Internal Control

and Control Risk

Chapter 10

10 - 1
 Planning an Audit and
Designing an Approach

Accept client and

Set materiality, and
perform initial
assess acceptable audit Develop
audit planning
risk and inherent risk overall
audit plan
Understand the
Understand internal and
client’s business
control and assess audit
and industry
control risk program

Assess client
business risk Gather information to assess
fraud risks
Perform preliminary
analytical procedures
10 - 2
 Learning Objective 1

Explain the five components

of internal control

10 - 3
 Definisi (SA Seksi 319)

Pengendalian intern adalah suatu proses yang

dijalankan oleh dewan komisaris, manajemen,
dan personel lain entitas yang didesain untuk
memberikan keyakinan memadai tentang
pencapaian tiga golongan tujuan berikut ini:
• Keandalan pelaporan keuangan
• Efektivitas dan efisiensi operasi
• Kepatuhan terhadap hukum dan peraturan yang
berlaku

10 - 4
 Five Components
of Internal Control

Control Environment

Risk Control Information and

Monitoring
Assessment Activities Communication

10 - 5
 The Control Environment

Integrity and ethical values Organizational structure

Commitment to competence Assignment of authority

and responsibility

Board of directors or audit

committee participation Human resources
policies and practices

Management’s philosophy
and operating style
10 - 6
 Risk Assessment

Identify factors affecting risk.

Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.

10 - 7
 Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

10 - 8
 1. Adequate Separation
of Duties

Custody of assets Accounting

Authorization The custody of
of transactions related assets
Operational Record-keeping
responsibility responsibility
IT Duties User departments

10 - 9
2. Proper Authorization of
Transactions and Activities

General authorization

Specific authorization

10 - 10
 3. Adequate Documents
and Records

Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation

10 - 11
 4. Physical Control over
Assets and Records

Physical precautions

Controls related to IT equipment,

programs, and data files

Backup and
Physical Access
recovery
controls controls
procedures
10 - 12
 5. Independent Checks
on Performance

The need for independent checks

arise because internal control tends
to change over time unless there is
a mechanism for frequent review.

10 - 13
 Information and
Communication

The purpose of an accounting information

and communication system is to…
initiate, record, process, and report the
transactions and to maintain accountability
for the related assets.

10 - 14
 Monitoring

Management’s ongoing and periodic assessment

of the quality of internal control performance …
to determine whether controls are operating
as intended and modified when needed.

10 - 15
 Learning Objective 2

Contrast management’s need for

internal control with the auditor’s
need to consider internal control
when designing an audit.

10 - 16
 Key Concepts

Management’s
Responsibility
Reasonable
Assurance
Inherent
Limitations

10 - 17
 Client’s Concerns

Reliability of financial reporting

Efficiency and effectiveness of operations
Compliance with applicable laws
and regulations

10 - 18
 Auditor Concerns

Controls related to reliability of

financial reporting

Controls over classes of transactions

10 - 19
 Sales Transaction-Related
Audit Objectives

Objective – General Form Related Audit Objectives

Recorded transactions Sales are for shipments
exist (existence). to existing customers.
Existing transactions are Existing sales transactions
recorded (completeness). are recorded.
Transactions are stated Sales for goods shipped
correctly (accuracy). are correctly billed.

10 - 20
 Sales Transaction-Related
Audit Objectives

Objective – General Form Related Audit Objectives

Transactions are properly
classified (classification).
Transactions are recorded
on correct dates (timing).
Transactions are properly
filed (posting and
summarization).
Sales transactions are
properly classified.
Sales are recorded on the
correct dates.
Sales transactions are
properly included in the
master files.
10 - 21
 Learning Objective 3

Explain methods used to

obtain an understanding
of internal control.

10 - 22
 Understanding Internal Control
and Assessing Control Risk

Obtain Understanding of Internal Control:

Design and Operation

Assess Control Risk Test Controls

Decide Planned Detection Risk

and Substantive Tests

10 - 23
 Reasons for Sufficiently
Understanding Internal Control

SA Seksi 319 requires the auditor to

obtain an understanding of internal
control for every audit.

• Auditability
• Potential material
Minimum audit misstatements
planning matters • Detection risk
• Design of test
10 - 24
 Procedures to Determine
Design and Placement

Update and evaluate auditor’s previous

experience with the entity.
Make inquires of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.

