3.

Five Components of COSO internal framework

a. Control environment sets the tone of an organization, influencing the control consciousness of its
people. It is the foundation for all other components of internal control, providing discipline and
structure.

b. Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its
objectives, forming a basis for determining how the risks should be managed.

c. Control activities are the policies and procedures that help ensure that management directives are
carried out.

d. Information and communication systems support the identification, capture, and exchange of
information in a form and time frame that enable people to carry out their responsibilities.

e. Monitoring is a process that assesses the quality of internal control performance over time.

4. In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit
by performing procedures to understand the design of controls relevant to an audit of financial
statements and determining whether they have been placed in operation. In obtaining this
understanding, the auditor considers how an entity’s use of information technology (IT) and manual
procedures may affect controls relevant to the audit. The auditor then assesses control risk for the
relevant assertions embodied in the account balance, transaction class, and disclosure components of
the financial statements. Regardless of the assessed level of control risk, the auditor should perform
substantive procedures for all relevant assertions related to all significant accounts and disclosures in
the financial statements.

5. In assessing control risk, auditors assess whether the financial statements are auditable, determine
assessed control risk by the understanding obtained assuming the controls are being followed and use a
control risk matrix to assess control risk. In the control risk matrix, auditors identify audit objectives,
identify existing controls, associated control with related audit objectives, and identify and evaluate
control deficiencies, significant deficiencies, and material weaknesses. Auditors identify deficiencies and
material weaknesses by identifying existing controls and absence of key control. They also consider the
possibility of compensating controls.

6. Test of controls are the procedures to test effectiveness of controls in support of a reduced assessed
control risk. The procedures for test of controls involves the following:

a. Inquire of client personnel

b. Examine documents, records and reports

c. Reperform client procedures

d. Observe control-related activities.

Designing Tests of Controls

Assessing control risk requires the auditor to consider the design of controls to evaluate whether they
should be effective in meeting transaction-related audit objectives. Some evidence will have been
gathered in support of the design of the controls, as well as evidence that they have been placed in
operation, during the understanding phase. To use specific controls as a basis for reducing assessed
control risk, however, specific evidence must be obtained about their operating effectiveness
throughout all, or at least most, of the period under audit. Designing tests of controls involves the
following:

1. Nature of tests

a. Inquiring

Inquiring designed to determine;

an employee’s understanding of his/her duties,

the individual’s performance of those duties, and

the frequency, causes, and disposition of deviation. Unsatisfactory answers from an employee may
indicate an improper application of control.

b. Observing

Observing the employee’s performance provides similar evidence.

c. Inspecting

Inspecting documents and records is applicable when there is a transaction trail of performance in the
form of signatures and validation stamps that indicate whether the control was performed and the
individual who performed it.

d. Task Reperforming

Reperforming a control by the auditor provides the best evidence of its effectiveness. In performing the
tests, the auditor selects the procedure that will provide the most reliable evidence about the
effectiveness of the control policy or procedure. No one test of controls is always applicable or equally
effective in providing evidence.

2. Timing of test

The timing of the test of controls refers to when they are performed and the part of the accounting
period to which they relate. An additional test of control is performed during interim work, which may
be several months before the end of the year under audit. These tests therefore only provide evidence
of the effectiveness of controls from the beginning of the year to the date of the tests. From the
standpoint of audit efficiency, the tests of controls should be performed as late in the interim period as
possible.

Discussion 1

Internal control system means all the policies and procedures adopted by the management of an entity
to assist in achieving Management's objective of ensuring, as far as practicable, the orderly and efficient
conduct of it's business, including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of the accounting records,
and the timely preparation of reliable financial information. It typically has three broad objectives in
designing an effective internal control system:

a. Reliability of the entity's financial reporting - it relates to internal and external financial reporting, as
well as, non financial reporting

b. Effectiveness and efficiency of operations - control within a company provides effective and efficient
use of it's resources to optimize company's goals. Important objective of these controls is accurate
financial and non financial information about the company's operations for decision making purposes.

c. Compliance with applicable laws and regulations - Section 404 requires management of all public
companies to isuue a report about the operating effectiveness of internal control over financial
reporting

Discussion 2

The one who must establish and maintain the entity's internal control is the management, not the
auditor. This concept is consistent with the requirement that management is responsible for the
preparation of financial statements in accordance with the applicable accounting framework such as
GAAP or IFRS. On the other hand, the responsibilities of an auditor, include understanding and testing
internal control over financial reporting. Auditors of larger public companies are required by Securities
and Exchange Commission to issue annually and audit report on the operating effectiveness of internal
control.