Phase I – C2: Consideration of Internal Control in a Financial Statement Audit

Nature and Purpose of Internal Control

- One of the most widely accepted concepts in the theory and practice of auditing is the
importance of the client system of internal control to generate reliable financial information.
- If the auditor is convinced that the client has an excellent system of internal control, one that
includes adequate internal controls for providing reliable data and for safeguarding assets and
records, the amount of audit evidence to be accumulated can be significantly less than when
controls are not adequate.
- In some instances, internal control may be so inadequate as to preclude conducting an effective
audit.
- PSA 315 (Clarified) paragraph 4 (c) defines internal control as the process designed and effected
by those charged with governance, management, other personnel to provide reasonable
assurance about the achievement of the entity objective with regard to reliability of financial
reporting, effectiveness and efficiency of operations and compliance with applicable laws and
regulations.
- It follows that internal control is designed and implemented to address identified business risks
that threaten the achievement of any of these objectives.
- Those objectives fall into three categories:
 Reliability of the entity financial reporting
 Effectiveness and efficiency of operations
 Compliance with applicable laws and regulations
- Whether an entity achieves its objectives relating to financial reporting and compliance is
determined by activities within the entity control.
- However, achieving its objective relating to operations will depend not only on management
decisions but also on competitor actions and other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

- Means all the policies and procedures (internal control) adopted by the management of an
entity to assist in achieving managements objective of ensuring, as far as practicable, the orderly
and efficient conduct of its business, including adherence to management policies, the
safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records and the timely preparation of reliable financial
information.

COMPONENTS AND PRICIPLES OF INTERNAL CONTROL

- Internal Control structures vary significant from one company to the next factors such as size of
the business, nature of operations, the geographical dispersion of its activities, and objectives of
the organization affect the specific control features of an organization.
- However certain elements or features must be present to have a satisfactory system of control
in almost any large scale organization.
The internal control system extends beyond these matters which relate directly to the functions of the
accounting system and consists of the following components:

a. Control environment
b. Entity risk assessment process
c. Information system, including the related business processes, relevant to financial reporting and
communication.
d. Control activities
e. Monitoring of controls

In 2013, COSO issued the guidance that identifies the five components that support an organization in
achieving its objectives.

Figure 11-2 shows the five components and the principles representative of the fundamental concepts
associated with the components.

Figure 11-2 Five Concepts and the Principles Representative of the Fundamental Concepts Associated
with the Component

Components Descriptions Applicable Principles

1. Control Environment
The collective effect on an
entity board management and
owners on establishing
enhancing or mitigating the
effectiveness of specific control
policies or procedures. The
control environment sets the
tone and provides discipline and
structure.
The organization:
1. Demonstrates a
commitment to
integrity and ethical
values.
2. Demonstrates
independence of the
board of directors from
management and
exercises oversight for
the development and
performance of internal
control.
3. Establishes with board
oversight, structures,
reporting lines, and
appropriate authorities
and responsibilities in
the pursuit of
objectives.
4. Demonstrates a
commitment to attract,
develop, and retain
competent individuals
in alignment with
objectives.
5. Holds individuals
accountable for their

2. Risk Assessment Management efforts to identify,
analyze and manage risks
pertaining to the preparation of
fs.
3. Control Activities Policies and procedures to
ensure that necessary actions
are taken to address risk to the
achievement of preparing
reliable fs. Control activities
pertain to performance physical
controls, and segregation of
duties.
4. Information and The entity information system
Communication and procedures for
internal control
responsibilities in the
pursuit of objectives.
6. Specifies objective with
sufficient clarify to
enable the
identification and
assessment of risks
relating to objectives.
7. Identifies risks to the
achievement of its
objectives across the
entity and analyzes risks
as a basis for
determining how the
risks should be
managed.
8. Considers the potential
of fraud in assessing risk
to the achievement og
objectives.
9. Identifies and assess
changes that could
significantly impact the
system of internal
control.
10. Select the develops
control activities that
contribute to the
mitigation of risks to the
achievement of
objectives to acceptable
levels.
11. Selects and develop
general control
activities over
technology to support
the achievement of
objectives.
12. Deploys control
activities through
policies that establish
what is expected and in
procedures that put
policies into action
13. Obtain or generates and
uses relevant, quality
 communicating matters related information to support
to the processing of accounting he functioning of other
data. This component generates components of internal
the fs. control.
14. Internally
communicates
information, including
objectives and
responsibilities for
internal control,
necessary to support
the functioning of other
components of internal
control.
15. Communicates with
external parties
regarding matters
affecting the
functioning of other
components of internal
control.
5. Monitoring The process an entity uses to 16. Sales, develops and
assess the quality of internal performs ongoing and
control over time. or separate evaluations
to ascertain whether
the components of
internal control are
present and
functioning.
17. Evaluates and
communications
internal control
deficiencies in a timely
manner to those parties
responsibilities for
taking correction action,
including senior
management and the
board of directors, as
appropriate.

