Chapter 6: Consideration of Internal Control

A. Nature of Internal Control

According to PSA 315
Internal Control is the process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity's objectives with
regards to reliability of financial reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations
1. Internal Control as a Process
2. Internal Control is effected by those charged with governance, management, and other personnel.
3. Internal control can be expected to provide reasonable assurance of achieving the entitys objectives
It is because of inherent limitations (listed below) that may affect the internal controls
effectiveness:
a. Managements usual requirement that the cost of an internal control should not exceed the
expected benefit s to be derived.
b. Most internal controls tend to be directed at routine transactions rather than non-routine
transactions.
c. The potential for human error due to carelessness, distraction, mistakes of judgment and
the misunderstanding of instructions.
d. The possibility of circumvention of internal controls through the collusion among
employees.
e. The possibility of management overriding the internal control.
f. The possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures may deteriorate.
4. Internal control is designed to help achieve the entity's objective in the following categories:
a. Financial reporting
-

The management objective is to produce reliable financial report and

safeguard assets.
b. Operations
- To have effectiveness and efficiency in operations.
c. Compliance
- To comply with the law and regulations that affects the entity.
B. Components of Internal Control
1. Control Environment

It is the foundation for effective internal control.

The control environment is the control consciousness of an organization; it is the
atmosphere in which people conduct their activities and carry out their control

responsibilities.
It is an intangible factor that is essential to effective internal control.
It is determined by the attitudes of the persons in charge of the internal control
system.

Factors reflected in the control environment:

1.
2.
3.
4.
5.

Integrity and ethical values

Active participation of those charged with governance
Commitment to competence
Personnel policies and procedures
Assignment of responsibility and authority/Organizational Structure

2. Risk Assessment
I. Determine Goals and Objectives
The central theme of internal control is (1) to identify risks to the achievement of an organization's
objectives and (2) to do what is necessary to manage those risks. Goals and objectives are classified in the
following categories:
1. Operations objectives. These objectives pertain to the achievement of the basic mission(s) of a
department and the effectiveness and efficiency of its operations, including performance standards
and safeguarding resources against loss.
2. Financial reporting objectives. These objectives pertain to the preparation of reliable financial
reports, including the prevention of fraudulent public financial reporting.
3. Compliance objectives. These objectives pertain to adherence to applicable laws and regulations.
II. Identify Risks after Determining Goals
Risk assessment is the identification and analysis of risks associated with the achievement of operations,
financial reporting, and compliance goals and objectives.
For financial reporting purposes, the entitys risk assessment process includes how management identifies
risks relevant to the preparation of financial statements that are presented fairly, in all material respects in
accordance with the entitys applicable financial reporting framework, estimates their significance, assesses
the likelihood of their occurrence, and decides upon actions to manage them.
III. Risk Analysis
After risks have been identified, a risk analysis should be performed to prioritize those risks:

a. Assess the likelihood (or frequency) of the risk occurring.

b. Estimate the potential impact if the risk were to occur.
c. Determine how the risk should be managed.
3. Information & Communication System
To be effective, an internal control system must provide relevant and timely information and communication.
The system should identify the information requirements and create an information system that provides
the needed data and reports.
The essential elements of sound information system:
1. Identification of Information. Proper identification of all economic transactions and
events.
2. Capture of Information. Once identified, accounting data must be accessed and
captured by whatever device is used to store and assemble it while awaiting the
classification and recording by the storage device.
3. Processing of Information. Accounting information is processed by the recording of
transactions in journals and their posting to ledger accounts.
4. Reporting of Information. The external auditor is concerned that the internal control
system accurately converts accounting data from ledger format to financial
statements prepared in accordance with GAAP, including necessary year-end
adjustments and adequate footnote disclosures.
Communication Financial reporting controls require that specific duties be communicated clearly to
employees responsible for implementing the control procedures.
4. Control Activities
-

Are the policies and procedures that help ensure that management directives are carried out.
Control procedure relevant to FS audit includes:
1. Performance Review
-

These activity includes reviews and analyses of actual performance vs budget, forecasts
and prior period performance; analyses of the relationship of every data, investigative and
corrective actions.

2. Information processing
-

A variety of controls are performed to check the accuracy, completeness and authorization
of transactions.

3. Physical controls

These activities encompass the physical security of assets, including safeguards such as
secured facilities over access to assets and records and others shown in control records.

4. Segregation of duties
-

Assigning different people the responsibilities of authorizing transactions, recording

transactions, and maintaining custody of assets is intended to reduce the opportunities to
allow any person to commit and conceal errors and fraud in the normal course of person's
duty.

5. Monitoring
-

It is the process of assessing the quality of internal performance over time. This is done to ensure
that controls continue to operate effectively.

C. Internal Control for a Small Business

-

In a small business, with few employees, it is difficult to have a proper segregation of duties which
tends the business to have a weak internal control. This weakness can be compensated if the
owner/manager actively participates in the operations of the business.

D. Consideration of Internal Control

The one responsible for establishing and maintaining an entitys accounting and internal control system is
the entitys management and not the auditor. Nevertheless the auditors should give adequate
consideration to these controls because the quality of the entitys internal controls systems can have a
significant impact on the audit.
The Following Steps that is involve in the consideration of the entitys internal control:
1.

Obtain understanding of the internal control

2.

