AUDITING THEORY

INTERNAL CONTROL

Related PSAs/PAPSs: PSA 400, 402 and 315

The auditor should obtain an understanding of the accounting and internal control
systems sufficient to plan the audit and develop an effective audit approach.

Accounting system means the series of tasks and records of an entity by which
transactions are processed as a means of maintaining financial records. Such systems
identify, assemble, analyze, calculate, classify, record, summarize and report
transactions and other events.

Internal Control System means all the policies and procedures (internal controls)
adopted by the management of an entity to assist in achieving management’s objective
of ensuring, as far as practicable,:
 orderly and efficient conduct of its business, including adherence to management
policies;
 safeguarding of assets;
 prevention and detection of fraud and error;
 accuracy and completeness of the accounting records; and
 timely preparation of reliable financial information.

The internal control system extends beyond those matters which relate directly to the
functions of the accounting system.

Internal Control Components (PSA 315)

(a) The control environment;
(b) The entity’s risk assessment process;
(c) The information system, including the related business processes, relevant to
financial reporting, and communication;
(d) Control activities; and
(e) Monitoring of controls.

Control environment
The control environment includes the attitudes, awareness, and actions of management
and those charged with governance concerning the entity’s internal control and its
importance in the entity. The control environment also includes the governance and
management functions and sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for effective internal control, providing
discipline and structure.

The control environment encompasses the following elements:

 Communication and enforcement of integrity and ethical values.
 Commitment to competence.
 Participation by those charged with governance.
 Management’s philosophy and operating style.
 Organizational structure.
 Assignment of authority and responsibility.
 Human resource policies and practices.

Entity’s risk assessment process

An entity’s risk assessment process is its process for identifying and responding to
business risks and the results thereof. For financial reporting purposes, the entity’s risk
assessment process includes how management identifies risks relevant to the
preparation of financial statements that are presented fairly, in all material respects in
accordance with the entity’s applicable financial reporting framework, estimates their
significance, assesses the likelihood of their occurrence, and decides upon actions to
manage them.
Risks can arise or change due to circumstances such as the following:
 Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly
different risks.
 New personnel. New personnel may have a different focus on or understanding of
internal control.
 New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
 Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
 New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
 New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
 Corporate restructurings. Restructurings may be accompanied by staff reductions
and changes in supervision and segregation of duties that may change the risk
associated with internal control.
 Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
 New accounting pronouncements. Adoption of new accounting principles or
changing accounting principles may affect risks in preparing financial statements.

Information system, including the related business processes, relevant to financial

reporting, and communication
An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent, or
have less significance, in systems that are exclusively or primarily manual.

The information system relevant to financial reporting objectives, which includes the
financial reporting system, consists of the procedures and records established to initiate,
record, process, and report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets, liabilities, and equity.

Accordingly, an information system encompasses methods and records that:

 Identify and record all valid transactions.
 Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
 Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
 Present properly the transactions and related disclosures in the financial
statements.

Communication involves providing an understanding of individual roles and

responsibilities pertaining to internal control over financial reporting. It includes the
extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting exceptions to
an appropriate higher level within the entity. Open communication channels help ensure
that exceptions are reported and acted on.
Control activities
Control activities are the policies and procedures that help ensure that management
directives are carried out, for example, that necessary actions are taken to address risks
that threaten the achievement of the entity’s objectives.

Generally, control activities that may be relevant to an audit may be categorized as

policies and procedures that pertain to the following:
 Performance reviews.
 Information processing.
 Physical controls.
 Segregation of duties.

Monitoring of controls
Management’s monitoring of controls includes considering whether they are operating as
intended and that they are modified as appropriate for changes in conditions. Monitoring
of controls may include activities such as management’s review of whether bank
reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales
personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal
department’s oversight of compliance with the entity’s ethical or business practice
policies.

Inherent Limitations of Internal Controls

1. Management’s usual requirement that the cost of an internal control does not exceed
the expected benefits to be derived.
2. Most internal controls tend to be directed at routine transactions rather than non-
routine transactions.
3. The potential for human error due to carelessness, distraction, mistakes of judgment
and the misunderstanding of instructions.
4. The possibility of circumvention of internal controls through the collusion of a
member of management or an employee with parties outside or inside the entity.
5. The possibility that a person responsible for exercising an internal control could
abuse that responsibility, for example, a member of management overriding an
internal control.
6. The possibility that procedures may become inadequate due to changes in
conditions, and compliance with procedures may deteriorate.

Accounting and Internal Control Assessment

1st Understanding of accounting and internal control system
2nd Plan the assessed level of control risk
rd
3 Performance of tests of controls (if appropriate)
4th Reassessment of control risk
5th Final assessment of control risk

(1st) Understanding of Accounting and Internal Control Systems

In the audit of financial statements, the auditor is only concerned with those policies and
procedures within the accounting and internal control systems that are relevant to the
financial statement assertions. The understanding of relevant aspects of the accounting
and internal control systems, together with the inherent and control risk assessments
and other considerations, will enable the auditor to:
(a) identify the types of potential material misstatements that could occur in the
financial statements;
(b) consider factors that affect the risk of material misstatements; and
(c) design appropriate audit procedures.

