Chapter 11: Risk Assessment Part III

Consideration of Internal Control in

a Financial Statement Audit

Reported By: Anna Bianca Estrada, CPA

https://www.freeppt7.com
Nature & Purpose of
Internal Control
Internal control is the process designated and
effected by those charged with governance, management
and other personnel to provide a reasonable assurance
about the achievement of the entity’s objectives with
regard to reliability of financial reporting, effectiveness
and efficiency of operations and compliance with
applicable laws and regulations.
OBJECTIVES OF INTERNAL CONTROL FALLS INTO THREE:

Effectiveness and efficiency

Com
y’s plian
entit of operations ce w
o f the Law ith a
bility port
ing s an pplic
Relia re d reg able
n cial ulati
Fina on
Internal Control System

- means all the policies and procedures (internal controls) adopted by the management of an entity to
assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient
conduct of its business, including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, and the accuracy and completeness of the accounting
records and the timely preparation of reliable financial information.
5

Making money is art and working is art

The internal control system extends beyond these matters which relate directly to functions
and good business the best art.
Of the accounting system and consists of the following components

A. The control C. The information

environment system
E. Monitoring of controls

B. The entity’s risk D. Control

assessment activities
 Control Environment
Create Account -means overall attitude, awareness, and actions of directors and management
regarding the internal control system and its importance in the entity. The control
Email Address

Control Environment

Country environment has an effect on the effectiveness of the specific control

Your text

procedures. A strong control environment, for example, one with tight budgetary
City

Your city
controls and an effective internal audit function, can significantly complement
Password

Entry password
specific control procedures.

R E G is T er
Factors affected in the control environment Google Slides

The function of the board of directors and it’s committees

Management’s philosophy and operating style

The entity’s organizational structure and methods of assigning authority and responsibility

Management’s control system including the internal audit function, personnel

policies and procedures and segregation of duties
 Several factors comprise the control
environment

Communication and Enforcement of

Integrity and Ethical values
Participation by those
Commitment to competence
charged with Governance

Management’s Philosophy Organizational Assignment of authority Human resources policies and

and operating style structure and responsibility procedures
Risk Assessment Process
Risk assessment is the identification, analysis and
management of risks pertaining to the preparation of financial
statements”. For example risk assessment may focus on how
the entity considers the possibility of transactions not being
recorded or identifies and assesses significant estimates
recorded in the financial statements.

For financial reporting purposes, the entity’s risk assessment

process includes how the management identifies risk relevant
to the preparation of financial statements that are presented
fairly, in all material respects in accordance with the entity’s
applicable financial reporting framework, estimates their
significance, assesses the likelihood of their occurrence, and
decides upon actions to manage them.
Changes in operating New Personnel Rapid growth New or revamped New technology
management information system

New business models, Corporate Expanded foreign New accounting

product or activities restructuring operations pronouncements
Information System, including Business
Processes, Relevant to Financial Reporting and Communication

An information system consists of infrastructure (physical and hardware

components) software people, procedures and data. Infrastructure and software will
be absent, or have less significance, in systems that are exclusively or primary
manual. Many information systems make intensive use of IT.
Business processes result in the transactions that are recorded processed and reported by the information system.

Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions

• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting
• Measure the value of transactions in a manner that permits recording their proper monetary value in financial statements
• Determine the time period in which the transactions occurred to permit recording of transactions in the proper accounting
period.
• Present properly the transactions and related disclosures in the financial statements

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over
financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information
system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity.
 Google Slides

CONTROL ACTIVITIES
- Are the policies and procedures that held ensure that management directives are carried
out, for example, the necessary action are taken to address risks that threaten the
achievement of the entity’s objective.

A. Performance Review

B. Information Processing controls

● Segregation of Duties
● Adequate documents and records
● Safeguards over access to assets . and
● Independent checks on performance

C. Physical Controls
Control activities related to the processing of transaction maybe grouped as follows: Google Slides

Proper authorization of transactions and activities – Before a transaction is entered into with another party
certain conditions must usually be met. As part of the evaluation of potential transaction, documentation will
be created.

Segregation of duties – means no person should be assigned duties that would allow the person to
commit an error or fraud.

The use of adequate documents and records allow the company to obtain reasonable assurance that all
valid transactions are documented.

