EVALUATING THE

DESIGN AND
EFFECTIVENESS OF
INTERNAL CONTROL

BERLYN JOY A. SALADO

BSA 2-5
 INTERNAL AUDITING
• Internal auditing is an independent,
objective assurance and consulting
activity designed to add value and
improve an organization’s
operations.
• It helps an organization accomplish
its objectives by bringing a
systematic, disciplined approach to
evaluate and improve the
effectiveness of risk management,
control, and governance processes.

2
 Internal auditing follows a structured, logical, and
organized series of steps and procedures. The audit
process is primarily an evidence-gathering process.

PLANNING GATHERING AND REPORTING FOLLOW UP

EVALUATING AUDIT
EVIDENCE

3
PLANNING
• Most important part of the audit
• Entails familiarization with the
objectives, processes, risks and
controls of the auditee and
activity to be audited, and
developing a strategy and
approach in conducting the
audit
• Involves the listing down of
audit activities per audit
engagement

4
Conducting the
Internal Audit Chief audit executive must
establish a risk-based
plan, consistent with the
organization’s goal.

Audit plan must be

logically related to risks
of the organization.

5
 Internal auditor must assess
the risks faced and not
detected by the organization.
PREPARING This is called audit risks.
THE RISK-
BASED PLAN Audit risks = Inherent risk x
Control risk x Detection Risk
(AICPA Audit Risk Model )

6
PLANNING
• Internal auditor conduct
preliminary survey to accumulate
relevant information about the
operation to be audited:
objectives, people, processes and
systems.

He can either:
Review previous audits and other
helpful information
Conduct interviews and
walkthroughs

7
ASSESSING
CONTROL RISK
• Auditor must consider
design of controls, if
placed and used, assess
their effectiveness.
• Design refers to the
controls that have been
established, and
effectiveness refers to
how controls function.

8
 Risk Control
Matrix
• Tool to help ensure
that internal auditors
adequately account for
risk at the engagement
level and ensure that
all significant risks
identified are
addressed in
subsequent fieldwork.

9
GATHERING
AND
EVALUATING
AUDIT
EVIDENCE

10
AUDIT EVIDENCE
• necessary to support
auditor’s conclusion as to
effectiveness of internal
control.

11
 SUFFICIENT VS RELIABLE INFORMATION
SUFFICIENT INFORMATION
• is factual, adequate and
convincing.
• Sufficiency is the measure of
the quantity of audit evidence.
• The higher the assessed risks,
the more audit evidence is
likely to be required.
• is the best attainable information
• Reliability and relevance measure the
quality (appropriateness) of audit
evidence in providing support for the
conclusions on which the auditor’s
opinion is based.
• The higher the quality, the less
evidence may be required.
RELIABLE INFORMATION
12
 RELIABLE INFORMATION

• Reliability is influenced by its source and its nature and the

circumstances in which it is obtained, examples:
 Increased when obtained from independent sources outside the entity.
 Increased when related controls imposed by the entity are effective.
 Evidence obtained directly is more reliable that evidence obtained indirectly
or by inference.
 Evidence in documentary form is more reliable than evidence obtained
orally.
 Evidence provided by original documents is more reliable that provided by
photocopies or facsimiles, filmed, digitized or transformed into electronic
form.

13
 AUDIT EVIDENCE IS OBTAINED BY
PERFORMING AUDIT PROCEDURES:

Analytical External
Inspection Inquiry
procedures confirmation

Observation Reperformance Recalculation

9
 • Evaluations of financial information
ANALYTICAL made by a study of plausible
PROCEDURES relationships among both financial and
nonfinancial data.

15
 CONFIRMATION
• Direct written response to the
auditor from a third party.

Two types:
 Positive confirmation – asks the
respondent to reply in all cases either
by indicating agreement or asking the
respondent to fill in information
 Negative confirmation – asks the
respondent to reply only in the event
of disagreement with the information
provided in the request.

