Internal Control Evaluation Manual: Internal Control:-Safeguards That Are Put in Place by Management To Address Risks
Internal Control: safeguards that are put in place by management to address risks
and to provide reasonable assurance that its operations are proceeding as planned.
Risk Assessment
➔ Process of identifying and analysing relevant risks
➔ Plays key role in selection of appropriate control activities
➔ Setting objectives is a pre-condition to risk assessment
Control Activities
➔ Preventive and detective in nature
➔ Policies and procedures to address risk and to achieve objectives
➔ should be appropriate, consistent, comprehensive, reasonable and cost effective
(i.e. cost of implementing the control should not exceed the benefits derived)
Examples of Control Activities
(i) authorization and approval procedures
(ii) segregation of duties (authorizing, processing, recording, reviewing)
(iii) controls over access to resources and records
(iv) verifications
(v) reconciliations
(vi) reviews of operating performance
(vii) reviews of operations, processes and activities
(viii) supervision (assigning, reviewing and approving, guidance and training)
IT Control Activities
● General Controls
● Application Controls
General Controls
Apply to all or a large segment of the organisation’s information system
Example:
➔ entity-wide security program planning and management
➔ access controls
➔ controls on the development, maintenance and change of the application software
➔ system software controls
➔ segregation of duties, and
➔ service continuity
Application Controls
Apply to separate, individual application systems, i.e. they relate to individual
applications
Example:
➔ Input control
➔ Processing control
➔ Output control
➔ master/standing data file control
Note: Auditing standards of CAG state that study and evaluation of internal control is
carried out according to the type of audit.
➔ In the case of regularity (financial audit), mainly such controls are evaluated that
assist in safeguarding assets and resources, and assure the accuracy and
completeness of accounting records
➔ In the case of regularity (compliance audit), such assessment is mainly of
controls that assist management in complying with laws and regulations
➔ In the case of performance audit, such controls are evaluated that assist in
conducting the business of the audited entity in an economic, efficient and
effective manner.
Audit Methodology
It includes:-
● Evaluation of the adequacy of existing internal control arrangements
● Testing the actual operation of Internal Controls
Evaluation of the adequacy of existing internal control arrangements
➔ Start with higher level controls, for example, strategic planning, which affect the
whole system, and work down to the lower level controls such as those over
individual transactions
➔ There is no absolute measure of what constitutes adequate control. Auditors
must use their judgement in determining which level of control is appropriate in
the light of their evaluation of the risk and materiality involved
➔ The auditors should use professional judgement in determining whether
controls are adequate or not.
➔ most common tools used in evaluation of the internal control are
FLOWCHARTING and QUESTIONNAIRE
Flowcharting
A diagrammatic method of recording and describing a system which can show the flow
of documents, information or processes and the related controls within that system.
Questionnaire
A series of questions which the auditor may wish to ask to understand and evaluate an
internal control system
Compliance Testing
➔ This is used to obtain assurance that controls established by management are
operating as intended and are effective.
➔ Errors found in compliance testing may indicate control weakness but they do not
demonstrate positively that the system is failing to achieve its objectives.
● Interviewing
used when evidence is absent or unclear
● Analysis
Where a transaction or process comprises a set of interrelated parts, the
auditor may need to analyze and verify each part before forming a judgement about
the whole
● Verification
used for confirming the truth, accuracy or validity of transactions.
It involves:
➔ Comparison (with some ascertainable facts or set standards)
➔ Confirmation (checking with third parties)
➔ Vouching (checking a transaction against supporting documentation)
● Re-performance
used where calculations or measurements have been checked as a control
● Test data
used for testing computerized systems, but may also be used in manual systems
1. Who is responsible for establishing and maintaining the system of internal control?
a) Auditor
b) Government
c) Creditor
d) Management
3. If there was a 50% risk of a material misstatement in a financial statement item in the
unaudited financial statements and a probability of 80% that the misstatement would be
detected by the auditor, audit risk would be equal to
a. 0.10%. b. 0.20%
c. 0.50% d. 0.40%
6. Assurance that recognizes that the cost of internal control should not exceed the
benefit derived is
a. Absolute assurance b. Reasonable assurance
c. Rational assurance d. Practical assurance
7. Two most common tools used in evaluation of the internal control are
a. Interview and Walk through Test
b. Flowcharting and Questionnaire
c. Survey and Interview
d. Organisational set-up and Survey
12. The acceptable level of audit risk (AR) is the risk of a material misstatement in
financial statements that is acceptable to
a. The head of the audit entity b. The auditor
c. The State Government d. The PAC/COPU
19. There is a relationship between Detection Risk and the combined level of Inherent
and control risk
a) Proportionate
b) Inverse
c) Direct
d) Positive