(Bme 21) Psa 300, 315R & 330 PDF


A21/BME21: Governance, Business Ethics, Risk Management and Internal Control

PSA 300: PLANNING AN AUDIT OF FINANCIAL STATEMENTS


1. Planning an audit involves:
• establishing the overall audit strategy for the engagement; and
• developing an audit plan.

PRELIMINARY ENGAGEMENT ACTIVITIES


2. The auditor shall perform the following activities at the beginning of the current audit engagement:
• Perform procedures regarding the continuance of the client relationship and the specific audit
engagement.
• Evaluate compliance with ethical requirements, including independence.
• Establish an understanding of the terms of the engagement.

PLANNING ACTIVITIES
3. The auditor shall establish an overall audit strategy for the audit. The overall audit strategy sets the
scope, timing and direction of the audit, and guides the development of the more detailed audit plan.

4. The establishment of the overall audit strategy involves:


• Determining the characteristics of the engagement that define its scope;
• Ascertaining the reporting objectives of the engagement to plan the timing of the audit and the nature
of the communications required;
• Considering the important factors that will determine the focus of the engagement team’s efforts;
• Considering the results of preliminary engagement activities and, where applicable, whether
knowledge gained on other engagements performed by the engagement partner for the entity is
relevant; and
• Ascertaining the nature, timing and extent of resources necessary to perform the engagement.

5. The auditor shall develop an audit plan that shall include a description of:
• The nature, timing and extent of planned risk assessment procedures, as determined under PSA 315.
• The nature, timing and extent of planned further audit procedures at the assertion level, as
determined under PSA 330.
• Other planned audit procedures that are required to be carried out so that the engagement complies
with PSAs.

CHANGES TO PLANNING DECISIONS DURING THE COURSE OF THE AUDIT


The overall audit strategy and the audit plan shall be updated and changed as necessary during the course of
the audit.

DIRECTION, SUPERVISION AND REVIEW


1. The auditor shall plan the nature, timing and extent of direction and supervision of engagement team
members and review their work.

2. The nature, timing and extent of the direction and supervision of engagement team members and review
of their work vary depending on many factors, including:
• The size and complexity of the entity;
• The area of the audit;
• The risks of material misstatement; and
• The capabilities and competence of the individual team members performing the audit work.
The auditor plans the nature, timing and extent of direction and supervision of engagement team members
based on the assessed risk of material misstatement.

DOCUMENTATION
The auditor shall document the overall audit strategy and the audit plan, including any significant changes made
during the audit engagement.

ADDITIONAL CONSIDERATIONS IN INITIAL AUDIT ENGAGEMENTS


The auditor shall perform the following activities prior to starting an initial audit:
• Perform procedures regarding the acceptance of the client relationship and the specific audit
engagement.
• Communicate with the previous auditor, where there has been a change of auditors, in compliance with
relevant ethical requirements.

PSA 315: IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT (ROMM)
1. The objective of the auditor is to identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.

2. The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides
an appropriate basis for:
a) the identification and assessment of risks of material misstatement, whether due to fraud or error,
at the financial statement and assertion levels; and

b) the design of further audit procedures in accordance with PSA 330.

The risk assessment procedures shall include the following: (IAOI)


a) Inquiries of management and of other appropriate individuals within the entity, including individuals
within the internal audit function (if the function exists).
b) Analytical procedures.
c) Observation and inspection.

INFORMATION FROM OTHER SOURCES


In obtaining audit evidence by performing risk assessment procedures, the auditor shall consider information
from:
• The auditor’s procedures regarding acceptance and continuance of the client relationship of the audit
engagement; and
• When applicable, other engagements performed by the engagement partner for the entity.

ENGAGEMENT TEAM DISCUSSION


The engagement partner and other key engagement team members shall discuss the application of the
applicable financial reporting framework and the susceptibility of the entity’s financial statements to material
misstatement.

