Chapter 6 - Study and Evaluation of Internal Control CHAPTER 6 STUDY AND EVALUATION OF INTERNAL CONTROL Chapter Overview and Objectives: This chapter discusses fundamental principles of internal controls and its impact in the audit process, At the end of this chapter, readers should be able to discuss 1. The definition, characteristics and scope of internal control 2. The difference between accounting system and internal control system 3. The different controls related to audit 4. The components of internal control a. Control environment b. Risk assessment process c. Information system d. Control activities relevant to audit e. Monitoring of controls 5. The requirements of effective internal control Internal control deficiencies 7. Audit procedures to be performed related to internal control a. Risk assessment procedures b. Further audit procedures 2 —— Relevant references: PSA 315 (Revised) - Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment PSA 265 - Communicating Deficiencies in Internal Control to Those Charged with Governance and Management Page 203Chapter 6 — Study and Evaluation of Internal Control OL. ON TO INTERNAL CONTR ' he audios siti consider and obtain an understanding of the accounting an internal control systems sufficient to plan the audit and develop an effective ang efficient audit approach. The consideration of internal control system by the auditor is supported by th controls are effective (one of rules on generalizations about reliability o¢ evidence discussed in Chapter 1). | + Effective internal control system reduces the possibility of error ang fraud (one of the assumptions in Theoretical Framework of FS Aut discussed in Chapter 2). If the auditor can obtain evidence that the entity's internal control is operating effectively, this could lead to less extensive further audit procedures, Thus, improving audit efficiency without compromising audit effectiveness. The auditor uses the understanding of internal control to a. identify types of potential misstatements, b. consider factors that affect the risks of material misstatement, and c. design the nature, timing, and extent of further audit procedures. INTERNAL CONTROL Definition Internal control is the process designed, implemented and maintained by those charged with governance, Management and other personnel to Provide reasonable assurance about the achievement of an entity's objectives with regard to a. reliability of financial reporting; b. effectiveness and efficiency of operations; and ©: _ compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of 7 tne way in which internal control is designed: aries with an entity's size and complexity. Characteristics of internal control From the defir be drawn: 1. Internal control is a Process Internal control is a means to an end. Iti 2 .Itis desi it inordet to achieve the entity’s objectives, ve nelimplermented = nition of internal contro, the following essential characteristics bec. PageChapter 6 — Study and Evaluation of Internal Control 2. Internal control is effected by entity’s personnel Internal control is effected by those charged with governance, management and other personnel. In order to achieve internal control’s objectives, each member of the organization must perform their respective roles and responsibilities. Management and those charged with governance shall establish policies and procedures that will assist the entity in achieving its objectives. On the other hand, staff personnel shall comply with these established policies and procedures. 3. Internal control provides reasonable assurance of achieving its objectives There is a direct relationship between an entity's objectives and the controls it implements to provide assurance about their achievement. However, no matter how effective, internal control can only provide an entity with reasonable assurance about achieving the entity’s objectives. This is due to existence of inherent limitations that may affect the effectiveness of internal controls. Such limitations include: (COC CHA) * Management usual requirement that a control be cost-effective (Cost- benefit consideration); The possibility that a person responsible for exercising control could abuse that responsibility (Management Overriding the control); and © The possibility of circumvention of controls through Collusion with parties outside the entity or with employees of the entity; © The possibility that procedures may become inadequate due to Changes in condition and compliance with procedures may deteriorate. © The potential for Human error due to carelessness, distraction, mistakes of judgment or the misunderstanding of instructions; «The fact that most controls tend to be directed at Anticipated types (routine) of transactions and not at unusual (non-routine) transactions; 4. Internal control is geared toward attainment of entity's objectives The achievement of internal control objectives will greatly contribute to the attainment of entity’s objectives. As provided above, the objectives of internal control fall in the following categories: a. Financial: Reliability of financial reporting : b. Operational: Effectiveness and efficiency of operations ¢. Compliance: Compliance with applicable laws and regulations Having the ability to generate reliable financial reports, which will be used as basis in making business decisions, will assist the entity in having favorable outcomes for each activity it performs. ee —————— Aim... Believe... Claim... Page 205 | ——valuation of Internal Control ' tions are conducted effectively and efficiently and ay, i is will enabl i nd regulations, this wil le ent iant with applicable laws al , eevrate revenues, (2) minimize costs and expenses, and (3) avoig tine Ccrabes These conditions will definitely enable the entity to achieye overall objective as a business. Chapter 6 - Study and E) If the entity’s opera' Areas of internal control Areas of internal control cat accounting control. ‘Administrative | Includes, but is not limited to, plan of organization and the] procedures and records that are concerned