Here is how I would explain the trade-offs between tests of controls and substantive procedures based on the table: If control risk is assessed at the maximum level, regardless of inherent risk, the auditor would need to perform substantive procedures with the lowest level of detection risk (highest scope). This means performing a high level of substantive procedures. However, if the auditor performs tests of controls and determines controls are effective, they can assess control risk at a lower level. For example, if controls are effective in addressing some inherent risks, control risk could be assessed at a moderate level. In that case, for a moderate inherent risk, the auditor could perform substantive procedures with a moderate detection risk (moderate scope). This allows the auditor to reduce the

1. 7-1
Chapter 5 Internal Control

2. Internal Control
A process, effected by the entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding,
achievement of (the entity’s) objectives relating to:
❑Operations
❑Reporting, and
❑Compliance

3. Control Objectives
In each area of internal control (Reporting, Operations and
Compliance)
◦ Control objectives and
◦ Sub objectives exist
External Reporting Example: Accounts Receivable (A/R)
Top level objective – prepare and issue reliable financial information
◦ Detailed level applied to A/R sub objectives
◦ All goods shipped are accurately billed in the proper period
◦ Invoices are accurately recorded for all authorized shipments and only for such
shipments
◦ Authorized and only authorized sales returns and allowances are accurately
recorded
◦ The continued completeness and accuracy of A/R is ensured
◦ Accounts receivable records are safeguarded

4. Foreign Corrupt Practices Act
Passed in 1977 in response to American corporation
practice of paying bribes and kickbacks to officials in
foreign countries to obtain business
The Act
◦ Requires an effective system of internal control
◦ Makes the payment of bribes to foreign officials illegal

5. Components of Internal Control - CRIME
The Control Environment
Risk Assessment
Control Activities
Information System Relevant to Financial Reporting and
Communication
Monitoring Activities

6. Control Environment
Commitment to integrity and ethical values.
Board of directors demonstrates independence from
management and exercises oversight of internal control.
Establishment of effective structure, including reporting
lines, and appropriate authorities and responsibilities.
Commitment to attract, develop, and retain competent
employees.
Holding employees accountable for internal control
responsibilities.

7. Risk Assessment
Clearly specify ROC objectives to allow the
identification and assessment of risks related to
those objectives.
Identify and analyze risks to the achievement of its
objectives to determine how they may be
managed.
Consider potential fraud relating to the
achievement of objectives.
Identify and assess changes that could impact
internal control.

8. Control Activities
Performance reviews
Transaction control activities
Physical controls
Segregation of duties
◦ Segregate Proper authorization, access, recording, and custody of assets (SPARC)
◦ Fundamental principle – ensure two or more persons participate in every transaction

9. Objectives of an Accounting Information System
Identify and record valid transactions
Describe on a timely basis the transactions in sufficient
detail to permit proper classification of transactions
Measure the value of transactions appropriately
Determine the time period in which the transactions
occurred to permit recording in the proper period
Present properly the transactions and related disclosures in
the financial statements

10. Monitoring
Ongoing monitoring activities
◦ Regularly performed supervisory and management activities
◦ Example: Continuous monitoring of customer complaints
Separate evaluations of internal control
◦ Performed on nonroutine basis
◦ Example: Periodic audits by internal audit

11. Controls over Financial Reporting
Preventive
◦ Aimed at avoiding the occurrence of misstatements in the financial
statements
◦ Example: Segregation of duties
Detective
◦ Designed to discover misstatements after they have occurred
◦ Example: Monthly bank reconciliations
Corrective
◦ Needed to remedy the situation uncovered by detective controls
◦ Example: Backups of master file
Controls overlap
◦ Complementary – function together
◦ Redundant – address same assertion or control objective
◦ Compensating – reduces risk existing weakness will result in misstatement

12. Limitations of Internal Control
Errors may arise from misunderstandings of
instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of
duties may be circumvented by collusion
Management may override the structure
Compliance may deteriorate over time

13. Enterprise Risk Management (ERM)
COSO issued a framework in 2004 (revised in 2017) on
Enterprise Risk Management (ERM). It does not replace
the original COSO internal control framework.
It goes beyond internal control to focus on how
organizations can effectively manage risks and
opportunities.
The auditing standards are still structured around the
original COSO internal control framework but the risk
management framework is useful in evaluating the risk
assessment component of internal control.

14. Auditors’
Consideration of
Internal Control
Roadmap

15. Auditors’ Overall Approach with Internal
Control
Review: Overall approach of an audit
1. Plan the audit
2. Obtain an understanding of the client and its environment, including
internal control
3. Assess the risks of material misstatement and design further audit
procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal
control in financial statement audits

16. Obtain an understanding of the client and its
environment, including internal control
The understanding of internal control is used to help the auditors
to
◦ Identify types of potential misstatements
◦ Consider factors that affect the risks of material misstatement
◦ Design tests of controls (when applicable) and substantive procedures
Auditors must consider all five internal control components
◦ Control environment
◦ Accounting information system
◦ Risk assessment
◦ Control activities
◦ Monitoring
In doing so, the auditors should also consider areas difficult to
control like non-routine transactions

17. Obtaining the Understanding
Procedures include
◦ Inquiring of entity personnel
◦ Observing the application of specific controls
◦ Inspecting documents and reports
◦ Tracing transactions through the information system relevant to financial reporting
May also obtain evidence on operating effectiveness of various controls

18. Documenting the Understanding of Internal Control
Questionnaires
◦ Typically standardized by firm
Written Narratives
◦ Memos that describe flow of transactions
Flowcharts
◦ Systems flowcharts
Walk-through
◦ Trace one or two transactions through cycle