The nature, timing and extent of the procedures performed by the auditor to obtain an
understanding of the accounting and internal control systems will vary with, among other
things:
 The size and complexity of the entity and of its computer system.
 Materiality considerations.
 The type of internal controls involved.
 The nature of the entity’s documentation of specific internal controls.
 The auditor’s assessment of inherent risk.
 Experience gained from prior audits.
Procedures in Obtaining Understanding
1. Make inquiries of appropriate company personnel
2. Inspect documents and records
3. Observe the company’s activities and operations
4. Walk-through

Documentation of Understanding
The auditor should document his understanding of internal control. The extent of
documentation is a matter of the CPA’s judgment and the form of documentation
depends upon his preference and skills.
1. Narrative descriptions 3. Flowcharts
2. Internal control questionnaires (ICQ) 4. Checklists

(2nd) Preliminary Assessment of Control Risk

The preliminary assessment of control risk is the process of evaluating the effectiveness
of an entity’s accounting and internal control systems in preventing or detecting and
correcting material misstatements. There will always be some control risk because of
the inherent limitations of any accounting and internal control system.

After obtaining an understanding of the accounting and internal control systems, the
auditor should make a preliminary assessment of control risk, at the assertion level, for
each material account balance or class of transactions.

The auditor ordinarily assesses control risk at a high level for some or all assertions
when:
(a) the entity’s accounting and internal control systems are not effective; or
(b) evaluating the effectiveness of the entity’s accounting and internal control
systems would not be efficient.

The preliminary assessment of control risk for a financial statement assertion should be
high unless the auditor:
(a) is able to identify internal controls relevant to the assertion which are likely to
prevent or detect and correct a material misstatement; and
(b) plans to perform tests of control to support the assessment.

(3rd) Test of Controls

If appropriate, tests of control are performed to obtain audit evidence about the
effectiveness of the:
(a) design of the accounting and internal control systems, that is, whether they are
suitably designed to prevent or detect and correct material misstatements; and
(b) operation of the internal controls throughout the period.

Procedures for Performing Tests of Controls

1. Inspection 3. Observation 5. Walk-through
2. Inquiry 4. Reperformance

Required Documentation
Assessed Control Risk
High (Maximum) Less than high (Below Maximum)
Understanding of ICS Required Required
Tests of Controls Required Required
Assessment of Control Risk Required Not required
Reason for assessment Not required Required

(4th) Reassessment of control risk

Based on the results of the tests of control, the auditor should evaluate whether the
internal controls are designed and operating as contemplated in the preliminary
assessment of control risk. The evaluation of deviations may result in the auditor
concluding that the assessed level of control risk needs to be revised. In such cases,
the auditor would modify the nature, timing and extent of planned substantive
procedures.
(5th) Final Assessment of Control Risk
Before the conclusion of the audit, based on the results of the substantive procedures
and other audit evidence obtained by the auditor, the auditor should consider whether
the assessment of control risk is confirmed.

Communication of Weaknesses
As a result of obtaining an understanding of the accounting and internal control systems
and tests of control, the auditor may become aware of weaknesses in the systems. The
auditor should make management aware, as soon as practical and at an appropriate
level of responsibility, of material weaknesses in the design or operation of the
accounting and internal control systems, which have come to the auditor’s attention.
The communication to management of material weaknesses would ordinarily be in
writing.

However, if the auditor judges that oral communication is appropriate, such

communication would be documented in the audit working papers. It is important
to indicate in the communication that only weaknesses which have come to the
auditor’s attention as a result of the audit have been reported and that the
examination has not been designed to determine the adequacy of internal control
for management purposes.

MULTIPLE CHOICE QUESTIONS

1. The primary responsibility for establishing and maintaining an internal control

rests with
a. The external auditors
b. The internal auditors
c. Management and those charged with governance
d. The controller or the treasurer

2. The fundamental purpose of an internal control is to

a. Safeguard the resources of the organization
b. Provide reasonable assurance that the objectives of the organization
are achieved
c. Encourage compliance with organization objectives.
d. Ensure the accuracy, reliability, and timeliness of information.