with the decision n be classified as either administrative contro Control n he de processes leading to management's authorization of transactions. Administrative controls promote operational efficiency and adherence to managerial policies. ‘Accounting | Comprises of the plan of organization and the procedures | Control and records that are concerned with the safeguarding of assets and the reliability of financial records. It involves systems of authorization and approval controls over assets, internal audit and all other financial matters. Accounting system vs. Internal control system. Accounting system means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. Such systems identify, assemble, analyze, calculate, classify, record, summarize and report transactions and other events. Internal Control System means all the policies and procedures (internal control) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable: * orderly and efficient conduct of its business, including adherence to management policies; safeguarding of assets; Prevention and detection of fraud and error; accuracy and completeness of the accounting records; and timely preparation of reliable financial information. eee From these characteristics, broader than accounting extends beyond those m; accounting system, we can conclude that internal control system is mu? system. It encompasses accounting system sinc? atters which relate directly to the functions of th Aim... Believe... Clai page 20°Chapter 6 — Study and Evaluation of Internal Control Controls Relevant to the Audit It is a matter of professional judgment, subject to the requirements of PSA, whether a control, individually or in combination with others, is relevant to the auditor's considerations in assessing the risks of material misstatement and designing and performing further procedures in response to assessed risks. In exercising that judgment, the auditor considers the applicable component and factors such as the following: a. The auditor's judgment about materiality b. The significance of the related risk c. The size of the entity d. The nature of the entity’s business, including its organization and ownership characteristics e. The diversity and complexity of the entity’s operations f. Applicable legal and regulatory requirements g. The circumstances and the applicable component of internal control h. The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations i. Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement. Generally, auditor’s consideration of such controls is limited to those relevant to the reliability of financial reporting. These controls include, but not limited to, the following: 1. Controls over the completeness and accuracy of information produced by the entity if the auditor intends to make use of the information in designing and performing further procedures Controls relating to operations and compliance objectives if they relate to data the auditor evaluates or uses in applying audit procedures Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. IMPORTANT NOTES: v v Other controls relating to objectives that are not relevant to an audit need not be considered. | Although internal control applies to the entire entity or to any of its operating units or business processes, an understanding of internal control relating to each of the entity's operating units and business processes may not be relevant to the audit. Aim... Believe... Claim... Page 207Chapter 6 — Study and Evaluation of Internal Control COMPONENTS OF INTERNAL CONTROL _—_— Control Environment Components of Internal Control and its Objectives Internal control, as discussed in PSA 315, consists of the following components: (CRIME) a. Control Environment b. _Entity’s Risk assessment process c. Information and communication systems d. Control Activities @. Monitoring of Controls A. The control environment The control environment describes a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. Control environment is the foundation on which an effective system of internal control is built and operated in an organization. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control andits importance in the entity. The control environment sets the tone of at organization, influencing the control consciousness of its people. Elements of control environment (IM CPA HO), that could be relevant whet obtaining an understanding of the control environment include the following: 1. Communication and enforcement of Integrity and ethical values > These are essential elements that influence the effectiveness of the design, administration and Monitoring of controls. 2. Management's Philosophy and Operating style > Characteristics such as management's: Y Approach to taking and mana i A Aim... Believe... Claim,Chapter 6 — Study and Evaluation of Internal Control | Y Attitudes and actions toward financial reporting . Y Attitudes toward information processing and accounting functions and personnel 3. Commitment to competence > Matters such as management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. 4. Participation by those charged with governance > Attributes of those charged with governance such as: Y Their independence from management ¥ Their experience and stature Y The extent of their involvement and the information they receive, and the scrutiny of activities The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors v 5. Assignment of authority and responsibility > Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established 6. Human resources policies and procedures > Policies and practices that relate to, for example, recruitment, orientation, training, _ evaluation, counseling, promotion, compensation, and remedial actions. 