When there are engagement team members not involved in the engagement team discussion, the engagement
partner shall determine which matters are to be communicated to those members.

OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT, THE APPLICABLE
FINANCIAL REPORTING FRAMEWORK AND THE ENTITY’S SYSTEM OF INTERNAL CONTROL

The auditor shall perform risk assessment procedures to obtain an understanding of:

1) The following aspects of the entity and its environment:


• The entity’s organizational structure, ownership and governance, and its business model, including
the extent to which the business model integrates the use of IT;
• Industry, regulatory and other external factors;
• The measures used, internally and externally, to assess the entity’s financial performance;

2) The applicable financial reporting framework, and the entity’s accounting policies and the reasons for
any changes thereto;
3) How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they
do so, in the preparation of the financial statements in accordance with the applicable financial reporting
framework.

The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the
applicable financial reporting framework.

INTERNAL CONTROL
Internal control is the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to:
• Reliability of financial reporting;
• Effectiveness and efficiency of operations; and
• Compliance with applicable laws and regulations.

When obtaining an understanding of controls that are relevant to the audit, the auditor shall:
• evaluate the design of those controls; and
• determine whether they have been implemented,
by performing procedures in addition to inquiry of the entity’s personnel.

COMPONENTS OF INTERNAL CONTROL


1) Control Environment – The control environment includes the governance and management functions
and the attitudes, awareness, and actions of those charged with governance and management
concerning the entity’s internal control and its importance in the entity.

Elements of control environment:


• Communication and enforcement of integrity and ethical values.
• Commitment to competence.
• Participation by those charged with governance.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.

The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding,
the auditor shall evaluate whether:
• Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
• The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control, and whether those other components are not undermined
by deficiencies in the control environment.

2. The Entity’s Risk Assessment Process


The auditor shall obtain an understanding of whether the entity has a process for:
• Identifying business risks relevant to financial reporting objectives;
• Estimating the significance of the risks;
• Assessing the likelihood of their occurrence; and
• Deciding about actions to address those risks.

3. THE INFORMATION SYSTEM, INCLUDING THE RELATED BUSINESS PROCESSES, RELEVANT TO
FINANCIAL REPORTING, AND COMMUNICATION
The auditor shall obtain an understanding of the information system, including the related business processes,
relevant to financial reporting, including the following areas:
• The classes of transactions in the entity’s operations that are significant to the financial statements.
• The procedures, within both IT and manual systems, by which those transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general ledger and reported in the financial
statements.
• The related accounting records, whether electronic or manual, supporting information, and specific
accounts in the financial statements that are used to initiate, record, process and report transactions;
this includes the correction of incorrect information and how information is transferred to the general
ledger.
• How the information system captures events and conditions, other than transactions, that are significant
to the financial statements.
• The financial reporting process used to prepare the entity’s financial statements, including significant
accounting estimates and disclosures.
• Controls surrounding journal entries, including non-standard journal entries used to record non-recurring,
unusual transactions or adjustments.

The auditor shall obtain an understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting, including:
• Communications between management and those charged with governance; and
• External communications, such as those with regulatory authorities.

4. CONTROL ACTIVITIES RELEVANT TO THE AUDIT


Control activities are the policies and procedures to help ensure that management directives are carried out.
Examples of control activities include those relating to the following:
• Authorization
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties

The auditor shall obtain a sufficient understanding of control activities to:


• Assess the risks of material misstatement at the assertion level; and
• Design further audit procedures responsive to assessed risks.

5. MONITORING OF CONTROLS
• Monitoring of controls involves assessing the design and operation of controls on a timely basis and
taking the necessary corrective actions modified for changes in conditions.

• The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting, including those related to those control activities relevant to the audit,
and how the entity initiates remedial actions to deficiencies in its controls.

• If the entity has an internal audit function, the auditor shall obtain an understanding of the following in
order to determine whether the internal audit function is likely to be relevant to the audit:
a) The nature of the internal audit function’s responsibilities and how the internal audit function fits
in the entity’s organizational structure; and
b) The activities performed, or to be performed, by the internal audit function.