16
 INSPECTION

• Examining records or
documents, internal or
external, in paper or
electronic form, or other
media or physical
examination of asset.

17
 INQUIRY
• Seeking of information
of knowledgeable
persons, both financial
and nonfinancial, within
or outside the entity.
• Used extensively
throughout the audit in
addition to other audit
procedures.

18
 OBSERVATION

• Looking at a process or
procedure being
performed by others.
• Provides evidence
about performance of
a process but is limited
to the point in time at
which observation
takes place.

19
 REPERFORMANCE

• Auditor’s independent
execution of
procedures or controls
that were originally
performed as part of
the entity’s internal
control.

20
 RECALCULATION

• Checking the
mathematical accuracy
of documents or
records.
• May be performed
manually or
electronically.

21
AUDIT SAMPLING
• Audit sampling is the
application of an audit
procedure to less than 100
percent of the items within an
account balance or class of
transactions for the purpose of
evaluating some characteristic
of the balance or class

22
 TWO GENERAL
APPROACHES TO
AUDIT SAMPLING
• Statistical – produce a scientifically
random sample with test result that
can be quantified in terms of a
confidence level and precision.
• CHARACTERISTICS:
 Random selection of the
sample items
 The use of probability theory
• Nonstatistical – the decision to select
specific items from a population.

23
 SAMPLE SIZE
• Sample size is determined based on the following factors:
Confidence level
Tolerable deviation rate (TDR)
Expected population deviation rate (EPDR)

• Important notes:

 If TDR increases, sample size decreases.

 If EPDR increases, sample size increases.
 If confidence level increases, sample size increases.
24
METHODS IN SAMPLE SELECTION
• Random Sampling
• Systematic selection or
interval sampling
• Stratified random sampling
• Cluster sampling
• Haphazard Sampling
• Stop-and-Go Sampling
• Discovery Sampling

25
 Random Sampling

• Each item in the population

has an equal chance and
nonzero probability of
selection.

26
 SYSTEMATIC SELECTION/
INTERVAL SAMPLING

• Choosing items that are a

certain interval apart on a
list.
• For example, auditor might
select every 30th item
starting at a random
selected point.

27
 STRATIFIED RANDOM
SAMPLING
• If the population is
heterogenous, an
auditor may subdivide it
into more coherent
units, subpopulations or
strata before selecting
random samples from
each unit.

28
CLUSTER SAMPLING
• Clusters already exits,
auditor does not
select the
characteristics for
grouping them.
• The auditor selects
cluster to test and
then decide to sample
items in a cluster or
test them all.

29
 HAPHAZARD SAMPLING

• This lacks credibility.

Selecting sample without
following a structure
technique.
• Sample contains only those
interests enough to respond
and is likely biased towards
some shared characteristics
of the respondents.

30
STOP-AND-GO SAMPLING
• When the auditor expects relatively error-free
population, he may begin testing with a small sample.
• If the sample demonstrates the anticipated low error
rate, the auditor may choose to stop sampling,
otherwise, he will go ahead with further sampling to
full scale statistical sampling.

31
DISCOVERY SAMPLING

• This does not intend to characterize a population on

the basis of a sample. Its objective is to uncover at
least one instance of suspected serious problem such
as fraud.

32
EVALUATION
• Involves comparing the upper
deviation rate and tolerable rate of
deviation and evaluate the
effectiveness of a control accordingly.
• The upper deviation rate is the sum of
the sample deviation rate and the
allowance for sampling risk.
• If the upper deviation rate is equal or
less than the tolerable deviation rate
= control is effective. Otherwise, not
effective.

33
 REPORTING

• Internal auditor is required to communicate

the results of the engagement.
• The final communication of results must
include applicable conclusions, as well as
recommendations/action plans.
• Usually, the auditor presents the fact,
findings, conclusions, opinions and
recommendations.

34
THANK YOU!
berlynsalado@gmail.com