
AUDITING THEORY Red Sirug

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL

INTERNAL CONTROL – the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement of an
entity’s objectives

Essential Concepts of Internal Control: Internal control is (a):


1. Process – a means of achieving the entity's objectives
2. Effected by:
a. Those charged with governance: ensure the integrity of accounting and financial reporting
systems through oversight of management
b. Management: design, implement and maintain internal control
c. Staff personnel: perform their respective functions
3. Provides reasonable assurance about the achievement of an entity’s objectives – internal
control is designed to prevent, or detect and correct, problems to help in achieving the entity’s objectives
• Inherent limitations of internal control system: Even a well-designed and effective internal
control system cannot eliminate material misstatements, whether due to fraud or error.
Examples of inherent limitations of internal control:
1. Management overriding the internal control.
2. Circumvention of internal controls through the collusion among employees.
3. Cost-benefit considerations (concept of reasonable assurance) – the costs of a control to be
established should not exceed its expected benefits
4. Most controls tend to be directed at routine transactions rather than non-routine transactions.
5. Human error (such as due to carelessness, distraction, mistakes of judgment, the
misunderstanding of instructions, errors in the design or use of automated controls)
6. The possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures may deteriorate.
7. Segregation of duties may be difficult to achieve in a smaller entity.
4. Helps to achieve the entity's objectives
• Objectives represent what an entity strives to achieve.
• Categories of entity's objectives:
1. Financial reporting objective – this objective relates to reliability of financial reporting
2. Operational objective – this objective is intended to enhance effectiveness and efficiency of
operations
3. Compliance objective – this objective relates to entity’s compliance with applicable laws and
regulations

Benefits of Strong Internal Control:


• Reliability of financial information for decision-making purposes
• Enhances the effectiveness and efficiency of operations
• Assurance of compliance with applicable laws and regulations
• Protection of assets and important documents and records
• Reduced cost of an external audit – because the auditor may rely on the effectiveness of internal control

Classification of Internal Control:

1. According to objectives:
a. Financial reporting controls – controls to achieve reliability of financial reporting objective
b. Operational effectiveness controls – controls to achieve operational effectiveness objective
c. Compliance controls – controls to achieve compliance objective

Relationship between the entity’s objectives and internal control:


There is a direct relationship between the entity’s objectives and the internal control it
implements to provide reasonable assurance about their achievement.
2. According to functions:
a. Preventive controls – controls that deter problems before they arise (for example, segregation of
incompatible employee functions/duties and control physical access to assets, facilities and
information)
b. Detective controls – controls that discover or detect problems as they arise (for example,
preparing bank reconciliation and preparing monthly trial balance)
c. Corrective controls – controls that remedy problems discovered with detective controls (for
example, maintaining backup copies of transactions and master files)

AT – Considering the Entity’s Internal Control Red Sirug Page 1


Components of Internal Control:

Obtaining understanding of internal control means obtaining understanding of the five interrelated and
essential components or aspects of internal control as follows:

1. Control environment – it includes the governance and management functions and the attitudes,
awareness, and actions of those charged with governance and management concerning the entity’s
internal control and its importance in the entity
• It sets the tone of an organization, influencing the control consciousness of its people.
• It is a set of characteristics that defines good control working relationships in an entity.
• It is the foundation for effective internal control for it provides an appropriate foundation for other
components of internal control.

Elements of control environment:


1. Communication and enforcement of integrity and ethical values – These influence the
effectiveness of the design, administration and monitoring of controls.
2. Commitment to competence – Management’s consideration of the competence levels for
particular jobs and how those levels translate into requisite skills and knowledge.
3. Participation by those charged with governance (BOD and audit committee)
4. Management’s philosophy and operating style – Management’s approach to taking and
managing business risks, attitudes and actions toward financial reporting, and attitudes toward
information processing and accounting functions and personnel.
5. Organizational structure – The framework within which an entity’s activities for achieving
its objectives are planned, executed, controlled and reviewed.
6. Assignment of authority and responsibility – How authority and responsibility for
operating activities are assigned and how reporting relationships and authorization hierarchies
are established. Appropriate methods of assigning responsibility must be implemented to avoid
incompatible functions and to minimize the possibility of errors because of too much work load
assigned to an employee.
7. Personnel or Human resource policies and procedures – Policies and practices that
relate to recruitment/hiring, orientation, training, evaluation, counseling, promotion,
compensation, and remedial actions.

Considering the control environment:


The auditor shall obtain understanding of control environment and evaluate:
a. Whether the management, with the oversight of those charged with governance, has created
and maintained a culture of honesty and ethical behavior
b. Whether the strengths in the control environment provide foundation for the other components
of internal control
c. Whether other components of internal control are not undermined by control environment
weaknesses

2. Entity’s risk assessment process – entity’s own process of identification, analysis, and management
of risks relevant to the preparation and fair presentation of financial statements

Considering the entity’s risk assessment process:


The auditor shall obtain understanding of whether the entity has a process for:
a. Identifying business risks relevant to financial reporting objectives
b. Estimating the significance of the risks
c. Assessing the likelihood of their occurrence
d. Deciding about actions to address those risks

3. Information system (including the related business processes, relevant financial reporting
and communication) – information and communication systems support the identification, capture,
and exchange of information in a timely and useful manner
• The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the methods and records established to record, process, summarize, and report
entity transactions (as well as events and conditions) and to maintain accountability for the related
assets, liabilities, and equity.
• Communication involves providing an understanding of individual roles and responsibilities pertaining
to internal control over financial reporting. Communication may take such forms as policy manuals
and financial reporting manuals. Open communication channels help ensure that exceptions are
reported and acted on.

Considering the information system:


The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
a. The classes of transactions in the entity’s operations that are significant to the financial
statements;
b. The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the
general ledger and reported in the financial statements;
c. The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the
correction of incorrect information and how information is transferred to the general ledger.
d. The records may be in either manual or electronic form;
e. How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
f. The financial reporting process used to prepare the entity’s financial statements, including
significant accounting estimates and disclosures; and
g. Controls surrounding journal entries, including non-standard journal entries used to record non-
recurring, unusual transactions or adjustments.

4. Control activities – the policies and procedures that help ensure management’s directives are carried
out and that necessary steps to address risks are taken. Control activities address risks that if not
mitigated would threaten the achievement of the entity’s objectives.

Examples of specific control activities include those relating to:


• Authorization
• Performance reviews
• Information processing
• Physical controls
• Segregation activities

Considering the control activities:


The auditor shall obtain understanding of control activities relevant to the audit. Control activities
relevant to the audit are those that the auditor judges it necessary to understand in order to:
a. Assess the risks of material misstatement at the assertion level and
b. Design further audit procedures responsive to the assessed risks.

An audit does not require an understanding of all the control activities. In understanding the entity’s
control activities, the auditor shall obtain understanding of how the entity has responded to risks arising
from IT.

Examples of specific control activities that may be relevant to an audit:


1. Prenumbering of documents – helps to assure that:
a. All transactions are recorded (completeness).
b. No transactions are recorded more than once (existence).
2. Authorization of transactions – authorization should occur before commitment of resources
3. Independent checks to maintain asset accountability – independent checks involve the
verification of work previously performed by others, such as:
• Review of bank reconciliations
• Comparison of subsidiary records to control accounts
• Comparison of physical counts of inventory to perpetual records
4. Documentation – provides evidence of the underlying transactions and is a basis for
establishing responsibility for the execution and recording of transactions
5. Performance reviews – includes review and analyses of the following:
a. Actual performance versus budgets, forecasts, and prior period performance
b. Relationship between different sets of data to one another, together with analyses of the
relationships and investigative and corrective actions (for example, the management of a
sports team might use attendance data to ascertain the reasonableness of ticket sales).
c. Comparison between internal data and external sources of information, and
d. Functional or activity performance (for example, sales reports, receivable reports, etc., may
be used to analyze performance and to identify errors).
6. Information processing controls – ensure that transactions are valid, properly authorized,
and completely and accurately recorded
a. Application controls – controls which apply to the processing of individual applications
Examples of application controls:
• Checking the arithmetical accuracy of records
• Maintaining and reviewing accounts and trial balance
• Automated controls such as edit checks of input data and numerical sequence checks
• Manual follow-up of exception reports
• Controls surrounding receivables



• Controls surrounding payroll
b. General controls – controls that relate to many applications and support the effective
functioning of application controls by helping to ensure the continued proper operation of
information systems. General controls apply to information processing throughout the
company.
Examples of general controls:
• Program change controls
• Controls that restrict access to programs or data
• Controls over the implementation of new releases of packaged software applications
• Controls over system software that restrict access to or monitor the use of system
utilities that could change financial data or records without leaving an audit trail
• Controls over data center and network operations
7. Physical controls – physical controls for safeguarding assets involve security devices and
limited access to programs and to restricted areas, including computer facilities
a. Physical segregation and security of assets, including adequate safeguards such as secured
facilities over access to assets and records.
Examples of physical controls:
• Protective or security devices
• Bonded or independent custodians
• Physical and security of assets:
▪ Cash – placed in cash boxes, vault or safe deposit boxes
▪ Cash – deposited in a bank
▪ Inventory – placed in a warehouse
▪ PPE items – tagged with non-movable labels
b. Authorization for access to computer programs and data files (for example, requiring
password prior to access)
c. Authorized access to assets and records (such as through the use of computer access codes,
prenumbered forms, and required signatures on documents for the removal or disposition of
assets)
d. Required signatures on documents for the removal or disposition of assets
e. Periodic counting and comparison with amounts shown on control records
Examples:
• Comparing the results of cash, security and inventory counts with accounting records
• Reconciliations
f. The extent to which physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore the audit, depends on
circumstances such as when assets are highly susceptible to misappropriation.
8. Segregation of duties – involves ensuring that individuals do not perform incompatible duties.
• Duties should be segregated such that the work of one individual provides a crosscheck on
the work of another individual.
• A proper segregation of duties (or incompatible functions) requires that one person should not
be responsible for all phases of a transaction. This means that different employees should be
assigned to the following functions:
▪ Authorizing transactions
▪ Recording transactions – recordkeeping
▪ Maintaining custody of assets involved in the transactions
For example, the responsibilities of the treasury department include handling of cash and
custody of securities but do not include data processing.
• Segregation of duties is intended to reduce the opportunities to allow any person to be in a
position to both perpetrate and conceal errors or fraud in the normal course of the person’s
duties.
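The prenumbering, authorization and segregation-of-duties controls listed above can be tested mechanically over a transaction log. The following is an added example, not part of the original notes; the log layout, field names and employee names are constructed for illustration.

```python
from collections import Counter, defaultdict

# The three functions the notes say must be assigned to different employees.
INCOMPATIBLE = {"authorize", "record", "custody"}

# Constructed sample log (not from the notes). Each row is one step performed
# on a prenumbered document.
SAMPLE_LOG = [
    {"doc_no": 1001, "function": "authorize", "employee": "alice"},
    {"doc_no": 1001, "function": "record",    "employee": "bob"},
    {"doc_no": 1001, "function": "custody",   "employee": "carol"},
    {"doc_no": 1002, "function": "authorize", "employee": "dave"},
    {"doc_no": 1002, "function": "record",    "employee": "dave"},  # same person
    {"doc_no": 1002, "function": "custody",   "employee": "carol"},
    # 1003 never appears: a gap in the sequence
    {"doc_no": 1004, "function": "authorize", "employee": "alice"},
    {"doc_no": 1004, "function": "record",    "employee": "bob"},
    {"doc_no": 1004, "function": "record",    "employee": "bob"},   # recorded twice
    {"doc_no": 1004, "function": "custody",   "employee": "erin"},
    {"doc_no": 1005, "function": "record",    "employee": "bob"},   # no authorization
    {"doc_no": 1005, "function": "custody",   "employee": "carol"},
]


def sequence_exceptions(log):
    """Numerical sequence check on prenumbered documents.

    Returns (missing, duplicated):
      missing    - numbers absent from the recorded range (completeness)
      duplicated - numbers recorded more than once (existence)
    """
    recorded = Counter(r["doc_no"] for r in log if r["function"] == "record")
    if not recorded:
        return [], []
    lo, hi = min(recorded), max(recorded)
    missing = [n for n in range(lo, hi + 1) if n not in recorded]
    duplicated = sorted(n for n, count in recorded.items() if count > 1)
    return missing, duplicated


def unauthorized(log):
    """Documents that were recorded without any authorization step."""
    authorized = {r["doc_no"] for r in log if r["function"] == "authorize"}
    recorded = {r["doc_no"] for r in log if r["function"] == "record"}
    return sorted(recorded - authorized)


def sod_violations(log):
    """Employees who performed two or more incompatible functions on the
    same document, as (doc_no, employee, [functions]) tuples."""
    duties = defaultdict(set)  # (doc_no, employee) -> functions performed
    for r in log:
        if r["function"] in INCOMPATIBLE:
            duties[(r["doc_no"], r["employee"])].add(r["function"])
    return sorted(
        (doc, emp, sorted(fns))
        for (doc, emp), fns in duties.items()
        if len(fns) > 1
    )


if __name__ == "__main__":
    missing, duplicated = sequence_exceptions(SAMPLE_LOG)
    print("missing document numbers:", missing)
    print("recorded more than once: ", duplicated)
    print("recorded, not authorized:", unauthorized(SAMPLE_LOG))
    for doc, emp, fns in sod_violations(SAMPLE_LOG):
        print(f"segregation of duties: doc {doc}, {emp} performed {fns}")
```

Each exception is an item for manual follow-up, in the same way as the exception reports listed under application controls.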

5. Monitoring – the process to assess the effectiveness (or quality) of internal control performance over
time
Management’s monitoring of controls includes:
• Assessing the effectiveness of controls on a timely basis and taking necessary corrective actions
• Monitoring of controls through ongoing activities
• Using information from communications from external parties such as customer complaints and
regulator comments that may indicate problems, highlight areas in need of improvement

Considering the monitoring of controls:


The auditor shall obtain understanding of:
a. The major activities that the entity uses to monitor control over financial reporting, including
those related to those activities relevant to the audit
b. How the entity initiates corrective actions to its controls
c. Sources of the information used in the entity’s monitoring activities



d. The basis upon which management considers the information to be sufficiently reliable for the
purpose

CONSIDERING INTERNAL CONTROL

Internal control is relevant to the entire entity and each of the five components of internal control may affect
any of the three entity objectives, but not all of an entity's objectives and related controls are relevant to the
audit.

The auditor shall obtain an understanding of internal control relevant to the audit. Generally, those controls
that pertain to financial reporting objective are most relevant to the audit. Thus, the auditor shall consider and
understand financial reporting controls. The auditor need not assess all controls related to financial reporting, but
rather applies professional judgment in determining which controls to assess.

Purpose of Understanding of Internal Control:


• Primary purpose: To provide a basis for planning the audit to determine the nature, timing, and extent
of further audit procedures
Specifically, such understanding is used by the auditor in:
1. Identifying types of potential misstatements
2. Identifying factors that affect the risks of material misstatements, and
3. Designing the nature, timing, and extent of further audit procedures
• Secondary purpose: To provide a basis for constructive suggestions to management about
improvements in internal control

Steps in Considering Internal Control:


1. The auditor shall obtain an understanding of internal control relevant to the audit – involves
performing procedures to evaluate the design of relevant controls and determine whether they have been
implemented (placed in operation)
• This procedure includes understanding of the five interrelated components of internal control to
evaluate the design and determine if the control has been implemented.
a. Evaluate the design of relevant controls – involves determining whether those controls,
individually or in combination with other controls, are capable of effectively preventing or detecting
and correcting material misstatements
• The design refers to the capability of a control to prevent or detect and correct material
misstatements
Major emphasis in the design of effective control:
a. Assets are properly protected
b. Incompatible duties are segregated
c. Transactions are authorized
An improperly designed control may represent a material weakness in the entity’s internal control.

b. Determine whether the controls have been implemented – involves determining whether the
control is placed in operation; implementation of a control means that the control exists and is being
used by the entity
Risk assessment procedures to obtain audit evidence about the design and implementation of
relevant controls:
• Inquiry of entity personnel (inquiry alone is not sufficient to obtain audit evidence about the
design and implementation of relevant controls)
• Observing the application of specific controls
• Inspecting documents and records
• Performing a “walk-through” test – tracing a transaction through the information system
relevant to financial reporting, from initial recording to presentation in the financial
statements

2. Perform preliminary assessment of control risk – assessing the level of control risk (such as high,
medium or low) based on understanding of internal control (the design of controls and whether they have
been implemented)
• The ultimate purpose of assessing control risk at the assertion level for each material account
balance or class of transactions is to contribute to the auditor's evaluation of the risk that material
misstatements exist in the financial statements.
• The assessment of control risk is the process of evaluating the effectiveness of an entity’s internal
control in preventing or detecting and correcting material misstatements.
• Control risk is assessed in terms of financial statement assertions.

a. Maximum level: Control risk is assessed at high/maximum level if:


• Controls are poorly designed, or



• Properly designed controls have not been implemented, or
• It is inefficient to rely on internal control (inefficient to perform tests of controls) – for example, it
is inefficient to obtain evidence to justify the assessment of control risk at less than high level
Auditor’s response if control risk is assessed at a high/maximum level:
• Auditor will not perform tests of controls
• Auditor will primarily rely on substantive tests

b. Less than high/maximum level: Control risk is assessed at less than high/maximum level if
controls are properly designed and have been implemented; the auditor should perform tests of
operating effectiveness of relevant controls.
The PSA requires the auditor to document the basis or the evidence to justify the assessment of
control risk at less than high/maximum level.

3. Perform tests of controls if preliminary assessment of control risk is below high/maximum
level (performed when the auditor intends to rely on the internal control)
• Tests of controls are audit procedures designed to evaluate the operating effectiveness of internal
controls that are likely to detect or prevent material misstatements in support of a reduced assessed
level of control risk. In other words, tests of controls are performed to confirm that the controls
tested are working effectively in order to substantiate the reduced assessed level of control risk.
• When to perform tests of controls:
a. When the auditor intends to rely on the operating effectiveness of relevant controls in
determining the nature, timing and extent of substantive procedures; or
▪ Tests of controls are performed only on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct, a material
misstatement in an assertion.
b. When substantive procedures alone cannot provide sufficient appropriate evidence at the
assertion level
• Unlike substantive tests of details, tests of controls are not a required audit procedure.
• The greater the reliance the auditor plans to place on internal control, the more extensive the
tests of those controls that need to be performed.
• Tests of controls generally consist of one (or a combination) of the following evidence gathering
techniques:
a. Inquiry
b. Observation
c. Inspection
d. Reperformance of a control by the auditor

Results of tests of controls:


a. Results do not confirm effectiveness of controls – the auditor should revise the preliminary risk
assessment of control risk from less than high to high level
In addition, the auditor shall also make the necessary revision on the overall audit strategy, audit
plan and preliminary audit program.
In this case, the auditor’s general approach to audit would be to use the substantive approach
(an approach whose emphasis is on substantive procedures).
b. Results confirm effectiveness of controls – the auditor relies on the entity’s internal control and
decreases substantive testing
In this case, the auditor’s general approach to audit would be the reliance or combined
approach (an approach that uses both tests of controls and substantive procedures).

Required Documentation:
1. Document the understanding of accounting and internal control systems
• Form of documentation may vary
• One form or a combination of forms of documentation may be used at the same time
• Forms of documentation:
1. Internal control questionnaire – consists of a list of questions on internal control to be answered
by a "Yes" or "No" response. A negative response is designed to draw attention to a possible
weakness in internal control. Written explanations are required for "No" answers.
2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system or the
sequential flow of authority, processes, transactions and documents. The use of standard symbols
makes flowcharts easy to understand.
a. Systems flowcharts – used to evaluate internal control because it shows the origin of each
document in the system, its subsequent processing, and its final disposition
b. IT flowcharts – used in evaluating the internal control in an automated/computerized
accounting environment. The auditor can use these flowcharts to evaluate both the flow of
the program and the internal controls related to the IT function in general.
3. Internal control checklists – a detailed listing of ideal control measures (the auditor tickmarks
the controls adopted by the client)
4. Narrative memoranda – a written version of a flowchart. It is a description of the auditor's
understanding of the system of internal control. Note that flowcharts are more appropriate for
documenting complex control structures, while written narratives are more appropriate for less
complex structures.
5. Decision trees or tables –
a. Decision trees – are graphic illustrations that depict the logic of an operation or process.
They generally employ questions with "Yes" or "No" answers, which direct the user to the
next relevant questions.
b. Decision tables – are graphic illustrations that depict the logical relationships of a system in
table form. Both approaches document the auditor's understanding of a process.

2. Document the assessed level of control risk


• If the control risk is assessed at a high level, the auditor should document his conclusion that control risk
is at a high level.
• If the control risk is assessed at less than high level, the auditor should document:
a. His conclusion that control risk is at less than high level, and
b. The basis for that assessment – results of tests of controls confirming the assessment of control risk at
below high/maximum level

Effect of Information Technology on Internal Control:


Effect on Internal Control
An entity's use of information technology may affect any of the five components of internal control:
a. Management's failure to appropriately address IT risks may negatively impact the control
environment.
b. The use of IT may enhance an entity's risk assessment by providing more timely information.
c. Many information and communication systems make extensive use of IT, and the way in which IT is
used often affects an entity's internal control.
d. Much of the information used in monitoring is provided by IT, and therefore, the accuracy of the IT
system is crucial.
e. The use of IT may affect the way in which existing control activities are implemented. Also, the
effectiveness of user controls may depend upon the accuracy of information provided to the user by

a. Manual controls may be more appropriate than automated controls in situations where judgment
and discretion are required, such as circumstances in which misstatements are difficult to define,
anticipate, or predict.
b. Manual controls, however, may pose additional risks because they can be more easily ignored or
overridden, they are subject to human error, and they are less consistent than automated controls.

Testing Automated Controls


a. In testing automated controls, the auditor needs to identify and test not just specific application
controls but relevant general controls on which the application controls depend. (Application
controls and general controls are covered further below.)
b. In a manual system, manual controls such as approvals, reviews, and reconciliations are used. In an automated
system using information technology, both manual and automated controls may be used; however, even
manual controls may be dependent to some extent on the effective functioning of IT.
IT Benefits
IT is used by an entity to improve the efficiency and effectiveness of its internal control. The auditor
should consider the effect of such benefits as part of assessing internal control. Benefits may include:
a. The ability to process large volumes of transactions and data accurately and consistently.
b. Improved timeliness and availability of information.
c. Facilitation of data analysis and performance monitoring.
d. Reduction in the risk that controls will be circumvented.
e. Enhanced segregation of duties through effective implementation of security controls.
IT Risks
The use of IT may also create additional internal control risks. The auditor must evaluate the entity's use
of IT to determine whether and to what extent the following risks exist:
a. Potential reliance on inaccurate systems.
b. Unauthorized access to data, which may result in loss of data and/or data inaccuracies.
c. Unauthorized changes to data, systems, or programs.
d. Failure to make required changes or updates to systems or programs.
