CHAPTER 6

CONSIDERATION OF INTERNAL CONTROL

CONSIDERATION OF INTENAL CONTROL

•This is the step in the audit process wherein the auditor will assess the level of control risk.•Assessing control risk – the process of evaluating the design and operating effectiveness of an entity’s internal control as to how it prevents or detects material misstatements in the financial statements•Assessed level of control risk – the conclusion reached as a result of the assessment

NATURE OF INTERNAL CONTROL•As the entity grows larger, mechanisms are needed to be introduced which enable the performance of the employees to be checked, to ensure that they are fulfilling their responsibilities as intended.

DEFINITION OF INTERNAL CONTROL

•According to PSA 315, internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

FOUR ESSENTIAL CONCEPTS in the definition of INTERNAL CONTROL

1. It is a process.2. It is effected by those charged with governance, management and other personnel.3. It can be expected to provide reasonable assurance of achieving the entity’s objectives.4. It is designed to help achieve the entity’s objectives.

INHERENT LIMITATIONS THAT MAY AFFECT INTERNAL CONTROL’S EFFECTIVENESS•Management’s requirement that the cost of an internal control should not exceed the benefits to be derived•Most internal controls are directed at routine transactions than non-routine transactions• The potential for human error• The possibility of circumvention of internal control through the collusion among employees• The possibility of management overriding the internal control• The possibility of procedures becoming inadequate due to changes

ENTITY’S OBJECTIVES

Internal control is geared towards the achievement of the entity’s objectives in the following categories:

•Effectiveness and efficiency of operations•Compliance with laws and regulations•Reliability of financial reporting

•In the audit of financial statements, the auditor is only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statement assertions. Therefore, the objective that is most relevant to the audit is the financial reporting objective.

FIVE COMPONENTS OF INTERNAL CONTROLControl Environment – includes the attitudes, awareness and actions of management and those charged with governance; it is the foundation of effective internal control.

Risk Assessment – management should adopt policies and procedures designed to identify and analyze the risks affecting the business.

Business risk – the risk that entity’s business objectives will not be attained as a result of internal and external factors

Information and Communication Systems – Effective internal control must provide timely information and communication.

Information system – consists of procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability Communication system – involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting

Control Activities – are the policies and procedures which help ensure that the management directives are carried out.

Control activities would include: 1. Performance Reviews – include reviews and analyses of actual performance vs. budgets, forecasts, and prior period performance. 2. Information Processing – it is performed to check the accuracy, completeness, and authorization of transactions.

3. Physical controls – physical security of assets; authorization for access to computer programs and data files; periodic counting and comparison with the amounts shown on control records 4. Segregation of duties – assigning different people the responsibilities of authorizing and recording transactions, and maintaining custody of assets

Monitoring – is a process of assessing the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

It is accomplished through one or a combination of the following: 1. Ongoing monitoring activities - built into the normal recurring activities of an entity 2. Separate evaluations – performed on a non-routine basis

INTERNAL CONTROL FOR A SMALL BUSINESS

•Proper segregation of duties or establishment of a separate internal audit department is difficult.• Internal control systems of small businesses tend to be weak compared to those of larger entities.

These weaknesses can be compensated if the owner/manager actively participates in the operation of the business.

Consideration of Internal Control

1. Obtain understanding of the internal control

2. Document the understanding of accounting and internal control system

3. Assess the level of control risk4. Perform tests of controls5. Document the assessed level of

control risks

Understanding Internal Control

Obtaining understanding of internal control involves: Evaluating the design of the control;Making inquiries of appropriate individuals; Inspecting documents and records; andObserving of entity’s activities and

operations. Determining whether it has been

implemented

The auditor uses the understanding of internal control to: Identify types of potential

misstatements that can occur Consider factors that affect the risk of

material misstatements Design the nature, timing, and extent

audit procedures to be performed

Documenting the auditor’s understanding of internal control

•Narrative•Flowchart•Internal Control Questionnaire

Assessment of Control Risk• Preliminary assessment of control risk may be at a

high level (100%) or less than high level.• When the auditor’s knowledge of the entity’s

internal control indicates that internal controls related to a particular assertion are not effective, the auditor may simply assess control risk at a high level.

• If the auditor concludes that it is more efficient to rely on the entity’s internal control systems, the auditor would plan to assess control risk at less than high level. For this purpose, the auditor should:

Identify specific internal control policies or procedures that are likely to prevent or detect and correct material misstatement relevant to financial statement assertion, and

Perform tests of control to determine the effectiveness of such policies or procedures

Performing Test of ControlsTest of controls are performed to obtain evidence about the effectiveness of the: Design of the accounting and internal control

systems; or Operation of the internal controls throughout

the periodTest of controls generally consist of one (or a combination) of the following evidence gathering techniques:1. Inquiry2. Observation3. Inspection4. Reperformance

Documenting the assessed level of control risk• If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level.• If control risk is assessed at less than high level, the auditor should document his conclusion that control risk is less than high and the basis for that assessment. The auditor cannot assess control risk at less than high level without performing tests of control.

Communication of Internal Control WeaknessesAn auditor is required to report to the appropriate level of management material weaknesses in the design or operation of the accounting and internal control systems, which have come to the auditor’s attention. These internal control weaknesses together with other matters of concern are documented in a formal management letter.