Unit 4 Internal Control


What are the risks, how has management responded to them, what types of control are in place,
and how are auditors responding to the risks?

Business risks are risks that would prevent an entity from achieving its objectives or executing its
strategies.

Management may have determined some risks of material misstatement to be acceptable and has not
designed and implemented any controls in response to these risks. The effectiveness of internal
controls can be impaired by human error, management override of controls, and collusion among
several people. Thus, the auditor always has to perform some substantive audit procedures.

5 components of an entity’s internal control

ISA 315: control environment; risk assessment process; information system, including the related
business processes relevant to financial reporting and communication; control activities; and
monitoring of controls.

Entity-level controls: controls relating to the control environment, risk assessment process,
communication and monitoring of controls.

In meeting the requirements of ISA 315, ISA 240 and ISA 550 related to understanding the control
environment, the auditor must know about the controls over related party transactions and
significant transactions outside the course of business.

Risk assessment process

Risk management Framework


The auditor must make sure that the control is capable of preventing, detecting or correcting a
material misstatement, that the control exists, and that the entity is using it (by observation or
inspection).

IT risks and control

The auditor must understand the entity's IT policies and procedures, software, strategy and budget.

Risks: Data loss and unauthorized access to data


General IT controls

Data center and network operations.

System software acquisition, change and maintenance.

Program change and access security.

Application system acquisition, development, and maintenance.


Manage change controls

The purpose is to prevent, detect or correct unauthorized changes to the IT environment.

Process level controls

How transactions are initiated, authorized, recorded, processed, corrected where necessary,
transferred and reconciled to the general ledger (GL), and reported in the financial statements.
The auditor may perform a walkthrough to test the above control.

Segregation of duties involves allocating the following components of a transaction to different
employees, enforced through access rights: authorization, custody of the asset, recording the
transaction in the accounting system, and reconciliation.
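
The segregation-of-duties rule above can be tested against access rights and against what was actually done. The following is an added example, not part of the original notes; the role names, user names and transaction log are constructed sample data.

```python
from collections import defaultdict

# The four duties the notes say must sit with different employees.
DUTIES = ("authorization", "custody", "recording", "reconciliation")

# Constructed sample data (hypothetical role and user names).
ROLE_DUTIES = {
    "payroll_approver": {"authorization"},
    "cashier": {"custody"},
    "payroll_clerk": {"recording"},
    "gl_accountant": {"recording", "reconciliation"},
}
USER_ROLES = {
    "alice": ["payroll_approver"],
    "bob": ["cashier", "payroll_clerk"],
    "carol": ["gl_accountant"],
    "dave": ["payroll_clerk"],
}
# Constructed transaction log: (transaction id, duty performed, user).
TXN_LOG = [
    ("T1", "authorization", "alice"), ("T1", "custody", "bob"),
    ("T1", "recording", "dave"), ("T1", "reconciliation", "carol"),
    ("T2", "authorization", "alice"), ("T2", "custody", "bob"),
    ("T2", "recording", "bob"), ("T2", "reconciliation", "carol"),
]

def access_conflicts(user_roles, role_duties):
    """Users whose combined access rights cover more than one duty."""
    out = {}
    for user, roles in user_roles.items():
        duties = set()
        for role in roles:
            duties |= role_duties.get(role, set())
        if len(duties) > 1:
            out[user] = sorted(duties)
    return out

def transaction_conflicts(log):
    """Transactions where one user actually performed two or more duties."""
    done = defaultdict(lambda: defaultdict(set))
    for txn, duty, user in log:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty: {duty}")
        done[txn][user].add(duty)
    return {txn: {u: sorted(d) for u, d in users.items() if len(d) > 1}
            for txn, users in done.items()
            if any(len(d) > 1 for d in users.values())}

if __name__ == "__main__":
    print("access:", access_conflicts(USER_ROLES, ROLE_DUTIES))
    print("transactions:", transaction_conflicts(TXN_LOG))
```

The first check shows a design weakness (a user could perform two duties); the second shows where one user actually did so on a single transaction.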

A walkthrough includes a combination of enquiry, observation, reperformance and inspection of the
relevant documentation (often including flow charts or narrative process descriptions). The auditor
must record the following:

Details of the transaction, documents reviewed, relevant IT application used, date of the
walkthrough, and details of the entity’s personnel the auditor has spoken to.

Understanding control attributes
Control risk is low when controls are effectively designed and implemented, so the auditor can
place reliance on the operating effectiveness of controls.
Factors of control

Auditor's responsibility when the client outsources services (ISA 402)

Must consider controls and evidence at the user entity


ISA 402 para 9: Factors to consider
ISA 402: If the auditor cannot gain a sufficient understanding of the user entity, the auditor must
consider the controls and procedures in place at the service organization.

ISA 315 para 14-17, 19, 22-24: 7 elements of control environment:

WE 4.1: Identify risks arising from IT


WE 4.2: Understanding General IT controls
WE 4.3: Assessing control (Walkthrough)

How to control:
Control Evaluation

WE 4.4: Selecting controls to test

Use a control-based audit approach over payroll, since relevant controls have been designed
effectively and implemented by the company for the year, and conduct a 100% substantive audit
approach over the financial year close process. For control testing, the team needs to select the
minimum number of controls necessary to address all the identified risks in the payroll process
(key controls in the process).
If the control is part of another process, it does not need to be tested.
The team also needs to consider whether the control selected for testing depends on other controls:

WE 4.5: Providing control recommendations


Robust => do more detailed work.
Act 4.1: Identifying and evaluating entity level controls
Act 4.2: what could go wrong
Act 4.3: Evaluating controls

A control is effectively designed when its design achieves its objective of preventing, detecting
and correcting a material misstatement.

Act 4.4: Control deficiencies and recommendations


Under ISA 315 (Revised) and ISA 550, an entity would be expected to have policies and procedures in
place that mitigate the risk of material misstatement associated with related party relationships
and transactions.
