STUDY AND

EVALUATION OF
INTERNAL CONTROL
INTERNAL CONTROL

• The process, devised, implemented, and maintained by those charged

with governance, management, and other personnel in order to provide
reasonable assurance that an entity’s objectives will be met.
• Take note: due to inherent limitations of any system of internal control,
an effective internal control can only minimize but not eliminate
material misstatements, whether due to fraud or error.
INTERNAL CONTROL: INHERENT LIMITATIONS

• Management overriding the internal control.

• Circumvention of internal controls through the collusion among employees.
• The cost-benefit relationship is a primary criterion in designing internal control, that is, the cost of a
control should not exceed its expected benefits.
• Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
• The potential for human error due to carelessness, distraction, mistakes of judgment and the
misunderstanding of instructions.
• The possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures may deteriorate.
• Segregation of duties may be difficult to achieve in a smaller entity.
Internal Control is designed to help achieve
the entity’s objectives
• Financial reporting objective: this objective relates to reliability of
financial reporting.
• Operational effectiveness objective: this objective is intended to
enhance effectiveness and efficiency of operations.
• Compliance objective: this objective relates to entity’s compliance with
applicable laws and regulations.
Classification of internal control

• According to objectives:
financial reporting controls: controls to achieve reliability of financial
reporting objective.
operational effectiveness controls: controls to achieve operational
effectiveness objective.
compliance controls: controls to achieve compliance objective.
Classification of internal control

• According to functions:
preventive controls: to deter problems before they arise which includes
segregation of employee duties and control physical access to assets, facilities
and information.
detective controls: to discover problems as they arise which includes
preparing bank reconciliation and preparing monthly trial balance.
corrective controls: to remedy problems discovered with detective controls
which includes maintaining backup copies of transactions and master files
COMPONENTS OF INTERNAL CONTROL

• Control environment
• Risk assessment
• Information and communication system
• Monitoring the controls
• Existing control activities
COMPONENTS OF INTERNAL CONTROL:
CONTROL ENVIRONMENT
• It encompasses governance and management functions, and it sets the
tone for an organization through influencing people’s control
awareness. It provides discipline and structure and serves as the
foundation for effective control.
COMPONENTS OF INTERNAL CONTROL:
CONTROL ENVIRONMENT
Factors involve in the control environment includes:

• integrity and ethical values

• active participation of those charged with governance through assignment of audit

committee in overseeing financial reporting policies and practices of the entity.

• Management philosophy and operating cycle

• Assignment of authority and responsibility

• Commitment to competence

• Personnel or human resource policies and procedures

• Organizational structure
COMPONENTS OF INTERNAL CONTROL: RISK
ASSESSMENT
• The business objectives of the entity cannot be met without some risk.
• Each entity must be aware of the risks it faces. Management should
establish policies and procedures for identifying and analyzing risks to
the entity’s business, as well as taking appropriate action to mitigate
those risks. The auditor is solely concerned with risks that are relevant
to the preparation of reliable financial statements for auditing
purposes.
COMPONENTS OF INTERNAL CONTROL:
INFORMATION AND COMMUNICATION SYSTEM
• Timely information and communication are required for effective
internal control.
• Accounting system means the series of tasks and records of an entity
by which transactions are processed as a means of maintaining
financial records. The tasks identify, assemble, analyze, calculate,
classify, record, summarize and report transactions and other events.
COMPONENTS OF INTERNAL CONTROL:
MONITORING THE CONTROLS
• Refers to the process that assesses the quality of internal control performance on an
ongoing basis. Management monitoring of controls includes considering whether they
are operating as intended and that they are modified as appropriate for changes in
conditions.
• Monitoring assesses the effectiveness of the internal control performance over time.
• Management’s monitoring activities may also include using information from external
parties such as complaints from customers or comments from regulatory bodies that
may indicate problems, highlight areas in need of improvement, or require
communications relating to internal control from external auditors.
COMPONENTS OF INTERNAL CONTROL:
EXISTING CONTROL ACTIVITIES
• Control activities are the policies and procedures that help ensure
management’s directives are carried out and that necessary steps to address
risks are taken. Control activities address risks that if not mitigated would
threaten the achievement of the entity’s objectives.
• Performance reviews
• Information processing controls
• Physical controls
• Segregation of duties
COMPONENTS OF INTERNAL CONTROL:
EXISTING CONTROL ACTIVITIES ,
PERFORMANCE REVIEWS
• Review and analyses of actual performance versus budgets, forecasts,
and prior period performance.
• Relating different sets of data to one another, together with analysis of
the relationships and investigative and corrective actions.
• Comparing internal data with external sources of information
• Review of functional or activity performance (for example, sales
reports, receivable reports, etc.)
COMPONENTS OF INTERNAL CONTROL: EXISTING CONTROL
ACTIVITIES ,INFORMATION PROCESSING CONTROLS

