OBJECTIVE

DEMONSTRATE AN IN DEPTH KNOWLEDGE AND UNDERSTANDING OF THE

INTERNAL CONTROLS AND THE EVALUATION THEREOF FOR THE
DIFFERENT CYCLES IN A BUSINESS (PLEASE REFER TO YOUR LEANER GUIDE FOR DETAIL
LEARNING OUTCOMES)

TO DISCUSS:
• Chapter 9 and 12 of Dynamic Auditing
• ISA 265, 315, 330
KNOWLEDGE QUIZ
• What is the definition of internal controls?

• True of False – Internal controls consist of manual and IT

controls

• What are the components of internal controls?

• Name the inherent limitation of internal control systems?

• What is the difference between an audit risk and business

risks?
COMPONENTS OF INTERNAL CONTROLS
COMPONENTS OF INTERNAL CONTROLS
Elements of the internal control
environment:

• Communication and enforcement

of integrity and ethical values
• Commitment of competence
• Participation by those charged with
governance
• Management’s philosophy and
operating style
• Organisational Structure
• Assignment of responsibility and
authority
• Human Resource policies and
practices

Control environment = The foundation for effective internal

controls
COMPONENTS OF INTERNAL CONTROLS
Risk factors that could impact on the
fair presentation of the AFS
(EXAMPLES)

• Changes in the
regulatory/operating environments
can lead to added competitive
pressures and an added RMM
• New personnel may lack an
understanding of the internal
controls
• Significant and rapid changes in
information systems could lead to
personnel being unfamiliar with the
system and therefore making
mistakes

RISK ASSESSMENT PROCESS = Identify business risks

 COMPONENTS OF INTERNAL CONTROLS
Elements of IT relevant to Financial Reporting
consist of procedures and records established
to:

• Initiate, record, process and report entity

transactions and to maintain accountability
for the related assets, liabilities and equity
• Resolve the incorrect processing of
transactions
• Process and account for systems overrides
or bypasses to controls
• Transfer information from transaction
processing systems to the GL
• Capture information relevant to financial
reporting for events and conditions other
than transactions
• Ensure information required to be disclosed
INFORMATION SYSTEM consist of by the applicable financial reporting
hardware, software, people, procedures framework is accumulated, recorded,
and data processed, summarised and appropriately
reported in the financial statements
COMPONENTS OF INTERNAL CONTROLS

SEGREGATION OF DUTIES

PHYSICAL SAFEGUARDING

DOCUMENT DESIGN

STATIONERY CONTROL

COMPARISONS RECONCILIATIONS AND

CONTROL ACCOUNTS

INSURANCE

SPECIFIC CONTROL TECHNIQUES

= Techniques, methods and principles that are

needed for the application of internal controls
COMPONENTS OF INTERNAL CONTROLS

MANAGEMENT SUPERVISION AND REVIEW:

TRANSACTIONS AUTHORISED ACCORDING

TO THE GENERAL/SPECIFIC AUTHORISTION
OF MANAGEMENT

SUPERVISION OF DAY-TO-DAY
TRANSACTIONS BY SENIOR RESPONSIBLE
PERSONS

REVIEWING OF ALL WORK DONE BY AN

INDEPENDENT PERSON

MANAGEMENT SHOULD ON A REGULAR BASIS

CONSIDER IF THE CONTROLS ARE OPERATING AS
INTENTED
HOW TO DESIGN A SYSTEM OF INTERNAL CONTROL

STEP ONE: Identify the risks associated with a particular system – WHAT COULD
GO WRONG?

STEP TWO: Formulate the control objectives for the particular system. – WHAT
DOES MANAGEMENT WANT THE SYSTEM TO ACHIEVE?

STEP THREE: Use the five component of a system of internal control to design a
proper system of internal control to address the risks and control objectives. After
the design the control should be implemented, maintained and monitored. – HOW
WILL MANAGEMENT ACHIEVE THIS?

IF A QUESTION REGARDING RISKS ARE ASKED FORMULATE THE RISKS

PROPERLY BY INCLUDING THE RISK INDICATOR AND CONSEQUENCE OF THE
RISK. Egg There is a risk that credit sales is made to customers who are not
creditworthy (indicator) resulting in irrecoverable debts and losses to the entity
(consequence)
OBJECTIVES OF INTERNAL CONTROLS

VALIDITY
All recorded transaction are valid and
supported by sufficient documentation
and evidence, including the necessary
authorisation.
COMPLETE NESS
All valid transactions are recorded and no
transactions are left out

ACCURACY
All transactions and transactions
documentation are recorded at the correct
quantity and price and are arithmetically
correct
EXAMPLE – HOW TO DESIGN A SYSTEM OF CONTROLS

RISK COTROL OBJECTIVE INTERNAL CONTROL

New customers who are To ensure that new Customers completes a credit
application form and submits
not creditworthy are customers are trade references.
accepted and provided creditworthy and would
credit. therefore be able to Credit controller performs
settle the debts they background checks on
customers trade references
incur – Validity and confirms credit status with
credit bureaus.

Credit controller sets a credit

limit to the amount of debt a
customer may incur and
records it on the credit
application form.

The financial manager

authorises, if appropriate the
credit limit having reviewed the
supporting documentation.
INTERNAL CONTROL AND THE AUDITOR

Control objectives normally relates to financial reporting, operations and

compliance. Are all of these controls relevant to the auditors assessment of risk?

Is the following control objective important to management or the auditor or both?

All purchase orders are carried out

In what phase of the audit does the auditor focus on internal controls?