10 - 25
 Documentation of
the Understanding

Internal
control
questionnaire
Flowchart

Narrative

10 - 26
 Learning Objective 4

Obtain Understanding of Internal Control:

Assess control
Design and Operation risk by linking
strengths and
weaknesses of
Assess Control Risk Test Controls internal control to
transaction-
Decide Planned Detection Risk
related audit
and Substantive Tests objectives.

10 - 27
 Assess Control Risk

Obtain sufficient understanding for planning.

Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.

10 - 28
 Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.

10 - 29
 Identify and Evaluate
Weaknesses

Identify existing controls.

Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.

10 - 30
 The Control Risk Matrix

Auditors use the control risk matrix to

identify both controls and weaknesses
and to asses control risk.

10 - 31
 Communication

Reportable conditions letter

Audit committee communications
Management letters

10 - 32
 Learning Objective 5

Obtain Understanding of Internal Control: Describe the

Design and Operation
process of
designing
Assess Control Risk Test Controls
and
performing
Decide Planned Detection Risk tests of
and Substantive Tests
controls.

10 - 33
 Tests of Controls

The procedures to test effectiveness

of controls in support of a reduced
assessed control risk are called
tests of controls.

10 - 34
 Procedures for
Tests of Controls

Make inquiries of client personnel.

Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.

10 - 35
 Extent of Procedures

Reliance on evidence from prior year’s audit

Testing less than the entire audit period

10 - 36
 Relationship of Assessed Control
Risk and Extend of Procedures
Assessed Control Risk
High Level: Lower Level:
Obtaining an Tests of
Type of Procedure Understanding Only Controls
Inquiry Yes – extensive Yes – some
Documentation Yes – with transaction Yes – using
walk-through sample
Observation Yes – with transaction Yes – multiple
walk-through times
Reperformance No Yes – sampling

10 - 37
 Learning Objective 6

Obtain Understanding of Internal Control: Decide

Design and Operation
Planned
Detection Risk
Assess Control Risk Test Controls and
Substantive
Decide Planned Detection Risk Tests
and Substantive Tests

10 - 38
 Decide Planned Detection Risk
and Design Substantive Tests

The auditor uses the results of the control risk

assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.

The auditor links the control risk assessments

to the balance-related audit objectives.

10 - 39
 Tolerable Misstatements,
Risk, and Planned Evidence
Acceptable
audit risk D D I

Inherent Planned I Planned

risk I detection risk audit evidence
I D I
Control
risk

Tolerable
misstatement
D = Direct relationship; I = Inverse relationship
10 - 40
End of Chapter 10

10 - 41
Overall Audit Plan
and Audit Program

Chapter 13

10 - 42
 Audit Planning

Accept client and Perform preliminary

perform initial analytical procedures Develop
audit planning overall
audit plan
Understand the Set materiality, and and
client’s business assess acceptable audit audit
and industry risk and inherent risk program

Assess client Understand internal

business risk control and assess
control risk

10 - 43
 Learning Objective 1

Use the five types of audit tests

to determine whether financial
statements are fairly stated

10 - 44
 Types of Tests

Risk Assessment Procedures

Further Audit Procedures

10 - 45
 Further Audit Procedures
and the Audit Risk Model

Audit risk AAR

model = PDR
IR × CR

Sufficient
Substantive Tests of
Tests of Analytical appropriate
+ tests of + procedures + details of = evidence
controls
transactions balances
per GASS

Further audit procedures

10 - 46
 Tests of Control

To determine the appropriateness of

the design and operating effectiveness of
specific internal controls

Make inquiries
Examine documents, records
include
Observe control-related activities
Reperform client procedures
10 - 47
Substantive Tests of Transactions

To determine whether all five transaction-

related audit objectives have been
satisfied for each class of transactions

For efficiency, the STOT are often done

at the same time as TOC

10 - 48
 Analytical Procedures

The most important purposes of analytical

procedures in the audit of account balances
are:

Indicate the presence of possible

misstatements in the financial statements
Reduce tests of balances

10 - 49
 Tests of Detail of Balances

Focus on the ending general ledger

balances for both balance sheet and
income statements accounts

Confirmation

include Physical examination

Examination

10 - 50
 Role of all Audit Tests in
the Sales and Collection Cycle
Accounts Cash in
Sales Receivable Bank
Sales Cash receipts
transactions transactions
Audited by Audited by
TOC, STOT, and AP TOC, STOT, and AP