7. Organizational structure > The framework within which an entity’s activitie: s for achieving its objectives are planned, executed, controlled, and reviewed, B. The entity’s risk assessment process An entity's risk assessment process is its process fo r identifying and Fesponding to business risks and the results thereof. The risk assessment forms the basis for determining how risks will be managed. A risk is defined as the possibility that an event will occur and adversely affect the achievement of organizational Objectives. Risk assessment requires management to consider the impact of Possible changes in the internal and external environment and to Potentially take action to manage the impact. Aim... Believe... Clai raze) Page 209Chapter 6 ~ Study and Evaluation of Internal Control For financial reporting purposes, the entity's risk assessment pri includes how management identifies risks relevant to the preparatig, financial statements that are presented fairly, in all material respec. in accordance with the entity's applicable financial reporting framew, estimates their significance, assesses the likelihood of their occurrence, ang decides upon actions to manage them. Risks can arise or change due to circumstances such as the following: Changes in operating environment New personnel New or revamped information systems. Rapid growth New technology New business models, products, or activities Corporate restructurings Expanded foreign operations New accounting pronouncements rsa mpange The auditor shall obtain an understanding of whether the entity has 2 process for: (IAM) * Identifying business risks relevant to financial reporting objectives Assessing the significance of risks and the likelihood of their occurrence * Deciding how to Manage those risks If this process is appropriate to the circumstances, including the nature, size and complexity of the entity, it assists the auditor in identifying risks of material misstatement. Whether the entity's risk assessment process is appropriate to the circumstances is a matter of judgment. The information system, including the related business processes relevant to financial reporting, and communication. Information system Information is obtained or generated by management from both internal and external sources in order to support internal control components. An information system enables the entity to have the ability to generate timely and meaningful information. An information system consists (Piso) a. People Input or data Infrastructure (physical and h b. c ardware components), d. Software (processes and Procedures) e. Output or Meaningful information. Aim... Believe... Clai —— ee itChapter 6 ~ Study and Evaluation of Internal Control ignificance NOTE: Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records designed and established to: > Initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity; > Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis; > Process and account for system overrides or bypasses to controls; > Transfer information from transaction processing systems to the general ledger; > Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and changes in the recoverability of accounts receivables; and > Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized and appropriately reported in the financial statements. Communication Communication based on internal and external sources is used to disseminate important information throughout and outside of the organization, as needed to respond to and support meeting requirements and expectations. The internal communication of information throughout an organization also allows senior management to demonstrate to employees that control activities should be taken seriously. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting, Communication may take such forms as policy manuals and financial reporting manuals. Communication may be done in writing, orally or through actions of the management. As far as audit is concern, the auditor gives emphasis on the communication of financial reporting roles and responsibilities and significant matters relating to financial reporting. This includes: @. Communications between management and those charged with governance . b. External communications, such as those with regulatory authorities Believe... Claim... Page 211Chapter 6 ~ Study and Evaluation of Internal Control D. Control activities relevant to the audit Control activities are actions (generally described in policies, Procedures standards) that help management mitigate risks in order to ensure x achievement of objectives. Control activities may be preventive or detect in nature and may be performed at all levels of the organization. ive Simply stated, control activities are the policies and procedures to hel ensure that management directives are carried out. Examples of contr, activities include those relating to the following: (APIPS) ‘ a. Authorization * Specific authorization (for unusual, material, or infrequen projects) © General authorization (for regular transactions) b. Performance reviews (actual performance versus budget, forecasts and prior period performance) J ¢. Information processing (from initiation up to the eventual inclusion of transaction in financial reports) d. Physical controls (for both assets and documents) e. Segregation of duties To achieve optimum segregation of duties and responsibilities, the following functions should be performed by different employees: (I CARE) v Independent checks Y Custody of assets ¥ Authorization of transactions Y Recording of transactions v Execution of transactions However, if it is impractical to segregate the above functions, at @ minimum, three functions must be segregated. These are: (CAR) © Custody © Authorization ¢ Recording Consideration to owner-managed small businesses Generally, it is impractical to have adequate segregation of incompatible duties for owner-managed small businesses. ™ compensate for the inadequacy, the owner shall actively ant effectively conduct an oversight over the operations of the business: ie —————— Page neChapter 6 ~ Study and Evaluation of Internal Control Control activities that are relevant to the audit are: a. Those that are required to be treated as such, being control activities that relate to significant risks and those that relate to risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; or b. Those that are