3. Which of the following internal control objectives would be most relevant to the audit?
a. Operational objective
b. Compliance objective
c. Financial reporting objective
d. Administrative control objective

4. An auditor would most likely be concerned with internal control policies and procedures
That provide reasonable assurance about the
a. Efficiency of management’s decision-making process
b. Appropriate prices the entity should charged for its products
c. Methods of assigning production tasks to employees
d. Entity’s ability to process and summarize financial data

5. In an audit of financial statements, an auditor’s primary consideration regarding an

internal control activity is whether the control
a. Reflects management’s philosophy and operating style
b. Affects management’s financial statement assertions
c. Provides adequate safeguards over access to assets
d. Enhances management’s decision-making processes

6. Internal control can provide only reasonable assurance of achieving entity’s control
objectives. One factor limiting the likelihood of achieving those objectives is that
a. The auditor’s primary responsibility is the detection of fraud
b. The board of directors is active and independent
c. The cost of internal control should not exceed its benefits
d. Management monitors internal control
7. Inherent limitations in an internal control must be considered in evaluating its effectiveness
in preventing and detecting errors and fraud. Inherent limitations do not include
a. Misunderstanding of instructions, mistakes of judgment, personal
carelessness, distraction. or fatigue.
b. Incompatible functions performed by the same person.
c. Collusion among employees.
d. Management override of certain policies or procedures.

8. Which of the following best describes an inherent limitation that should be recognized by an
auditor when considering the potential effectiveness of an internal control structure?
a. Procedures whose effectiveness depends on segregation of duties can be
circumvented by collusion.
b. The competence and integrity of client personnel provide an environment conducive
to control and provides assurance that effective control will be achieved.
c. Procedures designed to assure the execution and recording of transaction in
accordance with proper authorizations are effective against fraud perpetrated
by management
d. The benefit expected to be derived from effective internal control usually do not
exceed the cost of such control.

9. When considering the effectiveness of a system of internal accounting control, the auditor
should recognize that inherent limitations do exist. Which of the following is an example
of an inherent limitation in a system of internal accounting control?
a. The effectiveness of procedures depends on the segregation of employee duties.
b. Procedures are designed to assure the execution and recording of transactions in
accordance with management’s authorization.
c. In the performance of most control procedures, there are possibilities of errors
arising mistakes in judgment.
d. Procedures for handling large numbers of transactions are processed by electronic
data processing equipment.

10. An effective system of internal control

a. Cannot be circumvented by management
b. Can reduce the cost of an external audit
c. Can prevent collusion among employees
d. Eliminates risks and potential loss to the organization

11. The internal control cannot be designed to provide reasonable assurance that
a. Transactions are executed in accordance with management’s authorization.
b. Frauds will be eliminated.
c. Access to assets is permitted only in accordance with management’s authorization.
d. The recorded accountability for assets is compared with the existing assets at
reasonable intervals.

12. Which of the following statements about internal control is correct?

a. Property maintained internal control reasonably ensures that collusion
among employees cannot occur
b. The establishment and maintenance of internal control are important responsibilities
of the internal auditor.
c. Exceptionally strong internal control is enough for the auditor to eliminate substantive
tests on a significant account balance.
d. The cost-benefit relationship is a primary criterion that should be considered in
designing internal control.

13. Internal control, no matter how well designed and operated, can only provide an entity
with reasonable assurance about achieving the entity’s objectives. The likelihood of
achievement is affected by limitations inherent to internal control.
These limitations do not include:

a. Collusion among employees

b. Inappropriate management override of internal control.
c. Human failures.
d. Incompatible functions performed by the same person.

Components of Internal Control

14. Which of the following best describes the interrelated components of internal control?
a. Organizational structure, management, philosophy, and planning
b. Control environment, risk assessment, control activities, information and
communication systems and monitoring
c. Risk assessment, backup facilities, responsibility accounting, and natural laws
d. Internal audit and management’s philosophy and operating style.
15. Which of the following is not one of the components of an entity’s internal control?
a. Control risk
b. Control activities
c. Information and communication
d. The control environment

16. The overall attitude and awareness of an entity’s board of directors concerning the
importance of the internal control usually is reflected in its
a. Computer-based controls
b. System of segregation of duties
c. Control environment
d. Safeguards over access to assets

17. When obtaining an understanding of an entity’s control environment, an auditor should

concentrate on the substance of management’s policies and procedures rather than
their form because
a. The auditor may believe that the policies and procedures are inappropriate for that
particular entity
b. The board of directors may not be aware of management’s attitude toward the
control environment
c. Management may establish appropriate policies and procedures but not act on
them

d. The policies and procedures may be so ineffective that the auditor may assess
control risk at a high level

18. Basic to a proper control environment are quality and integrity of personnel who must
perform the prescribed procedures. Which is not a factor in providing for competent
personnel?
a. Segregation of duties
b. Hiring practices
c. Training programs
d. Performance evaluations

19. In evaluating the design if the entity’s internal control environment, the auditor considers the
following elements and how they have been incorporated into the entity’s processes. Such
elements would include all of the following except
a. Integrity and ethical values
b. Commitment to competence
c. Organizational structure
d. Information and communications systems

20. It is important for the auditor to consider the competence of the audit client’s employees,
because their competence bears directly and importantly upon the
a. Cost-benefit relationship of internal control
b. Achievement of the objectives of internal control
c. Comparison of recorded accountability with assets
d. Timing of the tests to be performed