Ending Ending
balance balance
Audited by AP and TDB

TOC + STOT + AP + TDB

= Sufficient competent evidence per GAAS
10 - 51
 Learning Objective 2

Select the appropriate

types of audit tests

10 - 52
 Relationship Between Further
Audit Procedures and Evidence

10 - 53
 Learning Objective 4

Design an audit program

10 - 54
 Audit Program

 The list of audit procedures for an audit area

or an entire audit
 Contents:
 Types of tests
 Audit objectives
 Procedures
 Sample size
 Items to select
 Timing

10 - 55
 Audit Program

Part 1:
Tests of controls and substantive
tests of transactions
Part 2:
Analytical procedures
Part 3:
Tests of details and balances

10 - 56
 Audit Procedures

1. Apply the transaction-related audit objectives

to the class of transactions being tested.
2. Identify key controls that should reduce
control risk for each audit objective.
3. Develop appropriate tests of controls.
4. Design substantive tests of transactions.

10 - 57
 Methodology for Designing
Controls and Substantive Tests
Design tests of controls
Perform procedures and substantive tests
to understand of transactions to meet
internal control. transaction-related
audit objectives.

Assess control risk. Audit procedures

Sample size
Evaluate cost-benefit Items to select
of testing controls. Timing
10 - 58
Four-Step Approach to Designing
Control and Substantive Tests

10 - 59
 Test of Control and Substantive
Tests of Transactions

 Sales
 Cash receipts
 Acquisitions
 Cash disbursements
 Payroll and personnel

10 - 60
 Methodology for Designing Tests of
Balances – Accounts Receivable

Identify client business risks Design and perform analytical

affecting accounts receivable. procedures for accounts
receivable balance.
Set tolerable misstatement
and assess inherent risk
Design tests of details of
for accounts receivable.
accounts receivable balance
to satisfy balance-related
Assess control risk for sales
audit objectives.
and collection cycle.
Audit procedures Sample size
Design and perform tests of
controls and substantive tests Items to select Timing
of transactions for sales and
collection cycle.
10 - 61
 Learning Objective 5

Compare and contrast

transaction-related audit
objectives and balance-
related audit objectives.

10 - 62
 Relationship of Transaction- to
Balance-Related Audit Objectives

Transaction-Related Balance-Related Nature of

Audit Objective Audit Objective Relationship
Occurence Existence or Direct
completeness
Completeness Completeness or Direct
existence
Accuracy Valuation Direct

10 - 63
 Relationship of Transaction- to
Balance-Related Audit Objectives

Transaction-Related Balance-Related Nature of

Audit Objective Audit Objective Relationship
Classification
Cutoff
Right and
obligation

10 - 64
 Learning Objective 6

Integrate the four phases

of the audit process.

10 - 65
 Summary of the
Audit Process

Perform analytical
Plan and design procedures and
Phase I Phase III
an audit approach. tests of details
of balances.

Perform tests of
Complete the
controls and
Phase II Phase IV audit and issue
substantive tests
an audit report.
of transactions.

10 - 66
 Summary of the Audit Process
Phase I

Accept client and perform initial planning.

Understand the client’s business and industry.
Assess client’s business risk.
Perform preliminary analytical procedures.
Set materiality and assess acceptable audit risk
and inherent risk.
Understand internal control and assess control risk.
Develop overall audit plan and audit program.
10 - 67
 Summary of the Audit Process
Phase II

Plan to reduce assessed No

level of control risk?

Yes
Perform tests of controls.
Perform substantive tests of transactions.
Assess likelihood of misstatements in
financial statements.
10 - 68
 Summary of the Audit Process
Phase III

Low Medium High or

unknown

Perform analytical procedures.

Perform tests of key items.
Perform additional tests of details of balances.

10 - 69
Summary of the Audit Process
Phase IV

Review for contingent liabilities.

Review for subsequent events.
Accumulate final evidence.
Evaluate results.
Issue audit report.
Communicate with audit
committee and management.

10 - 70
End of Chapter 13

10 - 71