CHAPTER 6: STUDY AND
EVALUATION OF INTERNAL
CONTROL
PREPARED BY: INST. JOHN PAUL C. DE GUZMAN, CPA
INTERNAL
CONTROL
• It is the process designed,
implemented, and maintained by
TCWG, management, and other
personnel to provide reasonable
assurance about the achievement of
an entity’s objectives with regard to:
Reliability of financial reporting
Effectiveness and efficiency of
operations
Compliance with applicable laws and
regulation
CHARACTERISTICS OF INTERNAL CONTROL
• It is a process.
• It is designed and implemented by entity’s personnel.
• It provides reasonable assurance of achieving its objectives.
• It is geared towards the attainment of the entity’s objectives.
INHERENT LIMITATIONS OF INTERNAL CONTROL
• Cost-benefit consideration
• Management overriding the control
• Circumvention of controls through collusion with parties outside the entity or with employees of the entity
• Procedures may become inadequate due to changes in condition and compliance with procedures may deteriorate
• The potential of human error due to carelessness, distraction, mistakes of judgment or misunderstanding of instructions
• The fact that most controls tend to be directed at anticipated (routine) types of transactions and not at unusual (non-routine) transactions
COMPONENTS OF INTERNAL CONTROL
• Control Environment
• Risk Assessment Process
• Information system and communication
• Monitoring the system of internal control
• Control Activities
CONTROL
ENVIRONMENT
• It sets the internal culture of the
organization. It creates the tone at
the top by influencing the control
consciousness of its people and
provides the overall foundation for the
operation of the other components of
the entity’s system of internal control.
ELEMENTS OF CONTROL
ENVIRONMENT (OLD)
• Commitment to competence
• Human resources policies and
procedures
• Assignment of authority and
responsibility
• Management’s philosophy and
operating style
• Participation of those charged with
governance
• Organizational structure
• Communication and enforcement of
integrity and ethical values
ELEMENTS OF CONTROL ENVIRONMENT (NEW)
• Attracts and develops competent individuals in alignment with its objectives
• Assigns authority and responsibility in pursuit of its objectives
• Maintaining entity’s culture and demonstrating management’s commitment to integrity and ethical values
ELEMENTS OF CONTROL ENVIRONMENT (NEW)
When Those charged with governance are separate from
management, how do those TCWG demonstrate
independence from management and exercise oversight of
the entity’s system of internal control
Holds individuals accountable for their responsibilities in
pursuit of the objectives of the entity’s system of internal
control
EVALUATING CONTROL ENVIRONMENT
• Management, with the oversight of TCWG, has created and maintained a culture of honesty and ethical behavior
• Provides an appropriate foundation for the other components of the entity’s system of internal control considering the nature and complexity of the entity
• Control deficiencies identified in the control environment undermine the other components of the entity’s system of internal control.
RISK
ASSESSMENT
PROCESS
• It is the entity’s process for identifying
and responding to business risk
and the results thereof
• When there is change, there is
risk.
RISK ASSESSMENT PROCESS
RELEVANT TO AUDIT
• Identify business risks relevant to financial reporting
• Assess significance and likelihood of risks
• Manage or address the risks
EVALUATING THE
ENTITY’S RISK
ASSESSMENT PROCESS
• Through the evaluation, the
auditor understands where the
entity has identified risks that
may occur, and how the entity
responded to those risks.
• The evaluation may assist the
auditor with identifying and
assessing FS level and
assertion level risks of material
misstatement.
INFORMATION SYSTEM
AND COMMUNICATION
• Information is obtained or generated
by management from both internal
and external sources to support
internal control components.
• Communication involves providing an
understanding of individual roles and
responsibilities of the entity’s system
of internal control.
RELEVANT OBJECTIVES OF INFORMATION SYSTEM
• Initiate, record, and process entity transactions
• Resolve incorrect processing of transactions
• Process and account for system from transaction processing
in the general ledger.
• Incorporate information from transaction processing in the
general ledger.
• Capture and process information relevant to the preparation
of the financial statements.
EVALUATING THE ENTITY’S
INFORMATION SYSTEM AND
COMMUNICATION
• The auditor shall evaluate whether it appropriately
supports the preparation of the entity’s financial
statements in accordance with the applicable financial
reporting framework.
MONITORING THE
SYSTEM OF INTERNAL
CONTROL
• Monitoring is the process of
assessing the quality of internal
control performance over time.
• It involves assessing the design and
operations of controls on a timely
basis and taking necessary corrective
actions.
TYPES OF MONITORING ACTIVITIES
• Ongoing monitoring activities
• Separate evaluations
• Combination of ongoing and separate evaluations
SUPERVISORY
REVIEWS
• They are not automatically classified as
monitoring activities, and it may be a
matter of judgment whether such
review is classified as control related to
the information system or monitoring
activity.
• Controls related to information system
– specific risks
• Monitoring activity – assess whether
controls within each component of
internal control are operating as
intended
EVALUATING THE ENTITY’S MONITORING PROCESS
• It assists the auditor in understanding whether the other components of the system of internal control are present and functioning, and therefore assists with understanding the other components of the entity’s system of internal control
CONTROL
ACTIVITIES
• These are actions that help
management mitigate risks to ensure
the achievement of objectives.
INFORMATION
PROCESSING
CONTROLS
• These are procedures that support
the effective implementation of the
entity’s information policies.
• They may be automated or manual and
may rely on other controls, including
other information processing controls
or general IT controls.