REMEMBER DURING THE PLANNING YOU FIRST DETERMINE WHETHER ANY RISKS
IDENTIFED DURING THE RISK ASSESSMENT ARE SIGNIFICANT. YOU DO THIS BEFORE
ANY CONTROLS ARE TAKEN INTO ACCOUNT
STAGES OF THE AUDIT
1 PRE-ENGAGEMENT ACTIVITIES
Client investigation
Skills and competence
Establish terms of engagement

2
OVER ALL PLANNING
Understand the entity’s
Understand the entity internal controls,
and its environment including the information
systems
Set planning materiality
And overall audit
strategy

Risk of material
Evaluate inherent risks Evaluate Control risks
misstatement
STAGES OF AN AUDIT
2 DETAILED PLANNING

Identification and Identify and evaluate

evaluation of significant internal controls over
accounts/process significant
account/process

Risk of material
Evaluate inherent risks Evaluate Control risks misstatement per
significant
account/process

Non significant
accounts =
Analytical review Determine nature, timing and
extent of test of controls and
procedures substantive procedures
 Stages of the audit process

Test of control ISA

DETAIL TESTING 265,315,330,500,5
39

Substantive
procedures ISA
500,501,505,510,5
Perform AND evaluate test of controls and substantive procedures 20,530,540,550,58
0,600,610,620,
IAPSs
1005,1010,1012,1
013,SSAAPS 4,
1100

EVALUATING, CONCLUDING AND REPORTING

EVALUATING, CONCLUDING AND REPORTING ISA

Overall review of financial information, and evaluation of audit evidence 265,315,330,500,5
30

ISA 700,705, 706,

710, 720, 800,
Conclude and formulate an audit opinion ISRE2400, ISRSs
4400, 4410,
SAAPS2,3
 RISK ASSESSMENT PROCEDURES – INTERNAL
CONTROLS
Obtain an understanding of internal controls TO
• Identify types of material misstatements
• Consider factors that affect the RMM
• Design the nature, timing and extent of further audit procedures in
response to the assessed risk

Obtain an understanding of the internal controls INVOLVES

• Evaluate the design of a control
• Determine whether it has been implemented

• If reliance wants to be placed on the controls = Test operating effectiveness

of the control

DESIGN AND IMPLEMENTATION OF A CONTROL SHOULD BE TESTED FOR ALL SIGNIFICANT

RISKS
RISK ASSESSMENT PROCEDURES AND
PERFORMANCE OF TEST OF CONTROLS

HOW do we obtain an understanding of the internal controls?

When do an auditor perform test of controls?

Test of controls are performed by the auditor to determine what?

The internal control systems is normally documented:

• System description – Description of the system and the controls in the system
• System flow charts – Diagrammatical presentation of the functions and controls
procedures in a system.
RISK ASSESSMENT PROCEDURES AND TEST OF
CONTROLS

What is the difference between risk assessment procedures and test of controls?
TEST OF CONTROLS

EXTENT

Determined by:
NATURE = Assessment of
materiality
TIMING
= Inspection = Assessed risk
= Depend on the
= Observation = Degree of assurance
auditor’s objective
= Enquiry the auditor plans to
= Should cover the
= Re-performance obtain
whole period
= Combination of above
Items can be selected
using professional
judgement or statistical
methods
TEST OF CONTROLS EXAMPLE (NATURE)

CONTROL TEST OF CONTROL

Separate goods receiving department exist Enquire and observe whether

a separate department exist

The goods are received by two persons who Enquire of the goods receipt
Enquire and observe whether a separate department existEnquire and observe
count and inspect them for quality personnel how the control
whether a separate department exist
function. Observe on a
secretive basis whether the
controls are complied with.

One receipt of the goods the goods received
personnel prepare a GRN and sign it as proof of
the fact that the goods were counted and
inspected
Observe the receipt of goods
and determine whether the
controls are complied with.
Inspect the signatures on the
GRN as proof
TEST OF CONTROL EXAMPLE (DIRECTION OF
TESTING)

All recorded purchased are valid (goods were actually received)

What control objective is achieved?

What will be a typical control to address the above?

What test of control(s) will be performed to determine if the control is operating

effectively?
TEST OF CONTROL EXAMPLE (DIRECTION OF
TESTING)

All valid purchases are recorded and nothing is left out.

What control objective is achieved?

What will be a typical control to address the above?

What test of control(s) will be performed to determine if the control is operating

effectively?
COMMUNICATING DEFICIENCIES IN INTERNAL
CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANAGEMENT
Auditor’s responsibility
* Communicate significant deficiencies
DEFICIENCY
= Control is designed, implemented
or operated in such a way that it is
unable to prevent or detect and
correct misstatements in the AFS on
a timely basis
= Control necessary to prevent or
detect and correct misstatements in
the AFS on a timely basis is missing
ISA
265
SIGNIFICANT DEFICIENCY
= deficiency or a combination of
deficiencies in internal control that
in the auditor’s professional
judgement is of sufficient
importance to merit the attention
of those charged with governance
COMMUNICATING DEFICIENCIES IN INTERNAL ISA
265
CONTROL TO THOSE CHARGED WITH GOVERNANCE
AND MANAGEMENT
Communication if SIGNIFICANT DEFICIENCIES should be:
• In writing
• Could be preceded by some form of oral communication to assist
management or those charged with governance to take remedial action
• Should take place on a timely basis
• Include a description of the deficiencies and explanation of their potential
effects
• Include sufficient information to enable those charged with governance and
management to understand the context of the communication
• Should be to the CEO/CFO in the case of reporting to management
 ISA
COMMUNICATING DEFICIENCIES IN INTERNAL 265
CONTROL TO THOSE CHARGED WITH GOVERNANCE 230

AND MANAGEMENT

What should an auditor do if a significant deficiency has been communicated in the

prior year but no remedial action was taken and still exist in the current year?

What if the deficiency still exist because management has chosen not to remedy
them?