Access to resources – The resource of a client can be protected by the establishment of physical barriers and
appropriate policies

Independent checks on performance – this is accomplished by periodic counts of assets by the client and
comparing counts to the balances in the general ledger account
MONITORING OF CONTROLS
Monitoring the final component of internal control, is the process of that an entity uses to
assess the quality of internal controls over time. Monitoring involves assessing the design
and operation and controls on a timely basis and taking corrective action if necessary.
Management monitors controls to consider whether they are operating as intended to
modify them as appropriate for changes in conditions. In many entities, internal auditors
evaluate the design and operation of internal control and communicate information about
strengths and weaknesses and recommendations for improving internal control.
In assessing control risk, the auditor must
consider the design of controls whether they
have been placed in operation, and, if they are
in use, effectiveness.

A. To assess control risk below maximum, an auditor

identify, relevant to each assertion, the specific
controls that are likely to prevent or detect material
misstatements in those assertions
B. To evaluate effectiveness of controls that have been
placed in operation, the auditor performs tests to
determine that they are being applied.
 Google Slides

I.INTERNAL ACCOUNTING CONTROL QUESTIONNAIRE

- Internal accounting control questionnaire contains series of questions designed to detect control weaknesses.
Most questionnaires are designed to yield “yes”, “no” or “not applicable” answers to questions.
- Negative answers – indicate weaknesses in a control, they should be completed on a separate weakness
investigation worksheet.
- If material, then it should be reported to a senior management, the board of directors and the audit committee.’

In completing the internal control questionnaire, the auditor should consider the following aspects:
1. Is the system of internal control sound?
2. If it is not reliable, what errors might occur
3. What alternative audit procedures should be adopted?
INTERNAL CONTROL QUESTIONNAIRE
Advantages: Disadvantages:
1. They provide audit assurance that attention is given 1. Auditor may view the questionnaire device
to presence or absence of all controls listed that for accomplishing in automatic evaluation of
certain features of the system are not overlooked. internal control
2. They provide a means of obtaining uniform 2. Controls listed on questionnaires may not
documentation internal control system reviewed. suit the particular circumstances of a
3. They provide inexperienced audit staff members specific audit
with guidance in performing internal control 3. The auditor may overlooked pertinent control
reviews not included in the questionnaire.
4. They facilitate the early detection of potential
weaknesses in the system
FLOWCHART

Flowchart is a symbolic diagram of a specific part of an

internal accounting control system indicating the
sequential flow of data and/or authority. An internal
control flowchart uses standardized symbols,
interconnecting lines, and annotations to represent
information, documents and document flow. It illustrates
the interaction of individuals, records and controls
related to a particular department or class of
transactions.
22

Advantages: Disadvantages:
1. Easily understood 1. Higher level of knowledge and training are
2. Better overall picture or complex system required to prepare a good flowchart
system
3. Parallels EDP documentation
2. Flowcharts take more time to prepare and
4. It is easy to update
require more knowledge
3. It is more difficult to spot internal control
weaknesses
 A primary purpose of the internal control flowchart is
to communicate effectively. The following techniques
Create Account should assist in meeting this goal:
Email Address

· Standardized symbols
Country

Your text

City
· Flow lines
Your city

Password

Entry password
· Documents
R E G is T er

· Processing
· Annotations
The following guidelines may be useful in preparing a
flowchart:
1. Determine the class of transactions or transaction cycle
to be flowcharted
2. Obtain an understanding of internal controls.
3. Organize the flowchart into columns, using a different
column for each department, function or individual. Draw
a sketch of flowchart
4. Draw the flowchart and insert comments and
annotations
5. Test the flowchart for completeness by following a few
transactions through the chart.
III. NARRATIVE DESCRIPTION

A narrative is a written description of a particular phase or phases

or control system. Although useful for describing simple systems,
narratives may be adequate when a system is complicated or
frequently revised. If the systems are extensive or complex,
separate narratives may be prepared for smaller group of controls
which relate to specific classes of transactions or accounts.
Advantages: Disadvantages:

1. Narrative is flexible and may be 1. Auditor may not have the ability to describe
tailor-made for engagement. the system correctly and concisely.
2. Requires a detailed analysis and thus 2. This may require more time and careful study
forces auditor to understand functioning 3. Auditor may overlook important portions of
of the system internal control system.
4. A poorly written internal control narrative can
lead to a misunderstanding of the system thus
resulting in the improper design and
application of compliance tests.
 IV. INTERNAL CONTROL CHECKLIST

This contains a detailed enumeration of the methods

Create Account and practices which characterize good internal
control or of item to be considered in reviewing
Email Address

internal control.
Country

Your text

City

Your city

Password

The checklist basically provides only a guide to

Entry password

R E G is T er

review the internal control of the auditee and does

not represent a record of the auditor’s findings. In
most cases therefore, this tool is used together with
the narrative approach.
V. DECISION TABLES

In this approach, the system is depicted as decision points.

Advantages and disadvantages are similar to those of the
flowchart approach.
35

HOW ADEQUACY AND INADEQUACY OF INTERNAL CONTROL AFFECTS AUDIT

PROCEDURES
The primary reason for studying internal control is to provide a basis for relying upon the system and for determining the
extent of year end substantive to be performed. There is an inverse relationship between the effectiveness of internal
control and the extent of detailed audit procedures; more effective systems require less detailed testing. Strengths and
weaknesses identified during the evaluation of internal accounting control and tests of compliance will affect the nature,
timing, and extent of audit procedures.
Furthermore, if additional evidence indicates that theme are irregularities which may materially affects the financial
statements, it may be appropriate for the auditor to: s
1. Qualify his opinion or disclaim an opinion based on an uncertainty conditions and/or
2. Consider withdrawing from the engagement and notifying the board of directors in writing the reason for the
withdrawal
COMMUNICATIONS OF PERFORMANCE, IMPROVEMENTS AND OBSERVATIONS IN INTERNAL CONTROL TO
MANAGEMENT

As a result of obtaining an understanding of the accounting and internal control systems test of control, the auditor may
become aware of weaknesses in the systems. The auditor should make management aware, as soon as
practical and at an appropriate level of responsibility, of material weaknesses in the design of operation of the accounting and
internal control systems, which have come to the auditor’s attention. The communication of management material weaknesses
would ordinarily be in writing. However if the auditor judges that oral communication is appropriate, such communication would be
documented in the audit working papers.

Management letter may be made that will contain constructive suggestions or improvements in internal control or other suggestions
for increased efficiency in operations. This letter is considered a byproduct rather than the aim of the audit
and is often completed sometime after the completion of field work.
 REPORTABLE CONDITIONS

These are the matters coming to the auditor’s

Create Account
attention that, in his judgment, should be
Email Address
communicated to the audit committee because they
Country represent significant deficiencies in the design or
operation of the internal control structure, which
Your text

City

Your city

could adversely affect the organization’s ability to

record, process, summarize, and report financial data
Password

Entry password

R E G is T er
Deficiencies in internal control structure design. Failures in the operation of the internal control procedures
· Inadequate overall internal control structure design · Evidence of failure of identified controls in preventing or
detecting misstatements of accounting information
· Absence of appropriate segregation of duties
consistent with appropriate control objectives · Evidence that a system, fails to provide complete and
accurate output consistent with the entity’s control
· Absence of appropriate reviews and approvals of
objectives because of the misapplication of control
transactions, accounting entries or systems output
procedures
· Inadequate procedures for appropriately assessing
· Evidence of failure to safeguard assets from loss, damage
and applying accounting principles.
or misappropriation

Others
· Absence of sufficient level of control
consciousness within the organization
· Failure to follow up and correct previously
identified internal control structure deficiencies
REPORTING – FORM AND CONTENT

Conditions noted by the auditor that are considered

reportable under this section or that result or agreement with
the client should be reported, preferably in writing, if
information is communicated orally, the auditor should
document the communication by appropriate memoranda or
notations in the working papers
40

Any report issued on reportable conditions should:

· Indicate that the purpose of the audit was to report on the financial statements and not to
provide assurance on the internal
Making control
money structure
is art and working is art
and good business the best art.
· Include the definition of reportable conditions
· Include the restriction on distribution
Note: if reportable condition is of such magnitude as to be a material weakness, the report can
identify it separately as a material weakness. If no reportable conditions are found, an auditor may
not issue a letter stating that.
THANK YOU!