CONSIDERATION OF

INTERNAL CONTROL:

ASSESSING THE CONTROL RISK

INTERNAL
CONTROL

Set Desired
Level of Audit
Risk

Assess
Inherent Risk

Audit Planning

Assess
Control Risk

CONSIDERATION
OF INTERNAL
CONTROL

Determine
Acceptable
Level of
Detection Risk

Performing
Substantive Test

What Is Internal Control?

INTERNAL CONTROL SYSTEM means all the
policies and procedures (internal controls)
adopted by the management of an entity to
assist in achieving managements objective of
ensuring, as far as practicable,

Integrity and
Ethical
Values

Management
Philosophy and
Operating Style
Active Participation
of Those Charged
With Governance

Control
Environment

Commitment to
Competence

Risk
Assessment

Internal Control

Information
and
Communicatio
n System

Assignment of
responsibility and
anchority

Personnel
Policies and
Procedures

Performance
Reviews

Control
Activities

Monitoring

Information
Processing

Physical
Controls

Segregation of
Duties

What Is Internal Control?

orderly and efficient conduct of its business,

including adherence to management policies;
safeguarding of assets;
prevention and detection of fraud and error;
accuracy and completeness of the accounting
records; and
timely preparation of reliable financial
information

What Is Internal Control?

Internal control is a process

Internal control is effected by those charged
with governance, management and other
personnel
Internal control can be expected to provide
reasonable assurance of achieving entitys
objective
Internal control is designed to help achieve
entitys objective

Components Of Internal Control

According to PSA 315

The control environment

Risk assessment process
Information and communication systems
Control activities
Monitoring of controls

CONTROL ENVIRONMENT

The control environment includes the

attitudes, awareness, and actions of
management and those charged with
governance concerning the entitys internal
control and its importance in the entity.

Elements of Control
Environment

Integrity and Ethical Values

Management Philosophy and Operating Style
Active Participation of those charged with
governance
Commitment to competence
Personnel Policies and Procedures

RISK ASSESSMENT
PROCESS
An entitys risk assessment process is its
process for identifying and responding to
business risks and the results thereof

Risk Assessment Process

Changes in operating environment

New personnel
New or revamped information systems
Rapid growth
New technology
New business models, products, or activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements

INFORMATION AND COMMUNICATION

SYSTEM
An information system consists of
infrastructure (physical and hardware
components), software, people,
procedures, and data.

Information System
The information system relevant to financial
reporting objectives, which includes the
financial reporting system, consists of the
procedures and records established to
initiate, record, process, and report entity
transactions (as well as events and
conditions) and to maintain accountability
for the related assets, liabilities, and equity.

An information system should

Identify and record all valid transactions.

Describe on a timely basis the transactions in sufficient detail
to permit proper classification of transactions for financial
reporting.
Measure the value of transactions in a manner that permits
recording their proper monetary value in the financial
statements.
Determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting
period.
Present properly the transactions and related disclosures in
the financial statements.

Communication System
Communication
involves
providing
an
understanding of individual roles and
responsibilities pertaining to internal control over
financial reporting.

CONTROL ACTIVITIES
Control activities are the policies and
procedures that help ensure that
management directives are carried out.

What are the control

procedures?

Performance reviews
Information processing
Physical controls
Segregation of duties

Performance Reviews

reviews and analysis of actual performance vs.

budgets, forecasts and prior period analyses

analysis of the relationships and investigative

and corrective actions

Information Processing

perform to check accuracy, completeness and

authorization of transactions.

when computer processing is used in

significant accounting transactions, internal
control procedures can be classified into two:
General

Control
Application Control

Physical Controls

physical security of assets

authorization for access to computer programs
periodic counting and comparison with
amounts shown on control records

Segregation of Duties

reporting, reviewing and approving

reconciliations
approval and control of documents

MONITORING
Managements monitoring of controls includes
considering whether they are operating as
intended and that they are modified as
appropriate for changes in conditions.
ongoing

monitoring
separate evaluation

Ongoing Monitoring

Includes regular management and supervisory

activities

Preparation of monthly bank reconciliations

Separate Evaluation

Monitoring Activities that are performed on a

non-routine basis

internal auditors evaluation of sales personnels

compliance with the entitys policies on terms of sales
contracts
legal departments oversight of compliance with the
entitys ethical or business practice policies.

CONSIDERATION
OF INTERNAL
CONTROL

INHERENT LIMITATIONS OF INTERNAL

CONTROLS

1. Managements usual requirement that the cost

of an internal control does not exceed the
expected benefits to be derived.
2. Most internal controls tend to be directed at
routine transactions rather than non-routine
transactions.
3. The potential for human error due to
carelessness, distraction, mistakes of judgment
and the misunderstanding of instructions.

