3. Assessing control risk- is the
process of evaluating the design
and operating effectiveness of an
entity’s internal control as to how it
prevents or detects material
misstatements in the financial
statements.
3
4. Nature of Internal Control
4 essential concepts:
1. Internal Control is a process
2. Internal Control is effected by those
charged with governance, management and
other personnel.
3. Internal Control can be expected to provide
reasonable assurance of achieving the entity’s
objectives.
4
5. These limitations include:
• Management’s usual requirement that
the cost of an internal control should not
exceed the expected benefits to be
derived.
• Most internal controls tend to be directed
at routine transactions rather than non-
routine transactions.
5
6. • The potential for human error due to
carelessness, distraction, mistakes of
judgment and the misunderstanding of
instructions.
• The possibility of circumvention of
internal controls through the collusion
among employees.
6
7. • The possibility of management overriding
the internal control.
• The possibility that procedures may
become inadequate due to change in
conditions, and compliance with
procedures may deteriorate.
7
8. 4. Internal Control is designed to help
achieve the entity’s objectives.
Internal control is geared towards the
achievement of the entity’s objectives in the
ff. categories:
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting
8
9. The objective that is most relevant to
the audit is the financial reporting
objective.
Operational and compliance objectives
may be relevant to the audit only if they
relate to data the auditor evaluates to
determine the reliability of some financial
statement assertions.
9
10. Components of Internal
Control
5 Interrelated Components of the entity’s
internal control, namely;
1.) Control Environment
2.) Risk Assessment
3.) Information and Communicating
Systems
4.) Control Activities
5.) Monitoring
10
11. 1.) Control Environment
Factors reflected in the control environment
include:
1. Integrity and ethical values
2. Management philosophy and operating
style
3. Active participation of those charged with
governance
4. Commitment to competence
5. Personnel policies and procedures
6. Assignment of responsibility and authority/
Organizational structure
11
12. 2.) Risk Assessment
3.) Information and Communicating
Systems
The information system relevant to
financial reporting objectives, which includes
the financial reporting system, consists of the
procedures and records established to
initiate, record, process, and report entity
transactions and to maintain accountability for
the related assets, liability, and equity.
12
13. An information system encompasses
methods and records that:
Identify and record all valid transactions
Describe on a timely basis the transactions
in sufficient detail to permit proper
classification of transactions for financial
reporting.
13
14. Measure the value of transactions in a manner
that permits recording their proper monetary
value in the financial statements.
Determine the time period in which
transactions occurred to permit recording of
transactions in the proper accounting period.
Present properly the transactions and related
disclosures in the financial statements.
14
15. 4.) Control Activities- are the policies and
procedures that help ensure that mgt.
directives are carried out.
Specific control procedures that are relevant to
financial statement audit would include:
Performance Reviews
Information Processing
Physical Controls
Segregation of duties
15
16. 5.) Monitoring-a process of assessing the
quality of internal control performance over time.
- is done to ensure that controls continue
to operate effectively.
Ongoing monitoring activities are built into the
normal recurring activities of an entity and
include regular mgt. and supervisory activities
(e.g. preparing bank reconciliations)
Separate evaluations are montoring activities
that are performed on a non-routine basis (e.g.
fxns performed by internal auditors).
16
17. Internal Control for a small
business
Consideration of the entity’s Internal Control
systems involves the following steps:
1. Obtain understanding of the internal
control
2. Document the understanding of
accounting and internal control systems.
3. Assess the level of control risk
4. Perform tests of controls
5. Document the assessed level of control risks
Consideration of Internal Control
17
18. Understanding Internal
Control
Obtaining an understanding of internal
control involves:
Evaluating the design of a control
Determining whether it has been
implemented
18
19. An initial understanding of the design of the
entity’s internal control systems is ordinarily
obtained by:
Making inquiries of appropriate individuals
Inspecting documents and records
Observing of entity’s activities and operation
19
20. After obtaining sufficient knowledge about the
design of the system, the auditor should
determine whether these controls have been
implemented. This is accomplished by
performing a “walk-through” test.