• The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring
activities, and the basis upon which management considers the information to be sufficiently reliable for
the purpose.

CONSIDERATION OF INTERNAL CONTROL

INTERNAL CONTROL – the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement of an
entity’s objectives with regard to:
• Reliability of financial reporting
• Effectiveness and efficiency of operations; and
• Compliance with applicable laws and regulations.

CHARACTERISTICS OF INTERNAL CONTROL:


1. Internal control is a process.
2. Internal control is effected by the entity’s personnel.
3. Internal control provides reasonable assurance of achieving its objectives.
4. Internal control is geared toward attainment of the entity’s objectives.

INHERENT LIMITATIONS OF INTERNAL CONTROL (COC CHA)


1. Cost-benefit consideration;
2. Management Overriding the Control;
3. The possibility of circumvention of controls through Collusion with parties outside the entity or with
employees of the entity;
4. The possibility that procedures may become inadequate due to Changes in condition and compliance
with procedures may deteriorate;
5. The potential for Human error due to carelessness, distraction, mistakes of judgment or the
misunderstanding of instructions; and
6. The fact that most controls tend to be directed at Anticipated types (routine) of transactions and not
at unusual (non-routine) transactions.

AREAS OF INTERNAL CONTROL


1. ADMINISTRATIVE CONTROL
• Includes, but is not limited to, plan of organization and the procedures and records that are concerned
with the decision processes leading to management’s authorization of transactions.
• Promotes operational efficiency and adherence to managerial policies.

2. ACCOUNTING CONTROL
• Comprises the plan of organization and the procedures and records that are concerned with the
safeguarding of assets and the reliability of financial records.
• Involves systems of authorization and approval controls over assets, internal audit and all other
financial matters.

ACCOUNTING SYSTEM VS. INTERNAL CONTROL SYSTEM


ACCOUNTING SYSTEM – means the series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. Such systems identify, assemble, analyze, calculate,
classify, record, summarize and report transactions and other events.

INTERNAL CONTROL SYSTEM – means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management’s objective of ensuring, as far as practicable,
• Orderly and efficient conduct of its business, including adherence to management policies;
• Safeguarding of assets;
• Prevention and detection of fraud and error;
• Accuracy and completeness of the accounting records; and
• Timely preparation of reliable financial information.

From these characteristics, we can conclude that the internal control system is much broader than the accounting
system. It encompasses the accounting system, since it extends beyond those matters which relate directly to the
functions of the accounting system.

PARTIES RESPONSIBLE FOR INTERNAL CONTROL


MANAGEMENT AND THOSE CHARGED WITH GOVERNANCE
• The board of directors and its audit committee have responsibility for making sure the internal control
system within the organization is adequate.
• The primary responsibility for the development and maintenance of internal controls rests with an
organization’s management.
INTERNAL AUDITORS
• Internal auditors’ responsibilities typically include ensuring the adequacy of the system of internal control,
the reliability of data, and the efficient use of the organization’s resources.
• Internal auditors identify control problems and develop solutions for improving and strengthening internal
controls.
EXTERNAL AUDITORS
• External auditors assess the effectiveness of internal control within an organization to plan the financial
statement audit.
• External auditors focus primarily on controls that affect financial reporting.
• External auditors have a responsibility to report internal control weaknesses to the audit committee of
the board of directors.

