Before You Go On Solutions

Chapter 7
Understanding and Testing the Client’s System of Internal
Controls

1.1 What is the system of internal control? The system of internal control is defined in the
auditing standards as: “The system designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about the
achievement of the entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations.” (CAS 315) The system of internal control is a very broad concept and
encompasses all of the elements of an organization—its resources, systems, processes,
culture, structure, and tasks. When these elements are taken together, they support the
organization in achieving its objectives.

1.2 Why is it important to understand (and assess) the system of internal controls?
Understanding the system of internal control of an organization is important because when the
system of internal controls is effective, the organization is more likely to achieve its strategic and
operating objectives. Auditors focus on the components of internal control that have a direct
impact on the financial reporting. They consider the safeguards put in place by management to
prevent and detect errors including misappropriation of assets and human errors.
Understanding the system of internal control is a key component of the overall audit risk
assessment and provides evidence that influences the resulting strategy developed by the
auditor.

1.3 Name a generally accepted framework used to describe internal controls. Frameworks
for internal controls have been developed, such as the Internal Control— Integrated Framework
developed by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) and the Guidance on Controls issued by the Criteria of Control Board of CPA Canada.
These frameworks provide a structure that allows the auditor to assess the system of internal
controls of an organization as compared with a theoretical model.

2.1 What are the seven generally accepted objectives of internal controls as related to
the recording of transactions? The internal control objectives are matched with the relevant
assertions as follows:
1. Real—controls are in place to ensure that fictitious or duplicate transactions are not
included in the books and records of the organization (occurrence, rights and
obligations, and existence assertions).
2. Recorded—controls are in place that will prevent or detect the omission of transactions
from the books and records of the organization (accuracy, completeness, and accuracy,
valuation, and allocation assertions).
3. Valued—controls are in place to ensure that the correct amounts are assigned to the
transactions (accuracy, and accuracy, valuation, and allocation assertions).

© 2021 John Wiley and Sons, Auditing, 4e

 4. Classified—controls are in place to ensure that transactions are charged and allocated
to the correct general ledger account (accuracy, classification, and accuracy, valuation,
and allocation assertions).
5. Summarized—controls are in place to ensure that the transactions in the books and
records are summarized and totalled correctly (accuracy, and accuracy, valuation, and
allocation assertions).
6. Posted—controls are in place to ensure that the accumulated totals in the transaction file
are correctly transferred to the general ledger and subsidiary ledgers (accuracy,
classification, and accuracy, valuation, and allocation assertions).
7. Timely—controls are in place to ensure that transactions are recorded in the correct
accounting period (cut-off and completeness assertions).

2.2 Why are internal controls important to an organization? The reason an organization
puts controls in place is to ensure that errors in the processing of transactions do not occur, and
if they do, that these errors are identified and rectified quickly. Internal controls assist the
organization in protecting their assets and ensuring that policies and procedures are in place to
assist the organization in meeting their objectives.

2.3 Why are internal controls important to an auditor? The auditor links controls to audit
assertions and account balances. When the objectives of internal controls are not met, it is
considered to be a deficiency in internal control and the auditor then considers whether the
weakness has a significant impact on their risk assessment for the relevant account balances,
transactions, and disclosures. If internal controls are effective, the auditor can plan a combined
audit strategy and place reliance on these controls, decreasing the amount of substantive
testing required.

3.1 What are the five components of internal control? The system of internal control
consists of five components: 1) the control environment, 2) the entity’s risk assessment process,
3) the information system, including the related business processes relevant to financial
reporting and communication, 4) control activities, and 5) monitoring of controls.

3.2 Why is segregation of duties important when understanding internal control?

Adequate segregation of duties is an important consideration in determining whether a client’s
controls are effective, as it reduces the likelihood that errors (intentional or not) will remain
undetected. When IT is used in an information system, segregation of incompatible duties is
often achieved by implementing system-based controls (referred to as logical access controls).

3.3 How does management’s attitude and control consciousness affect the internal
control environment of an organization? The control environment sets the tone of an entity
and influences the control consciousness of its people. It is the foundation for all other
components of internal control and is often thought of as a combination of the culture, structure,
and discipline of an organization. It reflects the overall attitude, awareness, and actions of
management, the board of directors, others charged with governance, and the owners
concerning the importance of controls and the emphasis given to controls in determining the
organization’s policies, processes, and organizational structure. Therefore, the control
environment is sometimes referred to as the “tone at the top”. If management takes controls and
procedures seriously, the rest of the organization will as well.

4.1 What are the different types of controls? Controls are classified as one of four types: 1)
manual, 2) automated (otherwise known as application controls), 3) information technology (IT)
general controls (ITGCs) (the overall controls put in place to manage changes to applications

© 2021 John Wiley and Sons, Auditing, 4e

and programs, as well as to limit access to appropriate users of those IT applications only), and
4) a combination of control types referred to as IT-dependent manual controls.

