Internal Control

Page 1
Recap:
1. Acceptance and continuance of clients
2. Withdrawal from an audit engagements
3. Establishing an understanding of the terms of engagements
4. Preliminary engagement

Page 2
Supplemental Readings:
o PSA 300 (Redrafted) – planning an audit of financial
statement
o PSA 315 (Redrafted) – identifying an assessing risks of
material misstatement through understanding the entity and
its environment
o PSA 320 (Revised and Redrafted) – audit materiality
o PSA 330 (Redrafted) – the auditor’s responses to assessed
risks
o PSA Glossary of terms
Page 3
Understanding the internal control

Page 4
Page 5
 Understanding the internal control

Internal control
Internal Control is the process designed, implemented and
maintained by those charged with governance, management,
and other personnel to provide reasonable assurance about the
achievement of an entity’s objectives with regards to:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

Page 6
 Understanding the internal control

Internal control
When obtaining an understanding of controls that are relevant
to the audit the auditor shall:
• Evaluate the design of those controls
• Determine whether they have been implemented
By performing procedures such as inspection of documents
and reports, observation of the application of controls in
addition to inquiry of the entity’s personnel.

Page 7
 Understanding the internal control

Components of internal control

Five components of entity’s internal control are:
1. Control environment
2. Entity’s risk assessment process
3. Information system including the related business relevant
to financial reporting and communication
4. Control activities
5. Monitoring controls

Page 8
 Understanding the internal control

Components of internal control

Control environment
The control environment includes the governance and
management functions and the attitude, awareness, and
actions of those charged with governance and management
concerning the entity’s internal control and its importance in the
entity

Page 9
 Understanding the internal control

Components of internal control

Elements of Control environment
• Communication of enforcement of integrity and ethical values
• Commitment to competence
• Participation by those charged with governance
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices

Page 10
 Understanding the internal control

Components of internal control

Entity’s Risk Assessment Process
Entity’s risk assessment process means to identify, analyze,
and manage risks relevant to financial reporting.
The auditor shall obtain an understanding of whether the entity
has a process for:
a. Identifying business risks relevant to financial reporting objectives
b. Estimating the significance of the risks
c. Assessing the likelihood of their occurrences; and
d. Deciding about actions to address those risks

Page 11
 Understanding the internal control

Components of internal control

Information system including the related business relevant to
financial reporting and communication

Accounting information system consists of the records and methods

used to initiate, analyze, identify, and record the organization’s
transactions and to account for related assets and liabilities. The
quality of information that the accounting information system
generates impact management’s ability to take actions and make
decisions in connection with the organization’s operations and to
prepare reliable financial statements.
Page 12
 Understanding the internal control

Components of internal control

Information system including the related business relevant to
financial reporting and communication
The auditor shall obtain an understanding of the information system,
including the related business processes, relevant to financial
reporting, including the following areas:
• The classes of transactions in the entity’s operations that are
significant to the financial statements
• The procedures, within both IT and manual systems , by which
those transactions are initiated, recorded, processed, corrected
as necessary, transferred to the general ledger & reported in FS.
Page 13
 Understanding the internal control

Components of internal control

Information system including the related business relevant to
financial reporting and communication
• The related accounting records, whether electronic or manual,
supporting information, and specific accounts in the financial
statements that are used to initiate, record, process and report
transactions, this includes the correction of incorrect information
and how information is transferred to the general ledger
• How the information system captures events and conditions,
other than transactions, that are significant to the financial
statements.
Page 14
 Understanding the internal control

Components of internal control

Information system including the related business relevant to
financial reporting and communication
• The financial reporting process used to prepare the entity’s
financial statements, including significant accounting estimates
and disclosures
• Controls surrounding journal entries, including non-standard
journal entries used to record non-recurring, unusual
transactions or adjustments

Page 15
 Understanding the internal control

Components of internal control

Information system including the related business relevant to
financial reporting and communication
The auditor shall obtain an understanding of how the entity
communicates financial roles and responsibilities and significant
matters relating to financial reporting, including:
• Communications between management and those charged with
governance
• External communications such as those with regulatory
authorities

Page 16
 Understanding the internal control

Components of internal control

The auditor shall obtain understanding of the control
environment. As part of obtaining this understanding, the
auditor shall evaluate whether:
a. management, with the oversight of those charged with governance,
has created and maintained a culture of honesty and ethical behavior
b. Strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control,
and whether those other components are not undermined by
deficiencies in the control environment

Page 17
 Understanding the internal control

Components of internal control

Control activities relevant to the audit
Control activities are the policies and procedures to help ensure
that management directives are carried out. Control activities
can be grouped into two distinct categories:
• Physical controls
• Information technology controls

Page 18
 Understanding the internal control

Components of internal control

Page 19
 Understanding the internal control

Components of internal control

The auditor shall obtain a sufficient understanding of control activities to:
• Assess the risks of material misstatement at the assertion level
• Design further audit procedures responsive to assessed risks

Page 20
 Understanding the internal control

Components of internal control

Monitoring of controls
Monitoring of controls involves assessing the design and operation of
controls on a timely basis and taking the necessary corrective actions
modified for changes in conditions

The auditor shall obtain an understanding of the major activities that the
entity uses monitor internal control over financial reporting, including
those related to those control activities relevant to the audit, and how the
entity initiates remedial actions to deficiencies in its controls.