A. Control Environment
- Means the overall attitude, awareness and actions of directions and management regarding the
internal control system and its importance in the entity.
- The control environment has an effect on the effectiveness of the specific control procedures.
 - A strong control environment, example on with tight budgetary controls and an effective
internal audit function, can significantly complement specific control procedures.
- However, a strong environment does not by itself, ensure the effectiveness of the internal
control system
- Factors reflected the control environment include:
 The function of the board of directors and its committees.
 Management philosophy and operating style
 The entity organization structure and methods of assigning authority and responsibility.

The environment in which internal control operates has an impact on the effectiveness of the specific
control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values

2. Commitment to Competence
3. Participation by those Charged with Governance
4. Managements Philosophy and Operating Style
5. Organizational Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Procedures
B. Entity’s Risk Assessment Process
- The identification, analysis, and management of risks pertaining to the preparation of fs.
- Example, risk assessment may focus on how the entity considers the possibility of transactions
not being recorded or identifies and assesses significant estimates recorded in the fs.
- Risk relevant to financial reporting include external and internal events and circumstances that
may occur and adversely affect an entity ability to initiate, record, process and report financial
data consistent with the assertions of management in the fs.
- Once risks are identified, management considers their significance, the likelihood od their
occurrence, and how they should be managed.
- Risks can arise or change due to circumstances such as the following:
 Changes in regulatory or operating environment
 New personnel
 New or revamped information systems; New Technology
 Rapid Growth
 New business models, products or activities
 Corporate restructurings; expanded foreign operations
 Expanded foreign operations
 New accounting pronouncement
- Basic concepts of the entity risk assessment process are relevant to every entity, regardless of
size, but the risk assessment process is likely to be less formal and less structured in small
entities than in larger ones.
- All entities should have established financial reporting objectives, but they may be recognized
implicitly rather than explicitly in small entities.
- Management may be aware of risks related to theses objectives without the use of a formal
process but through direct personal involvement with employees and outside parties.
 C. Information System including the Business Processes Relevant to Financial Reporting and
Communication
- An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data. Infrastructure and software will be absent, or have less
significance, in systems that are exclusively or primarily manual.
- Many information system make extensive use of IT.

An information system encompasses methods and records that:

 Identify and record all valid transactions

 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transaction for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary
value in the fs.
 Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.
 Present properly the transaction and related disclosures in the fs.
D. Control Activities
- Control activities are the policies and procedures that help ensure that management directives
are carried out, example that necessary actions are taken to address risks that threaten the
achievement of the entity objectives.
- Controls activities, whether within IT or manual system have various objectives and are applied
at various organizational and functional levels.
- The major categories of control procedures are:
A. Performance Review
B. Information Processing Controls
(1) Segregation of duties
(2) Adequate documents and records
(3) Safeguards over access to assets
(4) Independent check on performance
C. Physical control (e.g., secured facilities over access to assets and records, authorization for
access tom computer programs and data files)
E. Monitoring of Controls
- The final component of internal control is the process that an entity uses to assess the quality of
internal control over time.
- Monitoring involves assessing the design and operation of controls on a timely basis and taking
corrective action as necessary.
- Management monitors controls to consider whether they are operating as intended and to
modify them as appropriate for changes in condition.
- Some monitoring activities may include communications from external parties.
- Example, customers implicitly corroborate sales data by paying their bills or raising questions.
 - Also, bank regulators other regulators and outside auditors may communicate about the design
or effectiveness of internal control.

OBJECTIVE OF THE STUDY OF INTERNAL CONTROL

- Auditor should obtain an understanding of the accounting and internal control systems
sufficient to plan the, audit and develop and effective audit approach.
- The auditor should use professional judgement to assess audit risk and to design audit
procedures to ensure it is reducing to an acceptably low level.
- The auditor understanding of their clients internal control provides therefore a basis both to (1)
plan the audit, and assess control risk.