• It ensures that transactions are valid, properly authorized, and completely and accurately recorded.
• Application controls: controls which to the processing of individual applications such as checking the
arithmetical accuracy of records, maintaining and reviewing accounts and trial balance, automated
controls such as edit checks of input data and numerical sequence checks, manual follow-up of exception
reports, controls surrounding receivables and controls surrounding payroll.
• General controls: these are controls that relate to many applications and support the effective functioning
of application controls by helping to ensure the continued proper operation of information systems.
General controls apply to information processing throughout the company, such as, program change
controls, controls that restrict access to programs or data, controls over the implementation of new
releases of packaged software applications. Controls over system software that restrict access to or
monitor the use of system utilities that could change financial data or records without leaving an audit trail
and controls over data center/network.
COMPONENTS OF INTERNAL CONTROL: EXISTING
CONTROL ACTIVITIES , PHYSICAL CONTROLS
• Physical segregation and security of assets, including adequate safeguards such as secured facilities over
access to assets and records.
• Authorization for access to computer programs and data files (for example, requiring password prior to
access)
• Authorized access to assets and records (such as through the use of computer access codes, prenumbered
forms, and required signatures on documents for the removal or disposition of assets.
• Required signatures on documents for the removal or disposition of assets.
• Periodic counting and comparison with amounts shown on control records.
• The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of
financial statement preparation, and therefore the audit, depends on circumstances such as when assets
are highly susceptible to misappropriation.
COMPONENTS OF INTERNAL CONTROL: EXISTING
CONTROL ACTIVITIES , SEGREGATION OF DUTIES

• It ensures that individuals do not perform incompatible duties. Duties

should be segregated such that the work of one individual provides a
crosscheck on the work of another individual.
• Segregation of duties is intended to reduce the opportunities to allow
any person to be in a position to both perpetrate and conceal errors or
fraud in the normal course of the person’s duties.
INTERNAL CONTROL IN SMALLER ENTITIES

• In smaller entities, there are often few employees, which can limit the extent to which
segregation of duties is practicable and the paper trail of documentation available.
• In such entities, the control environment will be very important to evaluate. This will
involve assessing the behavior, attitudes, and actions of management.
• The presence of a highly involved owner-manager can be both an internal control
strength and an internal control weakness. The strength is that the person will be
knowledgeable about all aspects of operations and that it is highly unlikely material
errors will be missed. The weakness is that the person is also in a good position to
override internal controls.
MANUAL VS. AUTOMATED CONTROLS

• Manual controls may be more appropriate than automated controls in

situations where judgment and discretion is required, such as
circumstances in which misstatements are difficult to define,
anticipate, or predict.
• Manual controls, however, may pose additional risks because they can
be more easily ignored or overridden, they are subject to human error,
and they are less consistent than automated controls.
IT BENEFITS

• The ability to process large volumes of transactions and data

accurately and consistently.
• Improved timeliness and availability of information.
• Facilitation of data analysis and performance monitoring.
• Reduction in the risk that controls will be circumvented.
• Enhanced segregation of duties through effective implementation of
security controls.
IT RISKS

• Potential reliance on inaccurate systems.

• Unauthorized access to data, which may result in loss of data and/or
data inaccuracies.
• Unauthorized changes to data, systems, or programs.
• Failure to make required changes or updates to systems or programs.
CONSIDERATION OF INTERNAL CONTROL

• It involves study and evaluation of internal control.

• The primary purpose is that to provide a basis for planning the audit to
determine the nature, timing, and extent of audit procedures.
• The secondary purpose is that to provide a basis for constructive
suggestions to management about improvements in internal control
structure.
STEPS IN CONSIDERATION OF INTERNAL
CONTROL
• Obtain sufficient understanding of the internal control relevant to the
audit.
• Perform preliminary assessment of control risk.
• Perform tests of controls
• Documentation of the understanding of accounting and internal control
systems
• Documentation of the assessed level of control risk
• STEPS IN CONSIDERATION OF INTERNAL CONTROL: Obtain
sufficient understanding of the internal control relevant to the audit.

• The auditor should use the understanding of the five components of internal control
sufficient to evaluate the design and determine if the control has been implemented.
• Evaluate the design of relevant control: involves determining whether the control,
individually or in combination with other controls, is capable of effectively preventing
or detecting and correcting material misstatements. Major emphasis in the design of
effective control includes: assets are properly detected, duties are segregated and
transactions are authorized.
• Determine whether the control has been implemented. A control has been
implemented if the control exists and is being used by the entity.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Obtain sufficient understanding of the internal control relevant to
the audit.