considered to be relevant in the judgment of the auditor, —. Monitoring of controls. Monitoring is the process of assessing the quality of internal control performance over time. It involves assessing the design and operations of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls are present and continue to function effectively. Monitoring can be accomplished through (OST) ‘a. Ongoing monitoring activities (performed by persons within the same line function) b. Separate evaluations (performed by internal auditors, audit committee, and/or external auditors) c. Combination of the two Evaluation and communication of deficiencies After the monitoring activities, the entity shall evaluate and communicate deficiencies noted. The purpose of this is for the entity to take corrective actions or introduce improvements that will make the internal controls more effective and efficient. Other Concepts: Components of Internal Control The following discussion relates to other concepts related to the different components of internal control. These concepts include: Entity-Wide Controls and Transaction Controls Requirements of Effective Internal Control Parties affecting Internal Control Internal Control Deficiencies KANN Entity-Wide Controls and Transaction Controls The five components of internal controls may differ depending on the scope of its implementation. Some controls are designed and effected across the whole Organization while others only affect certain business processes, transactions, accounts and assertions. Based on the scale of its implementation, controls may fall into two categories namely, (1) entity-wide controls and (2) transaction controls. Page 213Chapter 6 — Study and Evaluation of Internal Control [ Entity-wide | Entity-wide controls operate across the whole Organiza controls and affect numerous business Processes, accoune transactions and assertions. The ineffectiveness of 4p, controls may have pervasive effects on the organization These controls commonly include the following: Y Controls on management override Y Risk assessment process Y Monitoring of results of operations Y Financial closing and reporting controls Y_Riskmanagement policies Transaction | Transactions controls operate only at a certain leve| OF controls department in an organization and thus, affect only certain business processes, accounts, transactions and assertions, The ineffectiveness of these controls may not have pervasive effects on the organization. These controls commonly include the following: Y Periodic inventory counts ¥ Bank reconciliation v Three-way match and review of supporting documents of purchases v Review of contracts with customers for revenue recognition Requirements of Effective Internal Control For management to conclude that its system of internal control is effective, all five components of internal control and all relevant principles must be present and functioning. Being “present” implies a given component or principle exists within the design and implementation of an entity’s system of internal control. “Functioning” implies the component or principle continues to exist in the ‘operation and conduct of the control system. Moreover, to be effective, internal control components operate together in an integrated manner. Parties affecting Internal Control The effective design and implementation of an internal control system § influenced by the actions of numerous parties that can affect the system and he? an organization attain its objectives. These parties can be grouped into the following categories: 1. Internal Parties ~ These are parties that are internal to the organizatio® and are part of the internal control system. Through their cumulat® efforts, they help provide reasonable assurance that the pla" objectives of the organization are attained page 2 a Believe... ClaiChapter 6 — Study and Evaluation of internal Control These include, but are not limited to management, the board of directors, internal auditors and other entity personnel. External Parties - Parties that are external to the organization contribute to the efficacy of the internal control system through their actions that provide vital information to the entity in effecting control and achieving objectives. These include, but are not limited to, external auditors, legislators, regulators, financial analysts, bond rating agencies and media providers. Internal Control Deficiencies A major deficiency exists if an internal control deficiency or combination thereof severely reduces the likelihood of an entity achieving its objectives, In other words, if management used its professional judgment to determine that 3 control objective isn’t being met because a relevant principle or associated component isn’t present and functioning, or the five components aren’t Operating together, the entity has a major deficiency. AUDIT PROCEDURES: RESPONSES TO ASSESSED RISKS The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. Moreover, the auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. The succeeding diagram is a summary of procedures performed during the Study and evaluation of internal control to appropriately respond to assessed level of risks at assertion level: Page 215d Evaluation of Internal Control Study and Evaluation of Internal Contro} (B) Further audit procedures Chapter 6 - Study ani Procedures Performed in (A) Risk assessment procedures Control risk at maximum Obtain an Make a preliminary level (A.2.1) understanding of |» assessment of the internal Control Risk (A.2) = Control ris| control (A.1) oat i rato ) maximum control level (A.2.2) te), Perform Control risk at { Substantive tests |] maximum level (8.3) (8.2.1) Makea reassessment Of Contro Rk Perform Control risk at (82) | Substantive tests }¢—} below maximum (8.3) level (8.2.2) ‘A. RISK ASSESSMENT PROCEDURES 1. Obtain an understanding of internal control relevant to the audit As required by the standard, the auditor shall obtain an understanding of internal control relevant to the audit. When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design and implementation of the controls by performing procedures in addition to inquiry of the entitys personnel. a. Design of the controls. