Professional Documents
Culture Documents
Considerations of Entity's Internal Control Red Sirug Lecture Note
Considerations of Entity's Internal Control Red Sirug Lecture Note
INTERNA L CONTROL – the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance abou t the achieve ment of an
entity’s objectives
1. According to objectives:
a. Financial reporting controls – controls to achieve reliability of financial reporting objective
b. Operational effectiveness controls – controls to achieve operational effectiveness objective
c. Compliance controls – controls to achieve compliance objective
Obtaining understanding of internal control means obtaining understanding of the five interrelated and
essential components or aspects of internal control as follows:
1. Control environment – it includes the governance and management functions and the attitudes,
awareness, and actions of those charged with governance and management concerning the entity’s
internal control and its importance in the entity
It sets the tone of an organization, influencing the control consciousness of its people.
It is a set of characteristics that defined good control working relationships in an entity.
It is the foundation for effective internal control for it provides an appropriate foundation for other
components of internal control.
2. Entity’s risk assessment process – entity’s own process of identification, analysis, and management
of risks relevant to the preparation and fair presentation of financial statements
3. Information system (including the related business processes, relevant financial reporting
and communication) – information and communication systems support the identification, capture,
and exchange of information in a timely and useful manner
The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the methods and records established to record, process, summarize, and report
entity transactions (as well as events and conditions) and to maintain accountability for the related
assets, liabilities, and equity.
Communication involves providing an understanding of individual roles and responsibilities pertaining
to internal control over financial reporting. Communication may take such forms as policy manuals
and financial reporting manuals. Open communication channels help ensure that exceptions are
reported and acted on.
4. Control activities – the policies and procedures that help ensure management’s directives are carried
out and that necessary steps to address risks are taken. Control activities address risks that if not
mitigated would threaten the achievement of the entity’s objectives.
An audit does not require an understanding of all the control activities. In understanding the entity’s
control activities, the auditor shall obtain understanding of how the entity has responded to risks arising
from IT.
5. Monitoring – the process to assess the effectiveness (or quality) of internal control performance over
time
Management’s monitoring of controls includes:
Assessing the effectiveness of controls on a timely basis and ta king necessary corrective actions
Monitoring of controls through ongoing activities
Using information from communications from external parties such as customer complaints and
regulator comments that may indicate problems, highlight areas in need of improvement
Internal control is relevant to the entire entity and each of the five components of internal control may affect
any of the three entity objectives, but not all of an entity's objectives and related controls are relevant to the
audit.
The auditor shall obtain an understanding of internal control relevant to the audit. Generally, those controls
that pertain to financial reporting objective are most relevant to the audit. Thus, the auditor shall consider and
understand financial reporting controls. The auditor need not assess all controls related to financial reporting, but
rather applies professional judgment in determining which controls to assess.
b. Determine whether the controls have been implemented – involves determining whether the
control is placed in operation; implementation of a control means that the control exists and is being
used by the entity
Risk assessment procedures to obtain audit evidence about the design and implementation of
relevant controls:
Inquiry of entity personnel (inquiry alone is not sufficient obtain audit evidence about the
design and implementation of relevant controls)
Observing the application of specific controls
Inspecting documents and records
Performing a “walk-through” test – tracing a transaction through the information system
relevant to financial reporting, from initial recording to presentation in the financial
statements
2. Perform preliminary assessment of control risk – assessing the level of control risk (such as high,
medium or low) based on understanding of internal control (the design of controls and whether they have
been implemented)
The ultimate purpose of assessing control risk at the assertion level for each material account
balance or class of transactions is to contribute to the auditor's evaluation of the risk that material
misstatements exist in the financial statements.
The assessment of control risk is the process of evaluating the effectiveness of an entity’s internal
control in preventing or detecting and correcting material misstatements.
Control risk is assess in terms of financial statement assertions.
b. Less than high/maximum level: Control risk is assessed at less than high/maximum level if
controls are properly designed and have been implemented; the auditor should perform tests of
operating effectiveness of relevant controls.
The PSA requires the auditor to document the basis or the evidence to justify the assessment of
control risk at less than high/maximum level.
Required Documentation:
1. Document the understanding of accounting and internal co ntrol systems
Form of documentation may vary
One form or a combination of forms of documentation may be used at the same time
Forms of documentation:
1. Internal control questionnaire – consists of a list of questions on internal control be answered
by "Yes" or "No" response. A negative response is designed to draw attention to a possible
weakness in internal control. Written explanations are required for "No" answers.
2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system or the
sequential flow of authority, processes, transactions and documents. The use of standard symbols
makes flowcharts easy to understand.
a. Systems flowcharts – used to evaluate internal control because it shows the origin of each
document in the system, its subsequent processing, and its final disposition
b. IT flowcharts – used in evaluating the internal control in an automated/computerized
accounting environment. The auditor can use these flowcharts to evaluate both the flow of
the program and the internal controls related to the IT function in general.
3. Internal control checklists – a detailed listing of ideal control measures (the auditor tickmarks
a. Manual controls may be more appropriate than automated controls in sit uations where judgment
and discretion is required, such as circumstances in which misstatements are difficult to define,
anticipate, or predict.
b. Manual controls, however, may pose additional risks because they can be more easily ignored or
overridden, they are subject to human error, and they are less consistent than automated controls.