
Chapter 8

Understanding the Internal Control System


This chapter covers the primary objectives of internal control and explains reporting. We then discuss
the five components of the internal control system, as well as the role of IT, and the factors
auditors consider to develop an understanding of the IT environment.
1. Internal Control Objectives
A system of internal control consists of policies and procedures designed and implemented by
management to mitigate risk and to provide reasonable assurance that the entity can
achieve its objectives and goals. Policies can be written or implied through actions and
decisions. Procedures are actions to implement policies. Management designs the system of
internal control to accomplish the following four broad objectives:
1) Strategic, high-level goals, that support the mission of the entity
2) Reliability of financial reporting
3) Efficiency and effectiveness of operations
4) Compliance with laws and regulations
2. Management Responsibility for Internal Control
Management and the auditor have different responsibilities for internal controls over
financial reporting. Management, not the auditor, must establish and maintain the entity’s
internal control. the operating effectiveness of internal control over financial reporting.
The design and implementation of an effective system of control over financial reporting
involves controls at three levels:
1) Entity
2) Information technology
3) Business process
Two key concepts underlie management’s design and implementation of controls:
reasonable assurance and inherent limitations.
3. Auditors’ Responsibilities for Internal Control
Provides an overview of the process of obtaining an understanding of the entity’s system
of internal control as explained in CAS 315. Auditors are responsible for understanding,
identifying, and evaluating those internal controls that are relevant to the audit. As in the
inherent risk assessment, the objective is to identify the risks of material misstatement (RMM) at
the financial statement and assertion level.
Relevant controls: given that management’s internal control objectives encompass more
than financial reporting, not all controls are relevant to the audit.
Direct and indirect controls: direct controls are controls that directly address risks to the
integrity of information (that transactions are complete, accurate, and valid). Indirect
controls are controls that are not sufficiently precise to prevent, detect, or correct
misstatements at the assertion level but which support direct controls.
Understanding controls and identifying RMM: the final output of understanding internal
control is identifying RMM at the financial statement level and the assertion level.
4. COSO Components of Internal Control
A system of internal control as defined by CAS 315 encompasses five interrelated
components:
1) Control environment
The control environment is the foundation of effective internal control. If top
management believes control is important, others in the organization will sense
that and respond by conscientiously observing the policies and procedures
established. If management or those charged with governance fail in their
monitoring role by placing too much trust in the system or the people operating the
controls, then the risk of fraud and error is high.
a) Integrity and ethical values
b) Board of directors oversight responsibility
c) Structure, authority and responsibility
d) Commitment to competence
e) Accountability
2) Risk assessment
Risk assessment involves a process of identifying and analyzing risks that might prevent the
organization from achieving its objectives. There are four underlying principles: the
organization should be able to identify and assess the risks relating to its objectives, it
should determine how the risks related to information technology (IT) should be
considered, it should consider the potential for fraudulent behavior, and it should monitor
changes that could impact internal controls. Once management identifies a risk, it estimates
the significance of the risk, assesses the likelihood of the risk occurring, and develops specific
actions that need to be taken to reduce the risk to an acceptable level.
a) Relevant objectives and risk assessment: in order to ensure that the
organization meets its objective of reliable external financial reporting,
management should consider whether its reporting objectives are
consistent with the relevant financial reporting framework and appropriate
in the circumstances.
b) Fraud risk assessment: the assessment should consider the various ways
that financial reporting fraud could occur. Such factors could include the
following:
• Management bias in selection of accounting policies
• Degree of estimates and judgments in external reporting
• Fraud schemes and scenarios common to the industry in which the
organization operates
• Geographic regions
• Incentives that may motivate fraudulent behavior
• Nature of technology and management’s ability to manipulate
information
• Unusual or complex transactions subject to significant
management influence
• Vulnerability to management override and potential schemes to
circumvent controls
c) Significant changes: change creates risk; therefore, management should
implement processes that enable it to identify and evaluate changes in the
external and internal environment that could significantly impact the
system of internal control.
3) Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of internal
control performance to determine that controls are operating as intended and that
they are modified as appropriate for changes in conditions. Monitoring also
requires that deficiencies in internal control are reported and appropriate remedial
action is taken.
a. Perform ongoing and separate evaluations: monitoring should include
evaluation built into business/financial reporting and performed on a real-time
basis (ongoing), as well as separate periodic evaluations.
b. Evaluate and communicate deficiencies: internal control deficiencies
need to be reported in a timely manner to those responsible for taking
corrective action, senior management, and the board of directors (or the
audit committee).
4) Information system and communication
The purpose of an entity’s accounting information system and communication is
to initiate, record, process, and report the entity’s transactions and to maintain
accountability for the related assets. Controls over the accounting systems are
distinct from the business processes and include controls over the following:
• The transfer of business process information to the general ledger
• The capture of relevant events/conditions, such as amortization, valuation
of inventory and accounts receivable, and other estimates that are not
transaction based
• Journal entries
• The accumulation and summation of other information that must be
disclosed in the financial statements
As mentioned in our earlier discussion of control activities, an important control
is the chart of accounts, which lists and classifies transactions into individual
balance sheet and income statement accounts.
a. Relevant and quality information
b. Effective internal and external communications
5) Control activities
Control activities are the policies and procedures that help ensure the necessary actions
are taken to address risks in the achievement of the entity’s objectives. They are the controls that
ensure the proper application of the policies in all the other components of the
entity’s system of internal control, and they include indirect and direct controls.
The organization should have in place a process that maps controls to address each
risk related to the relevant financial statement assertion. Some key points to
consider when determining if all risks are addressed:
• Are all relevant business processes, information technology, and locations
where control activities are needed (including outsourced service
providers and other business partners) considered?
• Are control activities related to the integrity of information sent to and
received from outsourced service providers considered?
• Are the controls performed by outsourced service providers adequate?
Preventive controls are designed to stop errors or fraud from occurring (e.g.,
supervisor review of journal entry/purchase order or automated input edit
controls). Detective controls identify errors or irregularities after they have
occurred so corrective action can be taken (e.g., reconciliations, validation of
results). A business process is a structured set of activities designed to produce
specified output. An individual business process, also called an application
system, can have different types of control activities. An example of a business
process or application system would be a sales system, which processes sales
transactions initiated by media such as the internet, telephone, or a purchase order
form received in the mail.
1. Proper authorization and approval
2. Adequate documents and records
3. Physical and logical control over assets and records
4. Adequate segregation of duties
5. Independent checks of performance, recorded data, and actual results