CATEGORIES OF CONTROL ACTIVITIES (OLD)
• Physical controls
• Authorization
• Performance reviews
• Segregation of duties
• Information processing
CATEGORIES OF CONTROL ACTIVITIES (NEW)
• Physical or logical controls
• Authorization and approvals
• Reconciliations
• Inspections or verifications
• Segregation of duties
THREE FUNCTIONS THAT MUST BE SEGREGATED
• CUSTODY OF ASSETS
• AUTHORIZATION OF TRANSACTIONS
• RECORDING OF TRANSACTIONS
EVALUATING CONTROL ACTIVITIES
As to Design
• Whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting, material misstatements
As to Implementation
• The control exists and that the entity is using it
CAVEAT!
• When obtaining an understanding, the auditor focuses on the design and implementation and not the effectiveness
• The effectiveness of the controls is evaluated during the tests of controls since procedures performed are not sufficient to test the controls
SPECIFIC AUDIT PROCEDURES
• Inquiry
• Observation
• Inspection
• Tracing transactions through the information system relevant to financial reporting (walk-through)
DOCUMENTATION
• PSA 315 requires the auditor to document the
following
a. The discussion among the engagement
team and the significant decisions
reached
b. Key elements of the understanding
obtained regarding
Each of the aspects of the entity and
its environment
Each of the internal control
components
Sources of information from which the
understanding was obtained
Risk assessment procedures
performed
DOCUMENTATION
• The evaluation of the design of identified controls, and determination of whether such controls have been implemented
• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including
Significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate evidence
The rationale for the significant judgments made.
FORM AND CONTENT OF AUDIT DOCUMENTATION
• FLOWCHARTS
• NARRATIVE DESCRIPTIONS
• INTERNAL CONTROL QUESTIONNAIRE
• RISK AND CONTROL MATRICES
• POLICY AND PROCEDURE MANUALS
AREAS OF INTERNAL CONTROL
Administrative control – promote operational
efficiency and adherence to managerial policies.
Accounting control – involves systems of
authorization and approval controls over assets,
internal audits and all other financial matters.
ACCOUNTING SYSTEM
• It means the series of tasks and records of an entity by which
transactions are processed as means of maintaining financial
records.
INTERNAL CONTROL SYSTEM
• It means all policies and procedures adopted by the
management of an entity to assist in achieving management’s
objective of ensuring, as far as practicable
Orderly and efficient conduct of its business, including
adherence to management policies
Safeguarding of assets
Prevention and detection of fraud and error
Accuracy and completeness of the accounting records, and
Timely preparation of reliable financial information
ENTITY-WIDE CONTROLS
• They operate across the whole organization and affect
numerous business processes, accounts, transactions, and
assertions. The ineffectiveness of these controls may have
pervasive effects on the organization.
TRANSACTION CONTROLS
• They operate only at a certain level or department in an organization and thus affect only certain business processes, accounts, transactions, and assertions. The ineffectiveness of these controls may not have pervasive effects on the organization.
PARTIES AFFECTING INTERNAL CONTROL
• Internal Parties
• External Parties
MAKE A PRELIMINARY ASSESSMENT OF CR
High or Maximum Level
• Missing controls
• Weak controls
• Strong controls but it is not efficient to test effectiveness
Less than High or Below Maximum Level
• Controls may be reliable or strong
DETERMINE THE APPROPRIATE RESPONSE AT RISK ASSESSMENT
At FS level
• Increase in professional skepticism (rely less on internal documents)
• Increase in experienced team members
• Increase the unpredictability of audit procedures
At Assertion level
• CR = HIGH, no Test of Controls anymore. Go to substantive testing
• CR = LESS THAN HIGH, perform Test of Controls
TEST OF CONTROL
• It is an audit procedure
designed to evaluate the
operating effectiveness of
controls in preventing, or
detecting and correcting,
material misstatements at
the assertion level
SPECIFIC PROCEDURES TO TEST OF CONTROLS
• Inquiry
• Inspection
• Observation
• Reperformance
TEST OF CONTROLS FOR RECURRING AUDITS
• If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit.
• If there have not been changes, the auditor shall test the controls at least once in every third audit and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single period with no testing of controls in the subsequent two audit periods.
SIGNIFICANT RISK
• In exercising judgment as to which risks are significant risks, the auditor shall consider the following:
Whether the risk is a risk of fraud.
Whether the risk is related to recent significant economic, accounting or other development and, therefore, requires specific attention.
The complexity of transactions
Whether the risk involves significant transactions with related parties
The degree of subjectivity in the measurement of the financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty
Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual
COMPENSATING CONTROL
• It is a measure that is put in place to mitigate the risk associated with weakness or deficiency identified in the primary control.
REASSESS CONTROL RISK
PRELIMINARY ASSESSMENT   TEST OF CONTROLS   REASSESSMENT
LESS THAN HIGH           RELIABLE           LESS THAN HIGH, DECREASE ST
LESS THAN HIGH           NOT RELIABLE       CR IS NOW HIGH, INCREASE ST
DETERMINE NATURE, TIMING, AND EXTENT OF SUBSTANTIVE TESTING
          CR = HIGH                                 CR = LESS THAN HIGH
NATURE    MORE EFFECTIVE PROCEDURES                 LESS EFFECTIVE PROCEDURES
TIMING    ON YEAR-END OR NEAR BALANCE SHEET DATE    INTERIM TESTING
EXTENT    MORE EXTENSIVE (LARGER SAMPLE SIZE)       LESS EXTENSIVE (SMALLER SAMPLE SIZE)
COMMUNICATION OF IDENTIFIED DEFICIENCIES
DEFICIENCY IN INTERNAL CONTROL
• Requirement: Determine based on the audit work performed, whether, individually or in combination, they constitute significant deficiencies
SIGNIFICANT DEFICIENCY IN INTERNAL CONTROL
• Requirement: Communicate in writing significant deficiencies in internal control identified during the audit on a timely basis to:
Management at the appropriate level of responsibility
TCWG (unless all of TCWG are involved in managing the entity)