risk at less than high level. The
lower the assessment of control risk, the more support the auditor should
obtain that the internal control is suitably designed and operating
effectively. Thus, the greater the reliance the auditor plans to place on
internal control, the more extensive the tests of those controls that need to
be performed.
o Nature of tests of control
Tests of controls generally consist of one (or a combination) of the
following evidence gathering techniques: (1) inquiry, (2) observation, (3)
inspection, and (4) reperformance.
Inquiry consists of searching for the appropriate information about the
effectiveness of internal control from knowledgeable persons inside or
outside the entity.
Observation refers to looking at the process being performed by others. For
example, the auditor may observe the payroll payoff procedures or the
performance of internal control procedures that leave no evidence of
performance.
Inspection involves the examination of documents and records to provide
evidence of reliability depending on their nature and source and the
effectiveness of internal control over their processing.
Reperformance involves repeating the activity performed by the client to
determine whether proper results were obtained. For example, the auditor
may reperform the procedure by tracing the sales prices to the authorized
price list in effect at the date of the transaction. If no errors are found, the
auditor can conclude that the procedure is operating as intended.
For certain controls such as segregation of duties, documentary evidence
(audit trail) may not exist. In this case, the auditor will have to test the
effectiveness of the control procedure by making inquiry of appropriate
client personnel and observing the application of the control procedures.
There is significant overlap between the procedures used to obtain an
understanding and tests of controls. Notice that inquiry of client personnel,
observation of
procedures and inspection of documents are also used when obtaining
understanding about the entity’s internal control system. In fact, many of
the procedures used to understand the design of internal control may
provide evidence about the reliability of the client’s accounting and
internal control systems. Consequently, obtaining understanding of the
entity’s internal control system and assessing control risks are often done
simultaneously.
o Timing of tests of controls
Auditors usually perform tests of controls during an interim visit in
advance of period end. However, auditors cannot rely on the results of
such tests without considering the need to obtain further evidence relating
to the remainder of the period.
This evidence may be obtained by performing tests of control for the
remaining period or by reviewing whether there are changes affecting the
entity’s internal control system. In determining whether or not to test the
remaining period, the following factors must be considered:
The result of the interim tests;
The length of the remaining period; and
Whether changes have occurred in the accounting and internal control
systems during the remaining period.
o Extent of tests of control
The auditor cannot possibly examine all transactions related to certain
control procedures. In an audit, the auditor should determine the size of a
sample sufficient to support the assessed level of control risk.
o Using the results of tests of control
Based on the results of the tests of control, the auditor should evaluate
whether the internal controls are designed and operating as intended.
The conclusion reached as a result of this evaluation is called the assessed
level of control risk. The auditor uses the assessed level of control risk
(together with the assessed level of inherent risk) to determine the
acceptable level of detection risk. There is an inverse relationship between
detection risk and the combined level of inherent and control risks. For
example, if the combined assessed level of inherent and control risk is high,
detection risk needs to be low to reduce audit risk to an acceptably low
level. In this regard, the auditor may consider modifying:
The nature of substantive tests from less effective to more effective
procedures;
The timing of substantive tests by performing them at year-end rather
than at interim; or
The extent of substantive tests from smaller to larger sample size.
o Operating effectiveness vs. implementation
Testing the operating effectiveness of control is different from obtaining
audit evidence that controls have been implemented.
When obtaining audit evidence of implementation by performing risk
assessment procedures, the auditor determines that the relevant controls
exist and that the entity is using them. When performing tests of the
operating effectiveness of controls, the auditor obtains audit evidence that
controls operate effectively. This includes obtaining audit evidence about
how controls were applied at relevant times during the period under audit,
the consistency with which they were applied, and by whom or by what
means they were applied.
Documenting the assessed level of control risk
After evaluating the results of tests of control and assessing the control
risk, the auditor should document his assessment of control risk.
If the control risk is assessed at a high level, the auditor should document
his conclusion that control risk is at a high level.
If the control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high and the basis for
that assessment. This basis is actually the results of tests of control. Hence, the
auditor cannot assess control risk at less than high level without performing
tests of control.
The following table summarizes the documentation requirements for auditors
when considering internal control:
                                      Control risk at    Control risk at less
                                      high level         than high level
1. Understanding of Internal Control  Required           Required
2. Conclusion                         Required           Required
3. Basis for the conclusion           Required           Not required
Communications of Significant Deficiencies in Internal Control
As a result of the auditor’s consideration of the accounting and internal
control systems, the auditor may become aware of significant deficiencies
in the entity’s internal control systems. In this regard, the auditor is required
to report to the appropriate level of management and those charged with
governance, any significant deficiencies in the internal control systems,
which have come to the auditor’s attention. This communication should be
in writing and can be done either before or after the auditor’s report on the
financial statements is issued.
Regardless of the timing of the written communication of significant
deficiencies, the auditor may communicate these orally in the first instance
to management and, when appropriate, to those charged with
governance to assist them in taking timely remedial action to minimize the
risks of material misstatement. Doing so, however, does not relieve the
auditor of the responsibility to communicate the significant deficiencies in
writing.
It is to be emphasized that auditors are not required to search for and/or
identify internal control deficiencies. The auditors must, however,
communicate significant deficiencies in internal control to the client when
they come to their attention during the course of the audit. These internal
control deficiencies, together with other matters of concern, are ordinarily
communicated to the client in a formal report called a management letter.