Figure 11-2 presents a summary of how an auditor considers internal control in planning an audit.

In assessing control risk, and auditor must consider the design of controls, whether they have been
placed in operation and if they are in use their effectiveness.

a. To assess control risk below maximum, an auditor should identify, relevant to each assertion, the
specific controls that are likely to prevent or detect material misstatement in those assertions.
b. To evaluate the effectiveness of controls that have been places in operation, the auditor
performs tests to determine that they are being applied. This is not required in obtaining an
understanding of internal control to plan an audit.

Document of Understanding

- The auditor should document the understanding of the entity internal control structure
elements obtained to plan the audit.
- The form and extent of this documentation is influenced by the size and complexity of the
entity, as well as the nature of the entity internal control structure.
- Example, documentation of the understanding of the internal control structure of a large
complex entity may include flowcharts, questionnaires, or decision tables.
- Small entity however, documentation in the form of a memorandum may be sufficient.
- Generally the more complex the internal control structure and the more extensive the
procedures performed, the more extensive the auditors documentation should be.

1. Internal Accounting Control Questionnaire

- Internal Accounting control questionnaire contains a series of question designed to detect
control weaknesses.
- Most questionnaires are designed to yield “yes”, “no” or “not applicable” answers to question.
- A “yes” answer generally indicates a satisfactory degree of internal accounting control while a
“no” answer indicates a possible weakness in control or at least indicates that further
investigation is required.
- When negative answer does indicate a weakness in a control, they should be completed on a
separate weakness investigation work sheet.
- There should be a description of the possible effects of the weakness and indications whether
such effects could lead to material errors.
 - If the weakness is material, then it should be reported to a senior management, the board of
directors and the audit committee.
- “Material weakness is one in which the procedures or degree of compliance with the
procedures fail to provide reasonable assurance that material error or irregularities would
be prevented or promptly detected during the accounting process”.

In completing the internal control questionnaire, the auditor should consider the following critical
aspects:

1) Is the system of internal control sound?

2) If it is not reliable, what errors might occur?
3) What alternative audit procedures should be adopted if the system is unreliable?

Figure 11-3 illustrates the format of an Internal Control Questionnaire

Advantages

1. They provide audit assurance that attention is given to presence or absence of all controls listed
and that certain features of the system are not overlooked.
2. They provide a means of obtaining uniform documentation of internal control system reviewed.
3. They provide inexperienced audit staff members with the guidance in performing internal
control reviews.
4. They facilitate the early detection of potential weaknesses in the system.

Disadvantages

1. Auditor may view the questionnaire device for accomplishing an automatic evaluation of
internal control.
2. Controls listed on questionnaires may not suit the particular circumstances of a specific audit.
3. The auditor may overlook pertinent control not included in the questionnaires.

2. Flowcharts
- Symbolic diagram of a specific part of an internal accounting control system indicating the
sequential flow of data and or authority.
- An internal control flowchart uses standardized symbols, interconnecting lines, and annotations
to represent information, documents and document flow.
- It provides a pictorial overview of a client internal control activities.
- It illustrated the interaction of individual, records and controls related to a particular
department or class of transactions.
- Internal control flowcharts generally reflect the segregation of duties by using a column across
the top to reflect different departments and the how documents from the left to right.
- A properly prepared flowchart should reflect all operations movement, delays and filing
procedures associated with whatever is being charted and should also indicate the conversion of
source document into accounting information, example, ledger, journal or computer generated
documents.
Flowcharts have several advantages over other methods of documentation:

1. Easily understood. Since flowcharts provide a visual description supplemented by a written

narrative, they are more easily understood.
2. Better overall picture or complex system. A complex system maybe reduced to a one or two page
flowchart which might otherwise require a 15 page internal control questionnaire or a 10 page
narrative memo.
3. Parallels EDP documentation. EDP systems are commonly documented with flowcharts which
make it easier for EDP purchase personnel to relate to the auditors.
4. It is easy to update.

Disadvantage in using flowcharts include:

1. Higher level of knowledge and training are require to prepare a good flowchart of a complex
system.
2. Flowcharts take more time to prepare and require more knowledge.
3. It is more difficult to spot internal control weaknesses.
- General rule, flowcharts are prepared to be read from the upper left-hand comer of a page to
the bottom right hand comer.
- The flow of information across and downward should be self-explanatory and should indicate
the source and final disposition pf each item.
- Subroutine or secondary information should be recorded on supplementary or supporting
flowcharts to avoid cluttered presentation.