- Involves tracing 1 or 2 transactions through the
entire accounting systems… as a component of
an account balance in the FS.
- Confirms the auditor’s understanding of how
the accounting systems and control procedures
function.
20
21. The auditor uses the understanding of
internal control to:
Identify types of potential misstatements that
can occur
Consider factors that affect the risk of material
misstatements
Design the nature, timing and extent audit
procedures to be performed.
21
22. Documenting the auditor’s
understanding of Internal
Control
Some commonly used forms of documentation
include:
narrative description of the entity’s internal
control
flowchart that diagrams the flow of transactions
and documents
internal control questionnaire providing
management’s responses to questions about
internal control
22
23. Assessment of Control Risk
After obtaining and documenting the
understanding of the accounting and internal
control systems, the auditor should make a
preliminary assessment of control risk (100%
or < high level), at the assertion level, for
each material account balance or class
transaction.
23
24. If the auditor concludes that it is more
efficient to rely on the entity’s control
systems, the auditor would plan to assess
control risk at less than high level.
For this purpose, the auditor should;
Identify specific internal control policies or
procedure that are likely to prevent or detect
and correct material misstatement relevant to
financial assertion
Perform tests f control to determine the
effectiveness of such policies or procedures.
24
25. Performing tests of controls
Tests of controls are performed to obtain
evidence about the effectiveness of the;
Design of the accounting and internal control
systems; or
Operation of the internal controls throughout
the period.
25
26. According to PSA 400, the auditor should
obtain audit evidence through tests of
control to support any assessment of
control risk at less than high level.
The greater assessment of control risk, the
greater the support the auditor should
obtain that the internal control is suitably
deigned and operating effectively.
Thus, higher the reliance the auditor plans
to place internal control, the higher the
extensive the tests of those controls that
need to be performed.
26
27. Nature of tests of control
Tests of controls generally consist of one of
the ff. evidence gathering techniques:
1. Inquiry-searching for the right info.
2. Observation-looking at the process
performed by others
3. Inspection-examination of docs. And
records.
4. Re-performance- repeating the activity
performed by the client to determine whether
proper results were obtained.
27
28. Timing of tests of controls
In determining whether or not to test the
remaining period, the ff. must be considered:
The results of the interim tests
The length of the remaining period
Whether changes have occurred in the
accounting and internal control systems
during the remaining period.
28
29. Extent of tests of control
Assessed level of control risk- conclusion
reached as a result of the evaluation.
-used by auditors to determine the
acceptable level of detection risk.
-there is inverse relationship between
detection risk and the combined level of
inherent and control risks.
Using the result of tests of controls
29
30. In this regard, the auditor may
consider modifying:
The nature of substantive tests from less
effective to more effective procedures
The timing of substantive tests by
performing them at year-end rather than
at interim
The extent of substantive tests from
smaller to larger sample size.
30
31. Operating Effectiveness vs.
Implementation
When obtaining audit evidence of
implementation by performing risk
assessment procedures, the auditor
determines that the relevant controls exist and
that the entity is using them.
When performing tests of the operating
effectiveness of controls, the auditor obtains
audit evidence that controls operate effectively.
31
32. If the control risk is assessed at a high
level, the auditor should document his
conclusion that control risk is at a high
level.
If the control risk is assessed at < high
level, the auditor should document his
conclusion that control risk is < high and
the basis for the assessment.
Documenting the assessed
level of control risk
32
33. Communication of Internal
Control Weakness
The auditor is required to report to the
appropriate level of mgt. material
weaknesses in the design/operation of
the acc. and internal control systems,
which have come to the auditor’s
attention.
33
34. These internal control weaknesses
together with other matters of concern
are documented in a formal
management letter.
34
35. THANK YOU FOR
LISTENING!!!
Group 6:
Princess Malogao
Abdul Mujib Mambuay
Rocanisah Mampao
Mapandi
Nellyn Lou Joy C. Molit
Rahasiah Mustapha
35