Document the understanding of accounting and internal control systems

3.

Assess the level of control risk

4.

Perform tests of controls

5.

Document the assessed level of control risks

OBTAIN UNDERSTANDING OF THE INTERNAL CONTROL

In all audits, the auditor should obtain an understanding of each of the five components of internal control
sufficient to plan the audit. A sufficient understanding is obtained by performing procedures to understand

the design of controls relevant to an audit of financial statements and determining whether they have been
placed in operation.
In planning the audit, such knowledge should be used to:

Identify types of potential misstatement.

Consider factors that affect the risk of material misstatement.

Design the nature, timing and extent of audit procedures to be performed

An Initial Understanding of the design of the entitys internal control systems is ordinarily obtained by

Making Inquiries of appropriate individuals

Inspecting documents and records

Observing of entitys activities and operations

Walk-through test involves tracing one or two transaction through the entire accounting systems, from
their initial recording at source to their final destination as a component of an account balance in the
financial statements.
DOCUMENT THE UNDERSTANDING OF ACCOUNTING AND INTERNAL CONTROL SYSTEMS
After obtaining sufficient knowledge about the design of internal control system and verifying that
the policies and procedures are implemented, the next step would be for the auditor to document his
understanding of accounting and internal control systems. This documentation need not be in any particular
form. The extent of documentation may vary depending on the size and complexity of the entity and nature
of their internal control system
Some commonly used forms of documentations include

Narrative description

Flowchart

Questionnaire

ASSESS THE LEVEL OF CONTROL RISK

Assessing control risk is the process of evaluating the effectiveness of an entity's internal control in
preventing or detecting material misstatements in the financial statements. Control risk should be assessed
in terms of financial statement assertions.
In determining whether assessing control risk at the maximum level or at a lower level would be an effective
approach for specific assertions, the auditor should consider:
`

The nature of the assertion.

The volume of transactions or data related to the assertion.

The nature and complexity of the systems, including the use of IT, by which the entity
processes and controls information supporting the assertion.

The nature of the available evidential matter, including audit evidence that is available only
in electronic form

Assessing control risk below the maximum level involves:

Identifying specific controls relevant to specific assertions.

Performing tests of controls.

Concluding on the assessed level of control risk.

Controls can be either directly or indirectly related to an assertion. The more indirect the relationship, the
less effective that control may be in reducing control risk for that assertion.
For example, a sales manager's review of a summary of sales activity for specific stores by region ordinarily
is indirectly related to the completeness assertion for sales revenue. Accordingly, it may be less effective in
reducing control risk for that assertion than controls more directly related to that assertion, such as
matching shipping documents with billing documents.
PERFORM TESTS OF CONTROLS
Test of control must be performed to obtain evidence about whether controls that are candidates to be
relied upon actually operate as prescribed.
Test of Control are performed to obtain evidence about the effectiveness of the

Design of the accounting and internal control system

Operation of the internal controls throughout the period

According to PSA, the auditor should obtain audit evidence through the test of control to support any
assessment of control risk at less than high level.
Nature of Test of Control
The four methods of testing control are:
1.

Inquiry - consist of searching for the appropriate information about the effectiveness of internal

control from knowledgeable persons inside or outside the entity.

2.

Observation -refers to looking at the process being performed by others.

3.

Inspection involves the examination of documents and records to provide evidence of reliability

depending on their nature and effectiveness of internal control over their processing.
4.

Reperformance involves repeating the activity performed by the client to determine whether the

proper results were obtained

Timing and Extent of Test of Control
Testing controls over a longer period of time provides more evidence of the effectiveness of controls than
testing over a shorter period of time. Further, testing performed closer to the date of management's
assertion provides more evidence than testing performed earlier in the year. The auditor should balance
performing the tests of controls closer to the as-of date with the need to test controls over a sufficient period
of time to obtain sufficient appropriate evidence of operating effectiveness. In addition Auditor cannot
possibly examine all transactions related to certain control procedures therefore the auditor should
determine the size of a sample sufficient to support the assessed level of control risk.
Using the result of Test of Controls
The conclusion reached as a result of evaluation is called the Assessed Level of Control Risk. The auditor
uses the Assessed Level of Control Risk (together with the assessed level of Inherent Risk) to determine
the acceptable level of Detection Risk
DOCUMENT THE ASSESSED LEVEL OF CONTROL RISKS
The auditor should document his or her conclusions about the assessed level of control risk. Conclusions
about the assessed level of control risk may differ as they relate to various account balances or classes of
transactions. For those financial statement assertions where control risk is assessed at the maximum level,

the auditor should document his or her conclusion that control risk is at the maximum level but need not
document the basis for that conclusion. For those assertions where the assessed level of control risk is
below the maximum level, the auditor should document the basis for his or her conclusion that the
effectiveness of the design and operation of controls supports that assessed level. The nature and extent of
the auditor's documentation are influenced by the assessed level of control risk, the nature of the entity's
internal control, and the nature of the entity's documentation of internal control.
E. Communication of Internal Control weaknesses
The Auditor is required to report to the appropriate level of management material weaknesses in the design
or operation of the accounting and internal control systems, which have come to the auditors attention.
It is ordinarily be in writing and should be done at the earliest opportunity so the appropriate corrective
actions may be taken as soon as possible.