CORPORATE GOVERNANCE
• System of stewardship and control to guide organizations in fulfilling their long-term economic, moral,
legal, and social obligations towards their shareholders or members and other stakeholders.
• A system of direction, feedback, and control using regulations, performance standards, and ethical
guidelines to hold the board of directors and senior management accountable for ensuring ethical
behavior and reconciling long-term customer satisfaction with shareholder or member value to the benefit
of all stakeholders and society.
• PURPOSE – to maximize the organization’s long-term success, thereby creating sustainable value for its
shareholders/members, other stakeholders, and the nation.
ELEMENTS | OBJECTIVE | RESPONSIBILITY | ROLES AND RESPONSIBILITIES
Governance | Strategic control | Those charged with governance | TCWG – exercise the corporate powers of a corporation, conduct all its business, and control its properties.
Risk Management | Management control | Senior management | Management – given the authority by the TCWG to implement the policies it has laid down in the conduct of the business.
Internal control | Operational control | Risk owners | Risk owners – execute daily risk management activities to effectively address business risks.

COMPONENTS OF INTERNAL CONTROL


Internal control, as discussed in PSA 315, consists of the following components: (CRIME)
1) Control Environment
2) Entity’s Risk Assessment Process
3) Information and Communication Systems
4) Control Activities
5) Monitoring of Controls

INDIRECT CONTROLS
• These controls are not sufficiently precise to prevent, detect or correct misstatements at the assertion
level
• Controls that support direct controls
• Control Environment, Entity’s Risk Assessment Process and Monitoring of Controls

DIRECT CONTROLS
• Controls that are precise enough to address risks of material misstatement at the assertion level
• Information and communication systems and Control Activities

INDIRECT CONTROLS

CONTROL ENVIRONMENT – describes a set of standards, processes and structures that provide the basis for
carrying out internal control across the organization. The control environment is the foundation on which an
effective system of internal control is built and operated in an organization.

COMPONENTS:
Elements of control environment that could be relevant when obtaining an understanding of the control
environment include the following:
OLD RULE (as per COSO Framework): (IM CPA HO)
• Communication and enforcement of Integrity and Ethical values
• Management’s philosophy and operating style
• Commitment to competence
• Participation by those charged with governance
• Assignment of authority and responsibility
• Human resources policies and procedures
• Organizational structure

NEW RULE (as per PSA 315 Revised): (ICE AA)


• Management’s commitment to integrity and ethical values
• TCWG’s independence from management and exercise of oversight of the entity’s system of internal
control
• Entity’s assignment of authority and responsibility in pursuit of its objectives
• Attraction and development of competent individuals in alignment with its objectives
• Individuals are held accountable for their responsibilities in pursuit of the objectives

ENTITY’S RISK ASSESSMENT PROCESS


An entity’s risk assessment process is its process for identifying and responding to business risks and the results
thereof.

The auditor shall obtain an understanding of whether the entity has a process for: (IAM)
• Identifying business risks relevant to financial reporting objectives
• Assessing the significance of risks and the likelihood of their occurrence
• Deciding how to Manage those risks

MONITORING OF CONTROLS
• Monitoring is the process of assessing the quality of internal control performance over time.
• It involves assessing the design and operations of controls on a timely basis and taking necessary
corrective actions.
• Monitoring is done to ensure that controls are present and continue to function effectively.
• Monitoring can be accomplished through:
✓ Ongoing monitoring activities
✓ Separate evaluations
✓ Combination of the two.

DIRECT CONTROLS
INFORMATION SYSTEM
Information is obtained or generated by management from both internal and external sources in order to support
internal control components.

An information system enables the entity to have the ability to generate timely and meaningful information. An
information system consists of:
✓ Infrastructure (physical and hardware components)
✓ Software (processes and procedures)
✓ People
✓ Input or data
✓ Output or meaningful information

COMMUNICATION
Communication involves providing an understanding of individual roles and responsibilities in the entity’s system
of internal control. The auditor places emphasis on the communication of financial reporting roles and
responsibilities and significant matters relating to financial reporting. This includes:
✓ Communications between people within the entity
✓ Communications between management and those charged with governance
✓ External communications, such as those with regulatory authorities

CONTROL ACTIVITIES
Control activities are actions (generally described in policies, procedures, and standards) that help management
mitigate risks in order to ensure the achievement of objectives.

Control activities may be preventive or detective in nature and may be performed at all levels of the organization.