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, capable of effectively preventing, or detecting and correcting material misstatements. b. Determine whether controls have been implemented Implementation of a control means that the control exists and tht the entity is using it. There is little point in assessing # implementation of a control that is not effective, and so the desé" of a control is considered first. An improperly designed contro! may represent a material weakness in the entity’s internal control. IMPORTANT NOTES: ¥ When obtaining an understanding, the auditor focuse® . the design and implementation and not on effectivenes* SS Page 6 Aim. ClairChapter 6 - Study and Evaluation of Internal Control v Effectiveness of the controls is evaluated during tests of controls since procedures performed are not sufficient to test the controls. Specific audit procedures Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include: Inquiring of entity personnel. Observing the application of specific controls. Inspecting documents and reports. Tracing transactions through the information system relevant to financial reporting (This may be done by performing “walk- through” tests). NOTE: Inquiry alone is not sufficient for such purposes. “54% A Documentation PSA 315 requires the auditor to document the following: a. The discussion among the engagement team and the significant decisions reached; b. Key elements of the understanding obtained regarding ¥ each of the aspects of the entity and its environment; v_ each of the internal control components; Y sources of information from which the understanding was obtained; and Y tisk assessment procedures performed. ¢. The identified and assessed risks of material misstatement at the financial statement level and at the assertion level; and d. The risks identified, and related controls about which the auditor has obtained an understanding. Form and content The manner of documentation may vary and is a matter of auditor’s using professional judgment. The form and extent of the documentation is influenced by Y nature, size and complexity of the entity and its internal control; Y availability of information from the entity; and ¥ audit methodology and technology used in the course of the audit. Believe... Claim. Page 217jon of Internal Control i Chapter 6 ~ Study and Evaluat! monly used forms of Contry om The most well-known and ¢ documentation include: arts to describe the flow of a tors use flowc ivi “ Flowchart as well as the relevant documentation, The», through a dos — a graphical representa” ut of a flowchart Is a process map — a grap! ation of vents performed by a group of panned maps 2m hey auditors better understand business prores ave time oy communicating and confirming us races wn management; _ identify risks, controls, nae es, ang inefficiencies; and develop recommendation: for improvement They enhance supervisory review and provide a method recording systems in considerable detail b. Narrative Descriptions. Narratives describe process flows in written form, without graphical representations. They provide a usefy supplement to flowcharting documentation by detailing existing practices and thereby minimizing potential misunderstandings Independently, however, narrative descriptions do not serve as an effective tool for process description — they can be lengthy and difficult to review, and typically are not considered user-friendly, c. Internal Control Questionnaires. Effective ICQ documents comprise a carefully structured, logically sequenced series of questions that help management and internal auditors document processes and highlight control gaps, strengths, and weaknesses within a system, Typically, ICQs present information in a format that is easy to understand and help simplify and expedite the control evaluation process, d. Risk and Control Matrices. Risk and control matrices link controls with control objectives and related risks. They are designed both to document risks and controls and to facilitate evaluation of the design and effectiveness of the control system. Policy and Procedure Manuals. Policy and procedure manuals establish @ systematic framework and sound guidelines for the specific processes and activities Of an organization, facilitating effective implementation of business strategy on both a strategic and operational level. IMPORTANT NOTES: ¥ Noone particular form of docume: v For recurring audits, forward, updated as n business or Processes, ntation is required. . certain documentation may be cartied }ecessary to reflect changes in the entityChapter 6 - Study and Evaluation of Internal Control ¥ Regardless of the specific methods used, auditors should pay close attention to the control documentation process since control evaluations cannot be performed effectively unless all key risks and controls are adequately identified and documented. 2. Make a preliminary assessment of control risk After obtaining an understanding of the accounting and internal control systems, the auditors should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. Assessment to be made may either be (1) at high or maximum level; or (2) at less than high or below maximum level. High or maximum level The auditors ordinarily assess control risk at a high level for some or all assertions when: Y the entity's accounting and internal control systems are not effective; or Y evaluating the effectiveness of the entity's accounting and internal control systems would not be efficient. This assessment is commonly known as: a. “no reliance approach” since this assessment will lead the auditor not to rely on the controls. b. “primarily substantive approach” since the auditor will rely heavily on substantive tests. Less than high or below maximum level The preliminary assessment of control risk for a financial statement assertion should be high unless the auditors: Y are able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct a material misstatement; and Y plan to perform tests of control to support the assessment. This assessment Is also known as “reliance approach” since the auditor will place reliance on the controls identified. B, FURTHER AUDIT PROCEDURES When developing the further audit procedures, the auditors consider the preliminary assessment of control risk (in conjunction with the assessment of inherent risk) to determine the appropriate detection risk to accept for the financial statement assertions and to determine the nature, timing and extent of substantive procedures for such assertions. Aim... Believe... Claim... Page 219| control - Evaluation of Internal Cor een er ie auditor is to obtain sufficient appropriate audit vid e 0 bout the assessed risks of material misstatemen's through desig * implenmenting appropriate responses to spammer eal © ache : objective, the auditor shall design and HO qatement ‘t reo ‘ sddress the assessed risks of material ™ fran il statement level. perform further audit procedures whose nay, timing, and extent are based on and are responsive to the assessed Tike g material misstatement at the assertion level. Again, further audit procedin, include (1) Tests of controls and (2) Substantive tests. audit procedures to be performed, the auditor shal s for the assessment given to the risk of materiy r each class of transactions The auditor shall design and In designing the further a. Consider the reason: misstatement at the assertion level fo account balance, and disclosure, including: The likelihood of material misstatement due to the particuls, characteristics of the relevant class of transactions, account balance or disclosure (ie., the inherent risk); and Whether the risk assessment takes account of relevant controls (¢, the control risk), thereby requiring the auditor to obtain aude evidence to determine whether the controls are operating effectively (i., the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and b. Obtain more persuasive audit evidence. Perform tests of control Definition Test of control is an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. = _ To determine the nature, timing, and extent of tests of controls, the auditor should give adequate consideration to controls relevant to the audit. The quality of the entity’s internal control can have a significant impact in determining the nature, timing and extent of the audt procedures in gathering audit evidence related to class of transactions account balances and disclosures. Objective The auditor shall design and perform tests of control to obtain sufficie™ appropriate audit evidence as to the operati i eleva entire wars perating effectiveness of F 1-9 eet) PageChapter 6 — Study and Evaluation of Internal Control a, The auditor's assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (ie,, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or b. Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. Furthermore, another major objective of tests of control is for the auditor to obtain sufficient appropriate evidence to support the preliminary assessment of control risk at less than high or below maximum level. NOTE: Auditor will only test controls that he or she plans to rely on. Specific procedures Tests of controls over the design of a policy or procedure include Y Inquiry; Y Observation (including walk-through tests); Y Inspection; and Y Reperformance; and Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other audit procedures are performed in combination with inquiry. In this regard, inquiry combined with inspection or reperformance may provide more assurance than inquiry and observation, since an observation is pertinent only at the point in time at which it is made. Recurring audit In case of recurring audit, the auditor shall establish the continuing relevance of the evidence from a previous audit about the operating effectiveness of specific controls by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing inquiry combined with observation or inspection, to confirm the understanding of those specific controls, and: a. Ifthere have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. Aim... Believe... Claim. Page 221trol Chapter 6 - .d Evaluation of Internal Con } vib tthe have not been such changes, ceeraaen te : third audit, and shall teg controls at least once in every i t controls each audit to avoid the possibility of bedi all the Contog on which the auditor intends to rely in @ single audit periog witha testing of controls in the subsequent two audit periods. Significant Risk Definition Significant risk is an identified and assessed risk of Mater misstatement that, in the auditor's judgment, requires speciaj aug consideration. Auditor's consideration a. 7 The auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following: a. Whether the risk is a risk of fraud; b. Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention; c. The complexity of transactions; d. Whether the risk involves significant transactions with related parties; e. The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and f. Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. Controls over significant risk When the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity’s controls, including control activities, relevant to that risk. When the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those contro in the current period even if there were no significant changes that have occurred from those controls,Chapter 6 — Study and Evaluation of Internal Control 2, Make a re-assessment of control risk After testing the controls, the auditor shall make a reassessment of control risk. The table below is a summary of the effect of reassessment of control risk on audit approach. _ ema Aporosch Effect on Substantive Test Assessment remains | Reliance Y Less effective procedures at Less than High approach Y Interim testing may be appropriate ¥ Smaller sample size Assessment is | Switch to no | Y More effective changed to High Reliance procedures approach v Tests moved to nearer or at year-end v Larger