The following questions should be answered before a flowchart is prepared:

1) Who performs the various functions in the routine?

2) Why are these functions performed?
3) What work is performed, and is the work considered input or output?
4) When are the functions performed and in what sequence?
5) How are the functions performed and in what sequence?
- Conference with senior management, supervisors and employees using the above checklist
should be conducted by the independent auditor before flowcharting a routine.
- In addition copies of all forms, documents, and reports used in the routine to be flowcharted
should be obtained.

A primary purpose of the internal control flowchart is to communicate effectively. The following
techniques should assist in meeting this goal:

 Standardized Symbols. Auditors use a uniform set of symbols developed by the American
National Standards Institution (ANSI).
 Flowlines. The flow of documents should be from top to bottom and left to right. Arrowheads
may be used on all lines and should be used when the flow is not standard or is bi-directional.
 Documents. When a document is created its source should be indicated. Multiple document
symbols are required when multiple copies of the document are prepared. This disposition of
every copy of each document should be shown.
  Processing. Processing symbols are used to identify any procedures applied to documents such
as their being filed.
 Annotations. Comments and explanations should be used to make the flowchart easier to
understand or more complete.

Flowchart is an art, and therefore, different individuals may prepare different flowcharts for any given
situation. The critical factor is that flowchart should clearly represent a system. The following guidelines
may be useful in preparing a flowchart:

1. Determine the class of transactions or transaction cycle to be flowcharted.

2. Obtain in understanding of internal control by making inquiries of client personnel, observing
employee activities, and examining documents, records and policies and procedures manuals.
3. Organize the flowchart into columns, using a different column for each department, function or
individual. Draw a sketch of the flowchart.
4. Draw the flowchart and insert comments and annotations.
5. Test the flowchart for completeness by following a few transactions through the chart.

Figure 11-4 shows the widely used Flowcharting Symbols.

3. Narrative Description
- Narrative is a written description of a particular or phases or a control system.
- Although useful for describing simple systems, narrative may be adequate when a system is
complicated or frequently revised.
- If the system are extensive and or complex, separate narratives may be prepared for smaller
groups of controls which relate to specific classes of transactions or accounts.
- Some auditors prepare narrative descriptions to accompany internal control questionnaire or
flowcharts in order to provide information not otherwise included.

Figure 11-5 Is an example of a written narrative, describing a segment of a sales accounting system.

Advantages

1. Narrative is flexible and maybe tailor made for engagements

2. Requires a detailed analysis and thus forces auditor to understand functioning of the system.

Disadvatages

1. Auditor may not have the ability to describe the system correctly and concisely.
2. This may require more time and careful study.
3. Auditor may overlook important portions of internal control system.
4. A poorly written internal accounting control narrative can lead to a misunderstanding of the
system thus resulting in the improper design and application of compliance tests.
4.. Internal Control Checklist

- This contains a detailed enumeration of the methods and practices which characterize good
internal control or of item to be considered in reviewing internal control.
- The checklist basically provides only a guide to review the internal control of the auditee and
does not represent a record of the auditor findings.
- In most cases therefore, this tool is used together with the narrative approach.
5. Decision Tables
- the system is depicted as decision points
- Advantages and disadvantages are similar to those of the flowchart approach.

Figure 11-3: scan

Figure 11-4: scan

Figure 11-5: scan

HHOW ADEQUACY OR INADEQUACY OF INTERNAL CONTROL AFFECTS AUDIT PROCEDURES

- The primary reason for studying and evaluating internal control is to provide a basis for relying
upon the system and for determining the extent of year end substantive tests to be performed.
- There is an inverse relationship between the effectiveness of internal control and the extent of
detailed audit procedures; more effective systems require less detailed testing.
- Strengths and weaknesses identified during the evaluation of internal accounting control and
tests of compliance will affect the nature, timing and extent of audit procedures.
- It should be remembered that the purpose of an audit engagement is to determine whether the
fs are fairly presented in accordance with financial reporting standards.
- The audit is not specifically designed to search for errors or irregularities, although during the
study and evaluation of internal accounting control system and the performance of substantive
tests, errors or irregularities may be discovered.
- The auditor must consider the audit implication when errors or irregularities are likely to exist.
- Initially, discussion with management personnel may be made.
- If its appears that material errors and irregularities could occur, this fact must be communicated
to the board of directors.
- Furthermore, if additional evidence indicates that theme are irregularities which may materially
affect the fs, it may be appropriate for the auditor to:
1) Qualify his opinion or disclaim an opinion based on an uncertainty conditions.
2) Considers withdrawing from the engagement and notifying the board of directors in writing
the reason for the withdrawals.