5. Internal Controls Specific to Information Technology


The system of internal control contains manual and automated controls, and each
component of the system of internal control may use information technology (IT)
to some extent. Technology can strengthen a company’s system of internal control but
can also provide challenges. To address risks associated with reliance on technology,
organizations often implement specific IT controls.
1) General controls apply to all aspects of the IT function, including IT
administration; separation of IT duties; systems development; physical and online
security over access to hardware, software, and related data; backup and
contingency planning in the event of unexpected emergencies; and hardware
controls. General computer controls can be manual (such as IT budgets and
contracts with service providers) or automated (embedded in the computer
programs).
a) IT Governance
b) Separation of IT duties
c) System Development and Change
d) Physical and Online Security
e) Hardware Controls
2) Application controls are controls typically at the business process level that apply
to processing transactions, such as the inputting, processing, and outputting of
sales or cash receipts. Application controls can be manual or automated controls.
Input controls are designed to ensure that the information entered into the
computer is authorized, accurate, and complete. Processing controls prevent and
detect errors while transaction data are processed. General controls, especially
controls related to systems development and security, provide essential control for
minimizing processing errors. Output controls focus on detecting errors after
processing is completed, rather than on preventing errors.
6. Impact of Information Technology on the System of Internal Control
The organization’s use of IT, which includes the degree to which an organization is
automated as well as its IT applications, infrastructure, and processes, has a significant
impact on the way in which the entity’s system of internal control is designed and
implemented. Below we focus on how the complexity of the IT system can vary
according to (1) type of IT applications and data management systems, (2) the complexity
of the infrastructure, and (3) the degree to which the organization relies upon third-party
hosting or outsourcing.
7. Impact of Emerging Technologies on Internal Control
Technology has always been changing and evolving. Today’s current emerging
technologies will impact how an organization obtains or generates and uses relevant,
quality information to support an effective internal control system. In this section, we will
briefly cover three different emerging technologies that are expected to have a significant
impact on organizations’ business models, processes, and system of internal control.
1) Internet of things and peripheral devices
2) Smart contracts and blockchain
3) Machine learning and artificial intelligence
8. Understanding Controls of Small Businesses
The auditor is required to obtain an understanding of internal controls. However, the size
of a company does have a significant effect on the nature of internal control activities and
the specific monitoring controls. It is often difficult for a small business to establish
adequate separation of duties. Further, the entity is unlikely to have in-house expertise in
systems and would place more reliance on software and hardware suppliers for system
support and maintenance.