21. 7-21
Flowchart Symbols

23. Assess the Risks of Material Misstatement
General approach
◦ Identify risks while obtaining an understanding of the client
and its environment, including its internal control
◦ Relate the identified risks to what can go wrong at the relevant
assertion level
◦ Consider whether the risks are of a magnitude that could result
in a material misstatement
◦ Consider the likelihood that the risks could result in a material
misstatement

24. The Nature of Transactions
Consider the nature of the transactions
◦ Routine transactions—e.g., revenue, purchases, and cash receipts and
disbursements
◦ Non-routine transactions—e.g., taking of inventory, calculating depreciation
expense
◦ Estimation transactions—e.g., determining the allowance for doubtful accounts
Generally routine transactions have the strongest
controls

25. Assessing Risks at the Financial
Statement Level
Examples
◦ Preparing the period-end financial statements, including the development
of significant accounting estimate and preparation of the notes
◦ The selection and application of significant accounting policies
◦ IT general controls
◦ The control environment
Responses to high risks
◦ Assigning more experience staff or those with specialized skills
◦ Providing more supervision and emphasizing the need to maintain
professional skepticism
◦ Incorporating additional elements of unpredictability in the selection of
further audit procedures to be performed
◦ Increasing the overall scope of audit procedures, including the nature,
timing or extent

26. Assessing Risks at the Assertion Level
Examples
◦ Failure to recognize an impairment loss on a long-lived asset affects only the
valuation assertion
◦ Inaccurate counting of inventory at year-end affect the valuation of inventory and
the accuracy of cost of goods sold
Responses
◦ Decisions are made here as to the appropriate combination of tests of controls and
substantive procedures

27. Perform Further Audit Procedures – Test of Controls
Approach:
◦ Identify controls likely to prevent or detect material
misstatements
◦ Perform tests of controls to determine whether they are
operating effectively
Tests of controls address:
◦ How controls were applied
◦ The consistency with which controls were applied
◦ By whom or by what means (e.g., electronically) the controls
were applied

28. Perform Further Audit Procedures – Test of Controls
Tests of controls include:
◦ Inquiries of appropriate client personnel
◦ Inspection of documents and reports
◦ Observation of the application of controls
◦ Reperformance of the controls
The results of the tests of controls are used to determine the nature, timing
and extent of substantive procedures

29. Effects of Data Analytics
Data analytics may be used to perform tests of controls (operating
effectiveness); auditors may test controls over the entire population of
transactions rather than a sample
Will use Urgent Medical Device as an example

30. Use of the Work of Internal Auditors
Work of Internal Auditors may be used in two ways:
◦ Obtaining audit evidence by using the internal auditors’ work performed as a part of
their normal responsibilities, and
◦ Using internal auditors to provide direct assistance on the external audit.

31. Service Organizations
Computer service organizations provide processing services to customers who
decide not to invest in their own processing of particular data
Examples: Outsource processing of payroll or Internet sales; storage of data
and records in the service organization’s Cloud

32. Service Organizations
Auditor should obtain understanding of the outsourced
function by following one or more of:
◦ Contacting service organization to obtain information.
◦ Visiting service organization an performing necessary
procedures.
◦ Obtaining a report from service organization
Terms
◦ Service auditor—provides examination of service
organization’s controls.
◦ User Auditor—Uses that report.

33. 7-33
Service Organizations
Types of Service Auditor Reports
◦ Type 1—Management’s description of the system and
the auditor’s assessment of the suitability of the
design of controls
◦ Type 2—Attributes of 1, plus assurance on the
operating effectiveness of controls
◦ A Type 2 report may provide the user auditor with a basis for
assessing control risk below the maximum.

34. 7-34
Relationships Among Deficiencies
Deficiency in
Internal Control
Less than
Significant
Significant
Deficiency
Material
Weakness

35. Internal Control in the Small Company
Due to lack of employees, internal control is seldom strong in
small businesses
Specific practices for small businesses
◦ Record all cash receipts immediately
◦ Deposit all cash receipts intact daily
◦ Make all payments by serially numbered checks, with exception of petty
cash disbursements
◦ Reconcile bank accounts monthly and retain copies
◦ Use serially numbered invoices, purchase orders, and receiving reports
◦ Issue checks to vendors only in payment of approved invoices that have
been matched with purchase orders and receiving reports
◦ Balance subsidiary ledger with control accounts
◦ Prepare comparative financial statements monthly to disclose significant
variations in any category of revenue or expense

36. Assume that you have been hired by Willington, CPA, as a new staff assistant. He informs you that his approach
to audits has always been to assess control risk at the maximum and perform all the substantive procedures he
considers necessary. However, he has recently read an article in The Journal of Accountancy that indicates that a
more efficient audit may sometimes be achieved by performing some tests of controls and thereby assessing
control risk at a lower level. Willington shows you the following table that came from the article:
Assessed Level of Control Risk
Inherent
Risk Low Moderate Maximum
Low Highest allowable detection risk
(lowest allowable scope of
substantive procedures)
High detection risk (low
scope of substantive
procedures)
Moderate detection
risk (moderate scope of
substantive procedures)
Moderate High detection risk (low scope
of substantive procedures)
Moderate detection risk
(moderate scope of
substantive procedures)
Low detection risk (very high
scope of substantive
procedures)
Maximum Moderate detection risk
(moderate scope of
substantive procedures)
Low detection risk (very
high scope of substantive
procedures)
Lowest detection risk (highest
scope of substantive
procedures)
Willington understands that the table is only for illustrative purposes and that other “in between” levels of the
various risks are possible, but he wants you to use the ones in the table to help him understand the trade-offs
between tests of controls and substantive procedures. He understands that these risks would be assessed at the
assertion level for the various accounts, but he wants to better understand how the various tests performed in an
audit “tie together.” To keep things simple, he says to assume that inherent risk is at the maximum level in all
cases.