4.2 What is the difference between an application control and an IT general control?
Application controls are the fully automated controls that apply to the processing of individual
transactions to ensure transactions are processed correctly. They are the controls that are
driven by the particular software application being used. IT general controls (ITGCs) are the
client’s controls over the hardware and software it uses, including acquisition and maintenance
of equipment, backup and recovery procedures, and the organization of the IT department to
ensure the appropriate segregation of duties. These ITGCs support the ongoing functioning of
the automated (that is, programmed) aspects of preventive and detective controls and also
provide the auditor with a basis for relying on electronic audit evidence.

4.3 Which type of control, preventive or detective, is usually a more efficient control type
to test? Detective controls are usually more efficient. Preventive controls do not always
produce physical evidence indicating whether the control was performed, who performed it, or
how well it was performed. Even when there is evidence it was performed, there may be no
evidence as to the effectiveness of the control. It is important to note that detective controls are
only effective, and therefore only provide audit assurance, when the underlying data and
transactions (and therefore preventive controls) can be relied on. Therefore, it is important to
gain an understanding of (and possibly test) the preventive controls in addition to the detective
controls to which they relate.

5.1 Name three factors to consider when deciding the extent of testing to be performed.
The factors to consider when deciding the extent of testing include the following:
• How often the control is performed—the less frequently a control is performed, the fewer
instances of the control there are to test,
• The degree to which the auditor intends to rely on the control as a basis for limiting their
substantive tests,
• The persuasiveness of the evidence produced by the control,
• The need to be satisfied that the control operated as intended throughout the period of
reliance,
• The existence of a combination of controls that may reduce the level of assurance needed
from any one of the controls,
• The relative importance of the “what could go wrong” questions or statements considering
the inherent risks, the audit assertions, and the volume, complexity, and materiality of the
transactions or accounts,

5.2 When would testing application controls warrant performing a test of more than one?
When the control is applied more frequently (say, weekly or daily), the auditor might test more
than one application of the control in detail and review a sample of the remaining applications
for unusual items.

5.3 Why does the auditor update the interim evaluation of controls at year end? Tests of
controls will usually be carried out at an interim date (that is, before year end). It is preferable to
test entity-level controls and ITGCs early in the audit process because the results of this testing
could affect the nature and extent of other procedures the auditor plans to perform. The auditor
updates their evaluation of controls from the time of their interim procedures through to the year-
end date as the audit of the statements covers the entire fiscal year. They update their
evaluation by identifying changes, if any, in the control environment and in the controls

© 2021 John Wiley and Sons, Auditing, 4e

themselves. If changes are identified, they consider the effect of such changes on their
evaluation of the controls.

6.1 Explain the techniques used to document internal controls. The most common forms
of documentation include the following:
• Narratives—the most common form of documentation, particularly in smaller environments
where accounting and internal control activities are simple or where a particular flow of a
transaction is relatively simple and straightforward. It involves the auditor describing (in
words) each step of the flow of transaction from start to finish (that is, from initiation to
reporting in the financial statements).
• Flowcharts—used in larger and more complex environments. It involves the auditor
summarizing (in flowcharts/boxes) each step of the flow of a transaction from start to finish
(that is, from initiation to reporting in the general ledger). While a flowchart may take longer
to prepare, it provides a visual representation of the transaction and the key controls
throughout the flow that is often simpler for the reader or reviewer to understand.
• Combinations of narratives and flowcharts—this form of documenting internal controls is
typically a page divided into two sections with the process flowchart on the left-hand side
(or the top side) and the narrative describing each step in the flow on the right-hand side
(or the bottom half of the page). The flowchart side highlights the key activities from
initiation to reporting, while the narrative column contains the details about what happens in
the flow of the transaction.
• Checklists and preformatted questionnaires—an internal control checklist or questionnaire
used to systematically identify the most common types of internal control procedures that
should be present. This is particularly helpful in industries that the auditor may not
personally be familiar with auditing, or when less-experienced auditors find it difficult to
identify which are the critical controls.

6.2 When would it be more appropriate to use a flowchart instead of a narrative to

document internal controls? Flowcharts are more appropriate in larger and more complex
environments. It provides a visual representation of the transaction and the key controls
throughout the flow that is often simpler for the reader or reviewer to understand.

6.3 Name the four techniques for testing controls. Techniques used to test controls include
inquiry, observation, inspection of physical evidence, and re-performance. Ordinarily, a
combination of these testing techniques provides evidence that the control operated as intended
throughout the period in which the auditor wishes to place reliance on it.

7.1 What does the auditor do when they identify control exceptions? The auditor needs to
investigate any control exceptions (deviations) they identify during their testing to find out, to the
extent practical, the causes (for example, whether the exceptions may be indicative of a pattern
of similar exceptions), the amounts involved, the financial statement accounts affected, and the
potential effect on other audit procedures. If control exceptions are identified, the auditor will
determine if there are any compensating controls. If testing is extended and another control
exception is identified, the auditor should change their decision of relying on that control. If a
compensating control is not effective or does not exist, the auditor should update (and
potentially increase) the nature, timing, and extent of the planned substantive procedures. If
tests of controls indicate the controls are not operating effectively, then control risk must be
assessed as high for that assertion.