INHERENT LIMITATIONS OF INTERNAL

CONTROLS
4. The possibility of circumvention of internal controls
through the collusion of a member of management or
an employee with parties outside or inside the entity.
5. The possibility that a person responsible for
exercising an internal control could abuse that
responsibility, for example, a member of management
overriding an internal control.
6. The possibility that procedures may become
inadequate due to changes in conditions, and
compliance with procedures may deteriorate.

CONSIDERATION OF INTERNAL
CONTROL
1.

2.

3.
4.

Obtain and document understanding of

accounting and internal control system
Plan the assessed level of control risk
Performance of tests of controls
Document assessed level of control risk

UNDERSTANDING INTERNAL
CONTROL
Obtaining an understanding of internal control
involves :

evaluating the design of a control; and

determining whether it has been
implemented

Understanding internal control

identify the types of potential material

misstatements that could occur in the financial
statements
consider factors that affect the risk of material
misstatements; and
design appropriate audit procedures (nature,
timing, extent)

Understanding internal control

the size and complexity of the entity and of its

computer system
materiality considerations
the type of internal controls involved
the nature of the entitys documentation of
specific internal controls
the auditors assessment of inherent risk
experience gained from prior audits

Procedures in obtaining
understanding
1.

2.
3.

4.

Make inquiries of appropriate company

personnel
Inspect documents and records
Observe the companys activities and
operations
Walk-through

Documentation
A commonly used form of documentation
includes:
1.
2.
3.
4.

narrative descriptions
flowcharts and diagrams
internal control questionnaires (ICQ)
checklists

PRELIMINARY ASSESSMENT OF CONTROL

RISK

The preliminary assessment of control risk is

the process of evaluating the effectiveness of
an entitys accounting and internal control
systems in preventing or detecting and
correcting material misstatements.

PRELIMINARY ASSESSMENT OF CONTROL

RISK

After obtaining an understanding of the

accounting and internal control systems, the
auditor should make a preliminary assessment
of control risk, at the assertion level, for each
material account balance or class of
transactions.

PRELIMINARY ASSESSMENT OF CONTROL

RISK

The auditor ordinarily assesses control risk

at a high level for some or all assertions
when:
the

entitys accounting and internal control

systems are not effective; or
evaluating the effectiveness of the entitys
accounting and internal control systems would not
be efficient.

PRELIMINARY ASSESSMENT OF CONTROL

RISK

The preliminary assessment of control risk for

a financial statement assertion should be
high unless the auditor:
is able to identify internal controls relevant to the
assertion which are likely to prevent or detect and
correct a material misstatement; and
plans to perform tests of control to support the
assessment.

PERFORMING TEST OF
CONTROLS
Tests of control are performed to obtain audit
evidence about the effectiveness of the:
a. design of the accounting and internal control
systems
b.
operation of the internal controls throughout
the period.

Why do we need to perform test of controls?

According to PSA 400, the auditor should

obtain
audit evidence through test of controls to support
any
assessment of control risk at less than high
level.

Greater reliance requires more

extensive test of controls.

NATURE OF TEST OF
CONTROLS
1.
2.

3.
4.
5.

Inspection
Inquiry
Observation
Re performance
Walk-through

Inquiry
Searching appropriate information about
the effectiveness of internal control from
knowledgeable persons inside and outside
the entity.

Inspection
Involves examination of documents and
records to provide evidence of reliability
depending on their nature and source and
the effectiveness of internal control over
their processing.

Observation
Looking at the process being performed by the
others.

Re performance
Involves repeating the activity performed by
the client to determine whether proper results
were obtained.

Timing of tests of controls

In determining whether or not to test the

remaining period, the following factors must be
considered:
the results of the interim tests
the length of the remaining period
whether changes have occurred in the
accounting period and internal control systems
during the period

Using the results of tests control

Based on the result of tests of control, the
auditor should evaluate whether the internal
controls are designed and operating as
intended. The conclusion reached as a result
of this evaluation is called the assessed level
of control risk.

Using the results of tests control

The nature of substantive tests from less

effective to more effective procedures
The timing of substantive tests by them at
year-end rather than interim
The extent of substantive tests from smaller
to larger sample size

DOCUMENTATION
After evaluating the results of tests of control
and assessing the control risk the auditor
should document his assessment of control
risk

Documentation
ASSESSED CONTROL
RISK
Less Than High

High (Maximum)

(Below Maximum)

Understanding of ICS

Required

Required

Tests of Controls

Required

Required

Assessment of Control
Risks

Required

Not Required

Reason for Assessment

Not Required

Required

Communication of Internal Control

Weakness
The auditor should make management aware,
as soon as practical and at an appropriate
level of responsibility, of material weaknesses
in the design or operation of the accounting
and internal control systems, which have come
to the auditors attention. The communication
to management of material weaknesses with
other matter of concern are documented in a
formal management letter.

ANY QUESTIONS?
Thank you for listening.
Presented by:
PAOLO MIGUEL C. ARQUERO
SHEILA MAE ROSARY G.
SERRANO