Page 21
 Understanding the internal control

Components of internal control

If the entity has an internal audit function, the auditor shall obtain an
understanding of the following in order to determine whether the internal
audit function is likely to be relevant to the audit:
• The nature of the internal audit function’s responsibilities and how the
internal audit functions fits in the entity’s organizational structure
• The activities performed, or to be performed, by the internal audit
function.

Page 22
 Understanding the internal control

Components of internal control

The auditor shall obtain an understanding of the sources of the
information used in the entity’s monitoring activities, and the basis upon
which management considers the information to be sufficiently reliable for
the purpose.

Page 23
 Understanding the internal control

Limitation of internal control

The effectiveness of internal control system is subject to certain inherent
limitation including:
• Management override of internal control – example of techniques
used by management in overriding internal controls over the financial
reporting function
• Back dating or forward dating documents to a different period
• Making adjusting entries during the financial reporting closing
process
• Reclassifying items properly between the statement of financial
performance and financial condition

Page 24
 Understanding the internal control

Limitation of internal control

The effectiveness of internal control system is subject to certain inherent
limitation including:
• Collusion – the effectiveness of duties lies in individuals performing
only their assigned jobs or in the performance of one person being
checked by another.

Page 25
 Understanding the internal control

Documenting the understanding of internal control

The auditor must document the understanding of the internal control
components in their working papers to plan the audit. The form and
extent of this documentation is affected by the size and complexity of the
entity, as well as the nature’s of the entity’s internal control. The
documentation usually takes the form of:
• Internal control questionnaire
• Narrative description
• Flowcharts
The more complex the internal control and the more extensive the
procedures performed by the auditor, the more extensive should be the
documentation.
Page 26
 Understanding the internal control

Documenting the understanding of internal control

Internal control questionnaires provides a systematic means for the
auditor to investigate areas such as internal control structure. It contains
questions about factors of internal control components. Most internal
control questionnaires are designed to yield “yes” or “no” or “not
applicable” answer to the question.

Narrative description – documented in memorandum. It describes the

follow of transaction cycles, identifying the employees performing various
tasks, documents prepared, records maintained, and the division of
duties. This is more appropriate when the entity has a simple internal
control system.
Page 27
 Understanding the internal control

Documenting the understanding of internal control

Flowchart is a diagram, a symbolic representation of an entity’s internal
control system or a series of procedures shown in sequence it illustrates
the interaction of the system in terms of functions, documents, processes
and reports.

Page 28
 Understanding the internal control

Documenting the understanding of internal control

Method Advantages Disadvantages
Question • Easy to complete • may be answered without
naires • Comprehensive list of questions adequate consideration
make it unlikely that important • Standardized
portions of the internal control will be questionnaires may not fit
looked client adequately
• Weakness become obvious (unable
to provide reasonable response)

Memoran • Tailor-made to fit specific • May become very long

dum engagement and time-consuming
• Requires a detailed analysis of the • Weaknesses in the
operations and thus enable the structure are not always
auditor to understand the function obvious
• Auditor may overlook
important portions of the
internal control
Page 29
 Understanding the internal control

Documenting the understanding of internal control

Method Advantages Disadvantages
Flowchar • Graphic presentations of the • Preparation is time-
t structure consuming
• Important portions of the internal • Weaknesses in the
control will not be overlooked structure not obvious
• Good for electronic systems (especially to
inexperienced auditor)

Page 30
 Risk that the
Risk of material misstatements auditor will not
of financial statements detect such
misstatements

AR IR CR DR
Audit of Internal
Control

Audit Planning Audit Business

(including consideration of process and
internal control) related accounts

Page 31
 Major phases of an audit

Consider and audit Internal

Plan the Audit
Control

Audit Business process and

Establishing Materiality and
related accounts
Assess Risks
(applied auditing)

Pre-planning Complete the audit

Client Acceptance/ Continuance

and Establishing Engagement Issue audit report
Terms
Page 32
 Major phases of an audit

Consider and audit Internal

Plan the Audit
Control

Audit Business process and

Establishing Materiality and
related accounts
Assess Risks
(applied auditing)

Pre-planning Complete the audit

Client Acceptance/ Continuance

and Establishing Engagement Issue audit report
Terms
Page 33
Supplemental Readings:
Next topic: Audit Evidence, Procedures and Documentation

Page 34
Questions

Page 35