7.2 Why does the auditor consider the entity’s overall control environment when
performing control testing? An effective entity-level control environment

© 2021 John Wiley and Sons, Auditing, 4e

may allow the auditor to limit their tests of controls to inquiry and observation during
the period between when they tested the controls (interim) and year end. If they become
aware of adverse changes in the overall control environment of the entity, such as a loss
of employees and key management who perform key controls and who provide evidence
as to the effectiveness of the overall entity control environment, additional tests of controls
may be necessary.

7.3 Why does the auditor always investigate control exceptions? The auditor needs to
investigate any control exceptions (deviations) they identify during their testing to find out, to the
extent practical, the causes (for example, whether the exceptions may be indicative of a pattern
of similar exceptions), the amounts involved, the financial statement accounts affected, and the
potential effect on other audit procedures.

8.1 What level of detail does the auditor need to include in the audit working papers
when documenting the results of their control testing? The auditor documents the purpose
of the tests of controls, the test performed, the controls selected for testing, and the results of
the testing. There must be enough detail regarding the controls selected to allow another auditor
to review the working paper, re-perform the steps (if necessary), and reach the same conclusion
as the auditor who prepared the working paper.

8.2 Which auditing standard sets the minimum level of documentation required in the
working papers stored in the audit files? The auditing standard that sets the minimum level
of documentation is CAS 230 Audit Documentation.

8.3 What is the impact on the extent of required substantive testing if inherent risk is
high and no assurance has been obtained from control testing? If inherent risk is high and
no assurance has been obtained from control testing, the audit strategy may be revised to a
substantive approach. This means extensive substantive procedures designed to estimate the
dollar value of any error in the balance would need to be performed.

9.1 Why is it important to identify both the strengths and weaknesses in a system of
internal controls? Strengths and weaknesses in internal control are usually noted by the
auditor when performing
tests of controls as part of the control risk assessment. An internal control strength is when
control is in place and working as intended; therefore, it is effective in preventing or detecting a
material misstatement in the financial statements. Auditors identify the strengths in order to test
and rely on these internal controls. Weaknesses in internal controls exist when an internal
control is unable to prevent, detect, and correct material misstatements. Auditors will not rely on
controls which are weak and ineffective.

9.2 Does the auditor provide feedback on strengths in internal controls or just
weaknesses? Explain. While clients will often be interested in obtaining feedback from
external auditors as to the relative strengths of their internal controls, focus is ordinarily on the
areas of weakness identified. This is because it is the weaknesses that increase the risk of
material misstatements being undetected by management’s processes and controls, and, thus,
it is on the areas of weakness that the auditor typically performs additional substantive testing to
quantify the (potential) material misstatements.

9.3 What obligations does the auditor have regarding communicating strengths or
weaknesses in internal controls? CAS 260 Communication with Those Charged with
Governance and CAS 265 Communicating Deficiencies in Internal Control to Those Charged

© 2021 John Wiley and Sons, Auditing, 4e

with Governance and Management require the auditor to provide those charged with
governance with timely observations arising from the audit that are significant and relevant to
their responsibility to oversee the financial reporting process, and to promote effective two-way
communication between the auditor and those charged with governance. The auditor should
communicate matters of governance interest to management, such as significant (or material)
weaknesses in the design or implementation of internal control, as soon as practicable, and at
an appropriate level of responsibility.

10.1 Do auditors always communicate weaknesses in internal controls to those charged

with governance? Explain your answer. Significant weaknesses in internal controls need to
be communicated. Professional judgement is necessary in deciding whether a weakness
identified is significant enough to warrant communicating to management and to those charged
with governance. When the auditor identifies risks of material misstatement that the entity has
not controlled (or has not adequately controlled), or if in the auditor’s judgement there is a
significant deficiency in the entity’s design or implementation of internal control, the auditor is
required to communicate these deficiencies as soon as practicable to those charged with
governance. Deciding whether an observation should be reported to those charged with
governance is often a matter of consultation and discussion among the audit team. The auditor
may also identify and communicate internal control deficiencies not considered significant but
still worthy of management’s attention.

10.2 Can the content ordinarily included in a management letter be delivered verbally to
those charged with governance? Explain your answer. While it is not mandatory to provide
this feedback in writing, the auditor ordinarily prefers to provide their recommendations in the
form of a letter or report to avoid any ambiguity or confusion as to what observations,
conclusions, and recommendations they have made. Responding to a management letter also
provides a simple way for management to document the actions they have taken in response to
the issues raised and to share these actions (and the progress toward the resolution of the
issues) with those charged with governance.

10.3 Why is it preferred that most communications with those charged with governance
be done in writing? The auditor ordinarily prefers to provide their recommendations in the form
of a letter or report to avoid any ambiguity or confusion as to what observations, conclusions,
and recommendations they have made.

© 2021 John Wiley and Sons, Auditing, 4e