07/08/2017

1 Study & Evaluation of Internal Control System

AUD 06

2 Internal Control Concepts

- PSA 315, Understanding the Entity and Its Environment and Assessing the Risk of Material
Misstatement

3 Overriding Principles
The auditor shall obtain understanding of clients internal controls
to plan the audit,
develop an effective audit approach.

4 Auditors Objectives
Identify potential misstatements

Identify factors that affect the risk of material misstatements

Design further audit procedures
5 Structure of Internal Control
Internal Control System means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving managements objective of ensuring, as far as
practicable,:
orderly and efficient conduct of its business, including adherence to management policies;
safeguarding of assets;
prevention and detection of fraud and error;
accuracy and completeness of the accounting records; and
timely preparation of reliable financial information.

6 Structure of Internal Control

Accounting system
Pertains to the series of tasks and records of an entity by which transactions are processed as a
means of maintaining financial records.
Such systems identify, assemble, analyze, calculate, classify, record, summarize and report
transactions and other events.

7 Structure of Internal Control

The internal control system extends beyond those matters which relate directly to the functions of
the accounting system.

8 Components of Internal Controls

- PSA 315, Understanding the Entity and Its Environment and Assessing the Risk of Material
Misstatement

9 Internal Control Framework by COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint
initiative of different private sector organizations dedicated to providing thought leadership

1
 07/08/2017

through the development of frameworks and guidance on enterprise risk management, internal
control and fraud deterrence.
10 Components of Internal Controls
Control environment;
Entitys risk assessment process;
Control activities;
Information system & communication
Monitoring of controls.

11 Control Environment
Attitudes, Awareness, and Actions of management and TCWG concerning the entitys internal
control and its importance in the entity.
Also includes the governance and management functions and sets the tone of an organization,
influencing the control consciousness of its people.
It is the foundation for all other components of internal control, providing discipline and structure.

12 Control Environment
Elements of Control Environment
Communication and enforcement of Integrity and ethical values.
Commitment to Competence.
Human resource policies and practices.
Assignment of authority and responsibility.
Managements philosophy and operating style.
Participation by those charged with governance.
Organizational structure.

13 Risk Assessment Process

Identification of risk relevant to preparation of financial statements
Estimation of significance of risks
Assessment of likelihood of risks
Actions to manage risks

14 Risk Assessment Process

Sources of Risks
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New technology


New business models, products or activities
Corporate restructurings

2
 07/08/2017

Expanded foreign operations

New accounting pronouncements

15 Control Activities
Ensure that management directives are carried out.
Encompass
Performance reviews.
Information processing.
Physical controls.
Segregation of duties.

16 Information and Communication

Information system
Infrastructure, software, people, procedures & data
Automated/manual
Relevant to financial reporting
Procedures & records established to initiate, record, process & report entity transactions
maintain accountability for the related assets, liabilities & equity.

17 Information and Communication

Objectives of Information System
Identify & record valid transactions
Describe on timely basis = proper classification
Measure the value of transactions = proper monetary value in the FS
Determine proper time period
Presentation and disclosure

18 Information and Communication

Communication
Provide an understanding of individual of roles & responsibilities pertaining to internal control
over financial reporting.
Extent of understanding on how their activities relate to work of others
Open communications channels

19 Monitoring of Controls
Ensures controls are operating as intended.
Review of bank reconciliations,
Internal auditors evaluation of sales personnels compliance with the entitys policies on terms
of sales contracts, and
A legal departments oversight of compliance with the entitys ethical or business practice
policies.

20 Monitoring of Controls
Ongoing monitoring includes

3
 07/08/2017

Ongoing monitoring includes

Regular reporting duties and reviewed by appropriate level of management
Communications/interaction from third parties
Oversight of supervisory personnel
Trainings, seminars, meetings and planning sessions
Separate evaluations
audits/ independent checks

21 Inherent Limitations of Internal Controls

Cost vs. benefit
Direction of controls
Human factors.
Subject to collusion/overriding
Subject to breakdown

22 Auditors Assessment of Controls

- PSA 315, Understanding the Entity and Its Environment and Assessing the Risk of Material
Misstatement

23 Auditors Procedures
1. Understanding of accounting and internal control system
2. Plan the assessed level of control risk
3. Determine the appropriate response to assessed risk
4. Reassess Control Risk
5. Determine the nature, timing and extent of substantive tests
6.
6.

24 Understand and Document Clients ICS

Auditor is concerned on controls that are relevant to the FS assertions.
Objectives of auditor
Identify potential misstatements
Factors affecting risk of material misstatement
Design appropriate audit procedures.

25 Understand and Document Clients ICS

Steps in understanding internal controls
1. Perform preliminary review
2. Identify transaction cycles
3. Document the system
4. Perform walkthrough
5. Identify reliable controls

26 Plan the Assessed Level of Control Risk

4
 07/08/2017

There will always be some level of control risk

Made at the assertion level for each material account balance or class of transaction

27 Plan the Assessed Level of Control Risk

High level or maximum
ICS are not effective
Evaluation is not cost efficient
Less than high level or below maximum
Identify internal controls relevant to assertions
Plan to perform TOC to support the assessment

28 Determine the appropriate response to assessed risk

The auditor should:

Determine overall response to assessed risk at the FS level.

Design and perform further audit procedures at the assertion level.

29 Determine the appropriate response to assessed risk

Overall Response at the Financial Statement level
Maintain professional skepticism
Assign more experienced staff/experts
Providing more supervision
Incorporate unpredictability
Making changes in nature, timing and extent of audit procedures.

30 Determine the appropriate response to assessed risk

Responses at the Assertion Level

Preliminary Control Risk Assessment is High
No Reliance Approach (Substantive Only)

Preliminary Control Risk Assessment is Less Than High
Reliance Approach (TOC and Substantive Tests)

31 Determine the appropriate response to assessed risk

TOC are performed to obtain evidence about
Design effectiveness of ICS
Operating effectiveness of ICS

TOC
Applied to controls where the auditors intend to rely

5
 07/08/2017

Applied to controls where the auditors intend to rely

32 Test of Controls
Procedures for Test of Controls
Inquiry
Inspection
Observation
Reperformance

33 Test of Control
Timing of TOC
Extent of TOC
Direct relationship with expected reliance
Direct relationship with deviation rate
Consider if deviation would be too high, reliance would not be appropriate anymore.

34 Test of Control
Results of TOC
Evaluate whether the ICS are designed and operating effectively.
Preliminary assessment of CR is supported, or
Preliminary assessment of CR needs to be revised.

35 Reassess Control Risk

36 Required Documentation

37 Determine the Nature, Timing & Extent of Procedures

Final assessment of control risk
Before conclusion of audit, determine whether assessment of CR is confirmed.
Performance of substantive procedures
Assessed level of CR has direct relationship on design of ST.

38 Communication of Weaknesses
- PSA 260, Communication of Audit Matters
with Those Charged with Governance
39 Deficiency
Deficiency
Control is unable to prevent, detect or correct misstatements on timely basis
Necessary control is missing

6
 07/08/2017

Necessary control is missing

40 Deficiency
Not all deficiencies are reportable

Significant deficiency
The auditor shall communicate in writing significant deficiencies in internal control to those
charged with governance on a timely basis.

41 End of Discussion
QUESTIONS