
Written By: Zainab AlEkri Ch.10 Typed By: Ali Jameel


Chapter.10
Section 404 “Audits of Internal control risk”

To audit financial statements, there are two main parts:

1. Audit internal control.
2. Audit the financial statements.

- There is no specific definition of “internal control”, because there is no single internal control system for all businesses/types of organization.

General definition:
- Internal control is the policies, ways, procedures and strategies that the client uses to manage his business and achieve his objectives.
- An excellent internal control system is affected by its components: “the policies, strategies and systems inside it”.
- It affects the “accounting system”, which is a part of it.

Internal Control objectives:


1. It adds to the reliability of the financial statements. “Having a good and effective internal control system means good and reliable F/S.”
2. Efficiency and effectiveness of operations. “The internal control system helps operations achieve the organization's goals.”
3. Compliance with laws and regulations. “It is compulsory to establish a good and effective internal control system.” “In the public sector, this is forced by the Sarbanes-Oxley Act.”

________
- Management responsibilities for establishing a good and effective internal control system -in general-:
1. Establish the internal control system.
2. Prepare the financial statements.

They provide reasonable assurance -which is a good level of assurance, but not 100%-, because internal control can never be regarded as completely effective. Therefore “inherent risk” -which means errors and mistakes- is expected > this may appear in the presentation of the F/S or in other parts of the system rather than the F/S. “So the F/S may or may not be affected.”

- Management responsibilities in Section 404 of the Sarbanes-Oxley Act:

- Section 404 requires the management of all public companies to issue an internal control report that includes the following:
1. A statement that management is responsible for establishing an adequate and effective internal control system and for preparing the F/S.
- This statement is required from them to put pressure on them, so that they are responsible for it.
2. An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year.

- Management should measure and evaluate their internal control system and give the assessment to the CPA, because they are the ones who established it, so they must know everything about its strengths and weaknesses.
- The CPA will audit the internal control system first, then compare his findings with the assessment given by management after finishing the audit, and he will express his opinion.

Management assessment

1- Design of the system. 2- Operations.

An effective system does affect the operations.

1- Design of the system:
The CPA is interested to know whether the system is able to prevent/detect misstatements in the financial statements or not.
> A well-designed system must be able to prevent anyone from manipulating the F/S. (If they try to bypass rules or policies)
The more information management gives to the CPA, the better it is for the CPA.
The minimum amount of information required from management is:
- Design of the system
- Operations.

2- Operations:
The objective of testing the operating effectiveness of controls is met by answering these two questions:
1. [Does it fit well within the operations of the organization? If yes, then the system is good and effective. –The system is suitable for our operations-]
2. Who operates the system? The employees who deal with it and use it for the operations > Are they qualified to do that? If they are not, they may not be able to deal with it, therefore the system won't work as well as it must, mistakes and errors will occur > it is expected that the F/S will be affected.
- It's important to know who has the “authority” to change data in the system.
___

- Auditor responsibilities: (In general)

CPA responsibilities:
1- Understand and document
2- Evaluate and test
3- Reporting in public sector

1- The CPA should understand the client's internal control system. He must know everything about it. (Before doing anything.)
- The CPA must keep/document this information in the audit file as evidence in case any problem arises between him and his client.
- The responsibilities are the same for audits of both public and nonpublic companies.
- CPAs are primarily concerned with controls related to:
1) Reliability of financial reporting. 2) Controls over classes of transactions.
2- The CPA will start to evaluate and test the system. “Why is it important to test?”
- Because some information/facts about the internal control may turn out to be different from what was understood.
- The CPA will perform tests of controls over: significant account balances, classes of transactions, disclosures and related financial statement assertions.
3- This step is required in the public sector in the USA. > The CPA will issue a separate report for internal control, and another one for the F/S.
- In the private sector, the CPA is free to add/highlight any information about the internal control system in his report. (All together - one report only -)


 Why separate report?


Issuing a report means talking in detail, which puts more pressure on the CPAs to audit carefully, and they will be forced to do their best with the internal control system.

- Having a good/effective control system will positively affect the accounting system -which is a part of it-.
> What is the evidence?
- All transactions will be recorded when they happen and are real, exist, “occur”. All of them will be complete “recorded and posted” and at accurate -correct- amounts > and posted, summarized correctly, classified correctly in the journal + recorded at the time they happen. [Occurrence, completeness, accuracy, posting and summarization, classification, timing > are all met]

1- There is a direct relationship “link” between the internal control system and transactions.

2- But there is an indirect “link” between the internal control system and balances.

Therefore, correct transactions + balances are expected > the financial statements are free from errors.
____________
Auditor responsibilities in Section 404 of the Sarbanes-Oxley Act:
- The CPA is responsible for writing two opinions about internal control in his report.
1- Express an opinion on management's assessment. [Is the assessment fairly stated or not?]
2- Express his personal opinion about the internal control system overall.
___

- To decide whether the internal control system is good and effective, it must be compared with given standards and criteria developed by professional bodies in accounting and auditing, who suggest a framework called the “COSO system”.
- To have a good system, at least these 5 components must exist: (Minimum requirement)

1- Control environment
2- Risk assessment
3- Control activities
4- Information and communication
5- Monitoring

- If all of them are included it is enough, but “more” is accepted, while “less” is NOT.
Why is the first component, “Control environment”, the most important one?
- Because it affects all the other components. “It is the main component.”
- If we have a good control environment, the other components are expected to work effectively > good system -internal control system-
____
COSO: is used as a standard to compare with the client's internal control.
It is about the framework itself, not the details of the system, because there is no one internal control system for all kinds of business and organization.
1) The control environment:

Consists of actions, policies, and procedures > reflecting the overall attitudes of top management, directors, and owners about internal control and its importance to the entity.

- It depends on top management's attitude: if they value the internal control system and believe in its importance > this will be reflected in their actions > like: improving the system from time to time, hiring qualified employees.

1. Integrity and ethical values:
- Working with other systems harmoniously all together, otherwise conflicts and problems will occur.
- Unethical practices may lead to entering wrong data and information. [Because people operate the system, if they are ethical > good results are expected, and vice versa]
2. Commitment to competence:
- Management should take responsibility for doing their best regarding their internal control system -by providing a high-quality system- > therefore, an effective system is expected.
3. Board of directors or audit committee participation:
- Management will work with the board of directors and the audit committee to run and improve their internal control system so that it works efficiently.
4. Management philosophy and operating style:
- How does management deal with its employees to run the organization? Dictatorial? Democratic?
- Management's attitude will affect employees' attitudes.
5. Organization structure:
Management levels:
1- Top management
2- Middle management
3- First line management
4- Employees
In each level there are different -but linked- duties, responsibilities and authorizations > identified by the top management.

- When top management believes in the importance of the internal control system, they will have a direct link with it; therefore when any situation occurs, they will be able to solve everything quickly and to update the system continuously.
- The opposite situation occurs when top management doesn't believe in the importance of the internal control system; this will result in problems.
- If there is no control over the organization structure, middle and first line management may not inform top management of problems when they occur.
6. Human resource policies and practices:
- It is important to choose employees carefully, setting a number of standards for choosing them, because they will operate the system, so they must be qualified to run the system efficiently.
____

2) Risk assessment:
- It is mandatory, because nothing guarantees to protect the organization from different risks and problems.
- Management should trace risks and assess them > to have the chance to take action on any problem. (When they know about it, they will be able to solve it.)

General steps to deal with risk:

- Identify the problem and its factors -causes-
- What is the effect of this risk? Does it have a significant influence? Important or not?
- The possibility of occurrence. (30%? 50%?)
- Determine the action required to manage the risk.

3) Control Activities: (Minimum required)
1. Adequate separation of duties.
[Each employee/group of employees will be responsible for one duty/function; they are not allowed to do more than one]
Examples:
a) Custody of assets > From > Accounting books.
(e.g.: The cashier, who holds the cash, cannot work with the accounting books)
b) Authorization of transactions > From > The custody of related assets.
(Authorization to make decisions related to the transaction; no single person takes all the decisions related to a specific transaction.)
c) Operational responsibility > From > Record-keeping responsibility.
(e.g.: Time cards of employees' working hours: the employees who compute the working hours > must not be the ones recording them in the accounting books)
d) IT duties > From > User departments.
- (IT employees are not allowed to access other users' accounts; their job is to deal with technical problems in the system)
______
2. Proper authorization of transactions and activities:
Ability to take decisions.
Types of authorization:

General authorization (for normal decisions):
- Daily
- Routine
- This type of decision is taken over problems/situations that happen each day/daily.

Specific authorization (for critical (abnormal) decisions):
- Very important
- Doesn't happen all the time
- This type of decision needs agreement from top management. “Dealing with a new case -rare-”

For the CPA it is important to know who is responsible -has the authority- to do anything inside the organization. (e.g.: the authority to sign checks, to decide whether to accept them or not)

3. Adequate documents and records:

- The organization should have enough documents and records. (Important to manage the business.)
- They should document their actions, so that they minimize the possibility of risk occurring and prevent missing information and transactions.
Document characteristics: (Minimum)
a- Prenumbered consecutively. (Each document has a specific number) > To put control over these documents; these documents are going to be used to record transactions, and their numbers give the ability to:
- Make sure that no transaction has been recorded twice.
- Discover any missing transaction that should have been recorded but was not. (cut-off)
b- Prepared at the time of the transaction. [Once the transaction happens, it must be recorded, to minimize the possibility of recording wrong information related to it]
c- Designed for multiple uses. [Designing a document for similar uses. “It can be used for a number of uses that are similar in nature.”] > “e.g.: a document for printing different things -multiple uses- to avoid having a huge number of documents”
d- Constructed to encourage correct preparation. [Clear, well designed, focused on the objective, and easy to use in a correct way]
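
The numbering check described in a- above (no number recorded twice, no number missing), combined with separation-of-duties examples a) and b) from item 1, as an added Python example that is not part of the original notes. The Voucher fields, the user names and the register are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Voucher:
    number: int          # preprinted document number
    authorized_by: str   # who approved the transaction
    custodian: str       # who holds the related asset
    recorded_by: str     # who posted it to the accounting books


# Duty pairs that must be held by different people:
# a) custody of assets vs. accounting books, b) authorization vs. custody.
INCOMPATIBLE = [("custodian", "recorded_by"), ("authorized_by", "custodian")]


def sequence_exceptions(vouchers, first, last):
    """Compare the numbers used with the issued range first..last (inclusive)."""
    counts = Counter(v.number for v in vouchers)
    return {
        # same number used more than once: possible double recording
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        # issued but never used: possible unrecorded transaction
        "missing": [n for n in range(first, last + 1) if n not in counts],
        # used but never issued: document from outside the controlled stock
        "out_of_range": sorted(n for n in counts if not first <= n <= last),
    }


def duty_conflicts(vouchers):
    """Return (number, duty_a, duty_b, person) where one person holds both duties."""
    found = []
    for v in vouchers:
        for duty_a, duty_b in INCOMPATIBLE:
            # normalise so "Cashier_1 " and "cashier_1" count as the same person
            a = getattr(v, duty_a).strip().lower()
            b = getattr(v, duty_b).strip().lower()
            if a and a == b:
                found.append((v.number, duty_a, duty_b, a))
    return found


# Constructed sample register (not real data); numbers 1001..1007 were issued.
REGISTER = [
    Voucher(1001, "mgr_a", "cashier_1", "clerk_1"),
    Voucher(1002, "mgr_a", "cashier_1", "clerk_1"),
    Voucher(1004, "mgr_a", "cashier_1", "Cashier_1 "),   # custody + books
    Voucher(1005, "cashier_2", "cashier_2", "clerk_2"),  # authorization + custody
    Voucher(1005, "mgr_b", "cashier_2", "clerk_2"),      # number used twice
    Voucher(1007, "mgr_b", "cashier_2", "clerk_2"),
]

if __name__ == "__main__":
    print(sequence_exceptions(REGISTER, 1001, 1007))
    for conflict in duty_conflicts(REGISTER):
        print(conflict)
```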

4. Physical control over assets and records.
- Keep assets as well as records secured, so that they are protected from anyone and therefore preserved.
- The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
5. Independent check on performance.
- Employees from other branches will check the performance of a branch other than the one they work at.
- For a small business, this policy will be applied between departments. [This is required to make sure that the work is done properly and legally]
- The need for independent checks arises because internal controls tend to change over time unless there is a mechanism for frequent review.

___
4) Information and communication. (Accounting system)
The purpose of an accounting information and communication system:
- Provide information for decision making.
- Initiate, record, process, and report the entity's transactions, then prepare the financial statements.
- Maintain accountability for the related assets.
___
5) Monitoring.
- Deals with management's ongoing and periodic assessment of the quality of internal control performance.
- To trace the system all the time and check whether there is any need to improve its performance.
- Make sure that the system keeps working effectively.
________
- Process for understanding internal control and assessing control risk:
(How will the CPA audit the control system?)
- Phase.1: Obtain and document an understanding of internal control design and operation. [The CPA will know every detail about the system]
- Phase.2: Assess control risk. [After finishing “Phase.1”, the CPA must be able to find out whether anything required is missing from the system]
- Phase.3: Design, perform, and evaluate tests of controls. [To be satisfied with his evaluation, the CPA needs to apply some tests to confirm his understanding]
- Phase.4: Decide *planned detection risk and substantive tests. (Over F/S)

* Planned detection risk = Acceptable audit risk / (Control Risk X Inherent Risk)
- To study the impact of the internal control system over the F/S.

Planned detection risk: a dangerous type of risk, because it consists of a group of risks* and has an impact over the F/S.
* Acceptable audit risk, control risk, inherent risk. (All of these affect PDR.)

This phase -Phase.4- is the connection point between the two main parts of the auditing process:
- Audit the internal control system.
- Audit the financial statements.

Substantive tests: are 3 tests over F/S figures and numbers.

 Phase.1: Obtain and document understanding of internal control

Minimum** required understanding: ** (Required by SAS 55 and PCAOB Standard 2)

- Design of internal control
- Whether placed in operation
- Uses this information as a basis for the integrated audit.

Methods used to obtain understanding:

1- Narrative. 2- Flowchart. 3- Internal control questionnaire.
- The CPA is free to choose any of the three methods + audit procedures (actions)

1) Narrative: a written description of a client's internal control.

[The CPA will ask the client -management- to give him this description in writing with his signature -to be documented-]
Key characteristics of the written description:
a) Does management keep the original documents and records along with any other copies? “Original copies are important for tracing the given information; if they don't exist, it will be hard for the CPA to check whether they are real or not.”
b) All processing that takes place. “All actions that happen inside the organization are documented.”
c) The disposition of any document and record in the system. [Rules and policies of the “disposition process” of documents; it must be well organized and the process should be documented, mentioning which documents have been dealt with]
d) An indication of the controls relevant to the assessment of control risk.
- [Evidence, sign, or index that shows the existence of “assessment of control risk”]
2) Flowchart: A diagram that summarizes the client's internal control system. (It's easy to read and to update information)
- [Documents, sequential flow in the organization.] > includes the same characteristics as the narrative method.
- It should be easy to read and understand.
- It must be updated. “When any change occurs.”

3) Internal control questionnaire: The CPA will prepare -design- a questionnaire about the internal control system to be answered by the client's employees -the CPA may choose specific groups to answer it- then he will collect it back and analyze its outcomes.
- Evaluating internal control operation:
(Audit procedures -actions-) done by the CPA over internal control or F/S. [Types of evidence to check the internal control system]
1. Update and evaluate the auditor's previous experience with the entity.
This procedure is done when the CPA has audited his client before -previously-, so he already has knowledge about their internal control, but the CPA must update this knowledge.
2. Make inquiries of the client's personnel.
3. Examine documents and records. (A must)
4. Observe entity activities and operations. (Important)
For example: the CPA will go to the cashier to find out whether there is any indicator of the absence of “adequate separation of duties”, like finding “accounting books”.
5. Perform walkthroughs of the accounting system.
To find out how operations are done. How did the client record his actions?
- The CPA will trace the transaction's documents from the beginning until the end.
Example:
- Sale transaction: From customer order > Sale invoice > Shipping document > A/C Rec. > Collection.

 Phase.2: Assess Control risk.
Control risk matrix:

Audit objectives related to transactions (columns): Occurrence / Completeness / Accuracy / Timing / Classification / Posting & summarization

Key internal controls (rows):
- Proper authorization
- Adequate documents & records
- Physical control over assets

Control deficiencies (rows):
- Adequate separation of duties
- Independent check

- This is the “control risk matrix”; it is used by the CPA to assist in the control risk assessment process by identifying: controls + weaknesses.
- The CPA will check whether all 5 items of control activities exist; if not, the missing item will be considered a “control deficiency”.
- The internal control system is related directly to the transactions; this is why “audit objectives related to transactions” are placed in the matrix.
The CPA will:
1. Identify existing controls
2. Identify audit objectives
3. Link between “1” and “2”
4. Link between “2” and “control deficiencies”.

Professional advice for the CPA before preparing the control risk matrix:

1) Check the client's F/S: are they auditable?
[If the client lacks integrity + when they don't have enough documents and records], the CPA will conclude that the client's entity is not auditable.
- In this case the CPA can either:
- Withdraw from the engagement
- Issue a disclaimer audit report.
2) Determine the assessed control risk supported by the understanding obtained, assuming the controls are being followed.
After finishing phase.1, the CPA will expect a level of control risk depending on his understanding. If in phase.1 he found that the organization has a good and effective internal control system, it is unexpected for the organization to have a high level of control risk > therefore, the CPA will look for an explanation by collecting more evidence and applying more tests to understand the situation.
[The results of the two phases must support each other]
3) Use the control risk matrix to assess control risk.
As mentioned previously:
1. Identify audit objectives.
2. Identify existing controls.
3. Associate controls with related audit objectives.
4. Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses.
- The matrix is a methodology used to help the auditor assess control risk by matching:
1. Key internal controls.
2. Internal control deficiencies.
3. Transaction-related audit objectives.
- There are three levels for evaluating the absence of internal control for each transaction-related audit objective:
A) Control deficiencies: The system of internal control has a problem related to its design or to its operation. [This may or may not affect the F/S, depending on how the company personnel deal with the problem; if they are aware of it, deal with it professionally and try to avoid it > it is expected that the F/S may not be affected, and vice versa]
B) Significant deficiencies: More than one control deficiency exists > it is expected that the F/S, the recording of transactions, and their posting may be affected.

C) Material weakness: More than significant deficiencies, “a combination of significant deficiencies” > it is expected that there will be “material misstatement in the F/S”. [An adverse audit report is expected to be issued]

Types of opinions for audit internal control report:

System > Type of report
- Good, effective + No material weakness + No restriction over audit process. > Unqualified audit report
- Bad system + Material weakness + F/S are affected. > Adverse audit report
- Limitation and restriction over audit process > Qualified (if partially) / Disclaimer (if entirely)

5-step approach to identify the three levels of the absence of internal control:
1. Identify existing controls.
2. Identify the absence of key controls. “While the CPA identifies existing controls in the first step, he must be able to conclude and assess what is missing.”
3. Consider the possibility of compensating controls. “If the CPA has identified missing controls in the system, he will look for any applied compensation that can cover the absence of those specific controls.” [e.g.: adequate separation of duties is not applied, but as compensation for its absence, management is watching and closely checking their employees' work performance]
- Management's attitude is serving as an alternative for this missing control.
4. Decide whether there is a significant deficiency or a material weakness.
5. Determine potential -identify possible- misstatements that could result, based on the outcomes of step 4. “Then it will be possible to determine what type of opinion is to be issued.”
__
- In the public sector, after auditing internal control and discovering significant deficiencies or material weaknesses > the CPA must communicate with the audit committee or governance committee to inform them of what he has found.

- Some public sector entities have an “audit committee”, others have a “governance committee”; however, both of them exist to help the CPA in his audit process.
- [Informing the committee is compulsory]
- When the control weakness is less significant, the CPA may write a “management letter” > to suggest some improvements for the internal control system.
- [This is optional]
- The scope of the auditor's report on internal control is limited to obtaining reasonable assurance that material weaknesses in internal control are identified.
