Study and Evaluation of Internal Control

1. Auditor’s procedures regarding acceptance and continuance of the client relationship of the audit engagement

2. When applicable, other engagements performed by the engagement partner for the entity

In obtaining audit evidence by performing RAP, the auditor shall consider the following information from:

1. Entity and its environment

2. The applicable financial reporting framework

3. How inherent factors affect susceptibility of assertions to misstatements

In risk assessment, the auditor should obtain the understanding of:

Internal Control

The process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives

Policies

These are declarations or statements on what should be or should not be done within the entity to implement controls

Procedures

These are steps taken to put policies into action

• Human Judgement

• Breakdowns in controls

• Errors or mistakes

• Collusion

No system of internal control is perfect, limitations include:

1. Reliability of financial reporting (main concern of auditor)

2. Efficiency and effectiveness of operations

3. Compliance with internal and external requirements

The entity’s objectives in the system of internal control includes:

Direct Controls

These refers to controls that sufficiently precise to prevent, detect, or correct misstatements at the assertion level

1. Control Activities

2. Information system and communication

kinds of direct controls

Indirect Controls

Controls that supports the direct controls

1. Risk assessment process

2. Monitoring of controls

3. Control environment

Kinds of indirect controls

CRIME

1. Control Activities

2. Risk assessment procedures

3. Information system and communication

4. Monitoring of controls

5. Control environment

Components of Internal Control

Control Activities

Are policies and procedures to help ensure that management directives are carried out. Examples are authorization, performance reviews, information processing, physical controls, and segregation of duties

Risk Assessment Process

The entity’s process for identifying and responding to business risks and results thereof.

Information System

This consists of infrastructure (physical and hardware components), software, people, procedures, and data.

Communication

This involves providing an understanding of individual roles and responsibilities pertaining to internal controls

Monitoring of Controls

This involves assessing the design and operation of controls on a timely basis and taking corrective actions modified for changes in conditions.

Control Environment

This includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

1. Narratives

2. Internal Control Questionnaires

3. Flowcharts

The methods of documentation

Narratives

A method of documentation that is easy to create, but may become unwieldy/lengthy. This requires review and editing and best partnered with flowcharts

Internal Control Questionnaires

This is a servey type method of documentation that is easy to use as it is logically and carefully sequenced. It highlights the weakeness in the system but might be inflexible in certain cases.

Flowcharts

This is a method of documentation that uses visual representation. It is easy to read for fast review and assessment. This is best partnerd with narratives. However, this requires skills in preparation and presentation.

1. How were the controls applied

2. Were the controls applied consistnely

3. Who performed these controls

Questions to ask while performing Test of Controls

once every 3rd year

For reccuring audits, if the controls have not changed, it is tested at least?

Increased Professional Skepticism, Experienced Team Members, and Unpredictability of Audit Procedures

The overall response at the Risk of Material Misstatements at the FS level includes

Set CR at high or maximum (100%) making RMM equal to IR

What is the preliminary assessment of CR if controls are missing, seem unreliable, or it is not efficient to test controls

Assess preliminary CR at less than high or below maximum (100%)

What is the preliminary assessment of CR if controls seem reliable

1. Obtain an understanding of, and evaluate the client’s internal control

2. Make a preliminary assessment of CR

3. Determine the appropriate response to preliminary CR assessment

4. Reassess the CR

5. Determine the nature, extent, and timing of substantive tests

These are the auditor’s consideraion of internal control

• More effective (more ToD, less Analytical Procedures)

• Larger sample size

• Year end

If the reassed CR is still at high or at maximum, the appropriate nature, extent, and timing of subtantive tests shall be

• Less effective (less ToD, more analytical procedures)

• Smaller sample size

• Interim plus year end

If the reassed CR is still at low or at below maximum, the appropriate nature, extent, and timing of subtantive tests shall be

• Management’s oversight responsibilities

• Independence and oversight by those charged with governance

• Assignment of authority and responsibility

• Attract, develop, retain competent individuals

• Hold individuals accountable for responsibilities

The necessary understanding of Control Environment are

• Culture of honesty and ethical behavior

• Control environment provides an appropriate foundation for other components of Internal Control

• Control deficiencies identified undermine other components of Internal Controls

The following are evaluated by the auditor in Control Environment

• Identifying business risks relevant to financial reporting objectives

• Estimating the significance of the risks

• Assessing the likelihood of their occurance

• Deciding about actions to address those risks

The necessary understanding of Risk assessment process are

The appropriateness of risk assessment process of the client

This is evaluated by the auditor in Risk Assessment Process

• On going and separate evaluations for monitoring the effectiveness of controls

  • Identification and remediation of control deficiencies identified

• Internal audit function

• Sources of Information used for monitioring of controls

The necessary understanding of Monitoring of Controls are

Appropriateness of Monitoring Process

This is evaluated by the auditor in Risk Assessment Process

• Information processing activities data and infomation resources used

• Policies that define , for significant classess of transactions, account balances and disclosures.

The necessary understanding of Information System and Communication are

• Whether the Internal System and Communication appropriately support the preparation of the entity’s FS in accordance with the applicable financial reporting framework

This is evaluated by the auditor in Information system and Communication

• Identifying controls that address risk of material misstatement at the assertion level

  • IT applications and other aspects of the entity’s IT environment that are subject to risk arising from the use of IT

  • Related risks arising from the use of IT, and the general controls that address these risks

The necessary understanding of Control Activities are

Design and implementation of the control

This is evaluated by the auditor in Control Activities