AUD 610

System of Internal Controls

Introduction
Internal control is the responsibility of the
mgt and BOD, not the auditors.
As part of performing a financial statement
audit, the auditor is required to obtain an
understanding of the accounting and internal
control system consisting of:

Accounting system
Control environment
Control procedures

Importance of Internal Control

The scope and size of business has become
so
complex
and
widespread
that
management must rely on numerous reports
and analyses to effectively control operations.
The checks and reviews inherent in a good
system of internal control afford protection
against human weaknesses and reduce the
possibility that errors or irregularities will
occur.
It is impractical for auditors to audit most
companies within economic fee limitations
without relying on the clients system of
internal control.

Fundamental Concepts of
Internal Control
Internal control is a process, consisting or a
series of actions that are pervasive and
integrated with an entitys infrastructure.
Internal control is effected by people.
Internal control can be expected to provide
only reasonable assurance, not absolute
assurance (due to inherent limitation in IC).
Internal control is geared to the achievement
of objectives in the overlapping categories of
fin reporting, compliance and operations.

Elements of the Control

Structure
Control environment
Managements risk assessment
Accounting System
Control Activities
Monitoring

Control Environment
Integrity and ethical values
Commitment to competence
Managements philosophy and operating style
Organizational structure
Board of directors and audit committees
Assignment of authority and responsibility
Internal audit
The use of information technology
Human resources policies and practices

Control Activities
Information processing controls

General Controls
Application Controls

Physical controls

Transaction authorization
Segregation of duties
Accounting records
Access controls
Supervision
Independent verification

Segregation of duties
Custody from accounting
Authorization from custody
Operational responsibility from recordkeeping
Separation of duties within EDP

System analyst
Programmer
Librarian
Computer operator
Data control group

Inherent Limitations
Cost vs benefit considerations
IC tend to be directed at routine
transactions
Human error
Collusion
Management override
Communication breakdown

Proper Authorization of
Transactions and Activities
General

Mgt establishes policies for orgn to follow

E.g fixed price lists, customer credit limit, fixed
reorder points etc

Specific

Has to do with individual transactions

E.g authorization on a case by case basis such as
loan approvals by banks

Authorization

Policy decision for either a gen class of

transactions or specific transactions.

Approval

Implementation of mgts gen authorization

decisions

Application to Smaller Entities

Applicable to all entities of all sizes.
However, degree of formalities and manner in
which components are implemented may vary
Smaller entities are less likely to have written
code of conducts, external directors, formal
policy manuals, sufficient to personnel to
provide adequate segregation of duties and
internal auditors.
But they may have compensating controls by
fostering a culture of integrity, ethical values
and competence as well as close supervision
by the owner managers

Assessing Control Risk

Obtain understanding of accounting and
internal control system
Assess control risk (preliminary
assessments)
Design and perform tests of controls
Decide PDR and substantive tests

Procedures to Gain an
Understanding
Inquiries of appropriate management,
supervisory and staff personnel.
Reviewing previous experience with
entity.
Inspecting documents and records
Observing entity activities and
operations

Procedures to Gain an
Understanding-continued
Documenting the understanding

Questionnaire
Flowchart
Narrative memoranda
Checklists

Confirm

Walkthrough test

Control Risk Assessment

Purpose

Evaluating the effectiveness of the design and

operation of an entitys Ics in preventing and
detecting material misstatements in FS.
Obtain sufficient understanding for planning
Assess control environment
Assess design effectiveness of control procedures
Not cost effective
CR = Max
No controls
CR = Max
Yes

Control Risk Assessment continued

In evaluating design effectiveness in order to
make a preliminary assessment of control risk
for an assertion, auditor has to:

Identify potential misstatements

Identify the necessary controls
Evaluate the evidence and make the assessment

Yes, control exist

Perform TOC
Revise CR based on TOC

Test of Controls
General Procedures
Inspection of documents
Inquiries
Observations
Reperformance of control procedures

Test of Controls
To obtain audit evidence about the
effectiveness of the

Design of the accounting and internal

control system
Operation of the internal control
throughout the period

Factors for Effectiveness of

Operations
How they were applied?
The consistency with which they were
applied during the period?
By whom they were applied?

Timing of Test of Controls

Planned test of controls are performed during
interim work
The need to perform additional tests of
control later in the year depends on:

The length of the remaining period

The occurrence of significant changes in controls
subsequent to interim testing, causing the auditors
to revise his or her understanding of the ICS.
The decision of perform substantive tests of
details on balances before the year end (e.g
confirmation of AR), thus requiring assurance that
controls remained effective in the period between
the date of substantive procedures and year end.