Figure 11-7 scan

Summary of Internal Control Documentation Requirements: scan

 COMMUNICATION OF PERFORMANCE, IMPROVEMENT AND OBSERVATIONS IN INTERNAL CONTROL
TO MANAGEMENT

- As result of obtaining and understanding of the accounting and internal control systems and test
of control, the auditor may become aware of weaknesses in the system.
- The auditor should make management aware, as soon as practical and at an appropriate level of
responsibility, of material weaknesses in the design or operation of the accounting and internal
control system, which have come to the auditor’s attention.
- The communication to management of material weaknesses would ordinarily be in writing.
- However, if the auditor judges that oral communication is appropriate, such communication
would be documented in the audit working papers.
- It is important to indicate in the communication that only weaknesses which have come to the
auditors attention as a result of the audit have been reported and that the examination has not
been designed to determine the adequacy of internal control for management purposes.
- The auditor purpose of evaluating the prescribed control procedures is to plan substantial tests
that will be effective in detecting the types of errors or irregularities that are possible in the
circumstances.
- However, this information may also be used by auditors as a basis for making constructive
suggestions to clients concerning improvements in internal control.
- Management letter may be made that will contain constructive suggestions or improvements in
internal control or other suggestion for increased efficiency in operations.
- This letter is considered a by product rather than the aim of the audit and is often completed
sometime after the completion of field work.
- The auditor identifies material weaknesses; he has a professional responsibility to communicate
them to both senior management and the board of directors.
- Auditor should issue a written report at the earliest possible that it is documented in the work
papers.
- Auditing standards identify conditions that an auditor may find during an audit that must be
reported to the audit committee or its equivalent.

Reportable Conditions

- Specifically, these are matters coming to the auditors attention that, in his judgement should be
communicated to the audit committee because they represents significant deficiencies in the
design or operation of the internal control structure, which could adversely affect the
organization ability to record, process, summarize and report financial data consistent with the
assertion of management in the fs.

Example of reportable conditions are as follows:

Deficiencies in Internal Control Structure Design

 Inadequate overall internal control structure design

 Absence of appropriate segregation of duties consistent with appropriate control objectives.
  Absence of appropriate reviews and approvals of transaction accounting entries or system
output.
 Inadequate procedures for appropriately assessing and applying accounting principles.

Failures in the Operation of the Internal Control Structure

 Evidence of failure of identified controls in preventing or detecting misstatements of accounting

information.
 Evidence that a system fails to provide complete and accurate output consistent with the entity
control objectives because of the misapplication of control procedures.
 Evidence of failure to safeguard assets from loss, damage or misappropriate.

Others

 Absence of a sufficient level of control consciousness within the organization.

 Failure to follow up and correct previously identified internal control structure deficiencies.

Reporting Form and Content

- Conditions noted by the auditor that are considered reportable under this section or that are
the result of agreement with the client should be reported, preferably in writing if information is
communicated orally, the auditor should document the communication by appropriate
memoranda or notations in the working papers.
- The report should state that the communication is intended solely for the information and the
use of the audit committee, management and others within the organization.
- When there are requirements established by governmental authorities to furnish such reports,
specific reference to such regulatory authorities may be made.

Any report issued on reportable conditions should:

 Indicate that the purpose of the audit was to report on the fs and not to provide assurance on
the internal control structure.
 Include the definition or reportable conditions
 Include the restriction on distribution as discussed in the previous paragraph.

If the reportable condition is of such magnitude as to be a material weakness, the report can identify it
separately as a material weakness.

Figure 11-8 scan

- If no reportable conditions are found, an auditor may not issue a letter stating that.
- Such a letter may mislead users by implying a greater level of assurance about the lack of any
significant deficiencies than the auditor could really provide.
- An auditor may issue a letter indicating that no material weaknesses were found during the
course of an audit.
- Many auditors write management letter to clients.
- Not required by auditing standards, such letter contain suggestions for improving operations
and internal control.
- Internal control matters covered may include reportable conditions that have been
communicated to the audit committee as well as matters not significant enough to be included
in the letter on reportable conditions.