• Procedures to obtain evidence about the design and implementation of

controls:
• Inquiry of entity personnel
• Inspecting documents and records
• Observing of application of specific controls
• Performing a “walk-through” test- tracing a transaction through the
accounting system, from initial recording to presentation in the financial
statements.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Perform preliminary assessment of control risk

• Assess control risk at a high level:

if internal control is poor or not effective or
if it is inefficient to rely on internal control (inefficient to perform tests
of controls)
• Auditor’s response if control risk is assessed at a high/maximum level:
skip or do not perform tests of controls
rely primarily on substantive tests
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Perform preliminary assessment of control risk

• Assess control risk at less than high level:

if internal control is effective or reliable, and
if it is inefficient to obtain evidence to justify the assessment of
control risk at less than high level
• Auditor’s response if control risk is assessed at less than
high/maximum level: perform tests of controls, to confirm operating
effectiveness of controls.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Perform tests of controls

• Tests of controls are performed when the auditor plans to rely on internal control;
the auditor will only test those controls that he plans to rely upon.
• Tests of controls are performed to test the operative effectiveness, as to design
and operation, of internal controls that are likely to detect or prevent material
misstatements in support of a reduced assessed level of control risk. Thus, tests of
controls are performed to substantiate the reduce assessed level of control risk.
• Unlike substantive test of details, tests of controls are not required audit
procedure. The greater the reliance the auditor plans to place on internal control
the more extensive the tests of those controls that need to be performed.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Perform tests of controls

• Tests of controls generally consist of one (or combination of the following evidence gathering techniques.
Inquiry
Observation
Inspection
Reperformance
• If the result of test of controls does not confirm the effectiveness of controls, the auditor should revise
the preliminary risk assessment of control risk from less than high to high level. The auditor should also
make the necessary revision on the overall audit strategy, audit plan, and preliminary audit program.
• If the result of test of controls confirms the effectiveness of controls, the auditor may rely on entity’s
internal control and decrease substantive testing.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Documentation of the understanding of accounting and internal
control systems

• Internal control questionnaire: consists of a list of questions on internal

control be answered “YES” or “NO” response. A negative response is
designed to draw attention to a possible weakness in internal control.
Written explanations are required for “No” answers.
• Flowcharts: pictorial/symbolic diagram depicting the operation of a
program/system or the sequential flow of authority, processes,
transactions and documents.
• Internal control checklists: a detailed listing of ideal control measures
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Documentation of the understanding of accounting and internal
control systems

• Narrative memoranda: a written version of a flowchart. It is a description of the

auditor’s understanding of the system of internal control. Note that flowcharts
are more appropriate for documenting complex control structures, while written
narratives are more appropriate for less complex structures.
• Decision trees: are graphic illustrations that depict the logic of an operation or
process. They generally employ questions with “Yes” or “No” answers, which
direct the user to the next relevant questions.
• Decision tables: are graphic illustrations that depict the logical relationships of
a system in table form.
STEPS IN CONSIDERATION OF INTERNAL CONTROL:
Documentation of the assessed level of control risk

• If the control risk is assessed at a high level, the auditor should

document his conclusion that control risk is at a high level.
• If the control risk is assessed at less than high level, the auditor should
document: his conclusion that control risk is at less than high level and
the basis for that assessment-results of tests of controls confirming the
assessment of control risk at below high/maximum level.
Communicating with those charged with
governance and management
• Reportable conditions are significant deficiencies/weaknesses in the design or
operation of the internal control which have come to the auditor’s attention that should
be reported to the appropriate level of management such as the highest official of the
company or those charged with governance (usually to the entity’s audit committee of
the board of directors) in writing, in a formal management letter at the earliest
opportunity so that appropriate corrective actions may be taken as soon as possible.
• A deficiency may be of such magnitude as to be considered a material weakness in
internal control. A material internal control weakness is a condition in which material
errors or fraud would ordinarily not be detected within a timely period by employees in
the normal course of performing their assigned functions.
No expression of opinion on entity’s internal
control
• Consideration of internal control in financial statement audit is not
sufficient to express an opinion on an entity’s controls because only
those controls on which an auditor intends to rely are reviewed, tested,
and evaluated. The auditor is not required to identify or search for
internal control weaknesses.
Internal control weaknesses

• Weak control environment

• Weaknesses in IT general controls
• Significant business risks that have not been addressed by policies, procedures or internal controls.
• Inadequate policies and procedures in place for appropriately assessing and applying accounting
principles, determining accounting estimates and assessing their reasonableness, preparing the
financial statements and the disclosures required and safeguarding assets.
• Significant internal control activities or application controls not operating are designed, not applied
consistently by appropriate individuals, or not monitored by appropriate individuals.
• Significant deficiencies previously communicated to management or those charged with governance
that remain uncorrected after some reasonable period of time.