COMPONENTS OF CONTROL ACTIVITIES


Examples of control activities include those relating to the following:

As per COSO Framework (APIPS)


1) Authorization
2) Performance reviews
3) Information processing
4) Physical controls
5) Segregation of duties

As per PSA 315 Revised (PARVS)


1) Authorization and approvals
2) Reconciliation
3) Verifications
4) Physical or logical controls
5) Segregation of duties

PSA 330: THE AUDITOR’S RESPONSES TO ASSESSED RISKS


Overall Responses:
1) The auditor should design and implement overall responses to address the risks of material misstatement
at the financial statement level. Such responses may include:
• Emphasizing to the audit team the need to maintain professional skepticism.
• Assigning more experienced staff or those with special skills or using experts.
• Providing more supervision.
• Incorporating additional elements of unpredictability in the selection of further audit procedures to
be performed.
• Making general changes to the nature, timing, or extent of audit procedures.

Audit Procedures Responsive to Risks of Material Misstatement at the Assertion Level
2) In designing the further audit procedures, the auditor shall:
a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion
level for each class of transactions, account balance, and disclosure, including:
• The likelihood of material misstatement due to the particular characteristics of the relevant class
of transactions, account balance or disclosure (that is, the inherent risk); and
• Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby
requiring the auditor to obtain audit evidence to determine whether the controls are operating
effectively (that is, the auditor intends to rely on the operating effectiveness of controls in
determining the nature, timing and extent of substantive procedures); and

b) Obtain more persuasive evidence the higher the auditor’s assessment of risk.

Considering the nature, timing, and extent of further audit procedures


The nature of further audit procedures refers to their:
• Purpose – tests of controls or substantive procedures.
• Type – inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical
procedures.

Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies.

Extent includes the quantity of a specific audit procedure to be performed.

TESTS OF CONTROLS
1. The auditor is required to perform tests of controls when:
• The auditor’s risk assessment includes an expectation of the operating effectiveness of controls; or
• Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

2. Tests of the operating effectiveness of controls are performed only on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.

3. Testing the operating effectiveness of controls includes obtaining evidence about:


• How controls were applied at relevant times during the period under audit;
• The consistency with which they were applied; and
• By whom or by what means they were applied.

SUBSTANTIVE PROCEDURES
1. Substantive test procedures are performed in order to detect material misstatements at the assertion level,
and include:
• Tests of details of classes of transactions, account balances, and disclosures; and
• Substantive analytical procedures.

2. The auditor’s substantive procedures should include the following audit procedures related to the financial
statement closing process:
• Agreeing or reconciling the financial statements with the underlying accounting records; and
• Examining material journal entries and other adjustments made during the course of preparing the
financial statements.

3. The auditor should perform audit procedures to evaluate whether the overall presentation of the financial
statements, including the related disclosures, is in accordance with the applicable financial reporting
framework.

EVALUATING THE SUFFICIENCY AND APPROPRIATENESS OF AUDIT EVIDENCE OBTAINED


Based on the audit procedures performed and the audit evidence obtained, the auditor should evaluate whether
the assessments of the risks of material misstatement at the assertion level remain appropriate.

The auditor should conclude whether sufficient appropriate audit evidence has been obtained to reduce to an
acceptably low level the risk of material misstatement in the financial statements.

If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement
assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain further
audit evidence, the auditor shall express a qualified opinion or a disclaimer of opinion.
DOCUMENTATION
The auditor shall include in the audit documentation:
• The overall responses to address the assessed risks of material misstatement at the financial statement
level and the nature, timing, and extent of the further audit procedures;
• The linkage of those procedures with the assessed risks at the assertion level; and
• The results of the audit procedures.

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior audits,
the auditor should document the conclusions reached with regard to relying on such controls that were tested
in a prior audit.

The auditor’s documentation shall demonstrate that the financial statements agree or reconcile with the
underlying accounting records.