sample size NOTE: The assessment of control risk is inversely related to the amount of detection risk. 3. Perform substantive procedures Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure. Substantive testing concepts are discussed in details in Chapter 8 DOCUMENTATION Below is a summary of the required documentation by the standards related to. study and evaluation of internal control. Control Risk Understanding of Control risk Basis for the Assessment internal control assessment control risk assessment High Yes Yes No Less than high Yes Yes Yes COMMUNICATION The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their respective attentions. Page 223i 1 Control Chapter 6 - Study and Evaluation of Internal Co The table below presents a summary of required communications "elatng identified deficiencies: Se | _ Definition _ Requirement control is designed, | Determine, on the bagi + "Deficiency in| A internal implemented or operated in the audit work perform i control such a way that it is unable to | whether, individually o, i prevent, or detect and correct, combination, the misstatements in the financial | constitute Sieniticon statements on a timely basis; | deficiencies. or | A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. | ‘Significant’ | A deficiency or combination of | Communicate in writing | deficiency in | deficiencies in internal control | significant deficiencies in| internal that, in the —_auditor’s | internal control identified control professional judgment, is of | during the audit on a sufficient importance to merit | timely basis to: the attention of those charged | a.management at an | with governance. appropriate level of | | responsibility; and with those charged with governance (unless all of those charged with governance are involved in Managing the entity). | | | !Chapter 6 - Study and Evaluation of Internal Control CHAPTER 6: SELF-TEST EXERCISES DISCUSSION QUESTIONS Define internal control and briefly discuss its characteristics and scope. Differentiate accounting system and internal control system. Discuss the controls relevant to the audit of financial statements. Enumerate and briefly discuss the components of internal control. Determine what is meant by an internal control deficiency. Enumerate and differentiate the forms of internal control documentation. Identify the two outcomes of preliminary assessment of control risk. Define the two types of further audit procedures and determine when each must be done. 9. Discuss the importance of re-assessing the control risk. 10. Discuss the documentation and communication requirements related to the study and evaluation of internal control. ONDNEYN 6-1 TRUE OR FALSE 1. Internal control is effected by those charged with governance, management and other personnel. 2. Most controls are directed at routine or standard transactions which impose a limitation affecting their effectiveness. 3. Accounting controls promote operational efficiency and adherence to managerial policies. 4. All controls adopted by management of an entity to assist in achieving management's objectives must be considered in the audit. 5. Acommon control is uniformly designed and is implemented consistently across a single entity or location or at different entities or locations. 6. Control environment is the basis on which an effective system of internal control is built and operated in an organization. 7. The tone at the top regarding the relevance of internal control, including ethical requirements, is established by management. 8. The organizational structure also establishes the flow of information between levels in an entity. 9. The auditor shall identify the business risks relevant to financial reporting objectives of the entity and decide on how to manage those risks. 10. Communication and information are vital in making all relevant Parties understand internal control responsibilities and the importance of internal Control in achieving objectives. bp-rsen-sereepeesrrseeeeee Aim... Believe... Clai Page 225 _....................._.... —t—eChapter 6 — Study and Evaluation of Internal Control 6 — 2 TRUE OR FALSE 1 10. 11, 12. 33. 14. Control activities are designed to detect risks at different levey, ; Of thy organization to ensure the achievement of its objectives. At least majority of the five components of internal contro} Must be implemented and be operated effectively to ensure attainmeng objectives. Segregation of duties over cash receipts and recording is an example of entity-wide control. a After assessing the inherent risk, the auditor may judge to proceed direct, in performing substantive procedures without consideration of int, control. ermal In order to test the controls, their design and implementation are being evaluated. Business process narratives, process maps, risk and control matrices are some of the commonly used forms of control documentation. A gap in internal control may be identified through an effective interns control questionnaire which highlights strengths and weaknesses of the system through a structured series of questions. If the results of inquiry of entity personnel show no changes in the entitys Processes, the prior year documentation of controls may be carried forward Test of controls are designed to obtain sufficient and appropriate evidence as to the operating effectiveness of relevant controls. If an understanding of the design and implementation of a control is obtained, its operating effectiveness must likewise be evaluated. Inquiry alone is not enough to test the Operating effectiveness of controls. If the control risk assessment is set at the maximum level, the auditor is required to document the basis for such judgment. A material weakness in internal controls is Present when a deficiency combination of deficiencies in internal Control is of sufficient importance t merit the attention of those charged with governance. If a significant deficiency in internal control has been identified, the audito” shall communicate those in writing to governance. Management or to those charged wit? page 26