The need in evaluating internal control is for Internal Control System is broader than the

efficiency. Effective internal control reduces Accounting System.

the possibility of fraud and error, leading to a
Parties Responsible for the Internal
more reliable information and less extensive
Control System
substantive testing or procedures.
 Management and those Charged
Internal control is the process effected by the with Governance
entity’s personnel for the achievement of its  The board of directors and
objectives such as: (REC) audit committee have the
responsibility in creating
 Reliability of financial reporting.
adequate internal controls
 Effectiveness and efficiency of
system.
operations; and
 The (top) management has the
 Compliance with applicable laws and
primary responsibility in
regulations.
developing, implementing, and
There will always be a control risk due to maintaining the internal
inherent limitations and that internal control controls.
can only provide reasonable assurance.  Internal auditors
 Ensures that the internal
Inherent limitations (COC IHR) controls are in line with the
 Cost-benefit consideration. achievement of its objectives
 Overriding of control by the through evaluation.
management.  Identify control problems and
 Collusion between third parties or develop solutions.
employees in circumventing the  External auditors
controls.  Assess the effectiveness of
 Inadequacy of controls due to internal controls to plan the FS
changes in condition. audit.
 Human error.  Focus primarily on controls
 Controls tend to be directed to routine that materially affect financial
transactions and not on non-routine reporting.
transactions.  Have responsibility to report
Areas of Internal Control: internal control weaknesses to
 Administrative Control the audit committee and BOD
 Includes plan, procedures and and recommend for
records relating to decision improvement.
processes in the authorization Corporate Governance
of transactions and  A system of direction, feedback, and
organization of the entity. control using regulations, performance,
 Use to promote operational standards, and ethical guidelines
efficiency and adherence to directed towards board of directors and
management policies. senior management in ensuring their
 Accounting Control ethical behaviors and responsibilities
 Includes plan, procedures and toward their shareholders or members.
records in safeguarding assets
and the reliance of financial Purpose: To maximize the organization’s
records. long-term success, thereby creating
 Involves system of sustainable value for its shareholders or
authorization and approval members.
control over assets, internal
Components of Internal Control (CRIME)
audit, and all other financial
 Control Environment
matters.
 Risk Assessment Process
  Information and Communication  Identifying business risks relevant to
Systems the financial reporting objectives.
 Control Activities  Assessing the likelihood of their
 Monitoring occurrence.
 Deciding how to manage those risks.
Indirect Controls
 Does not have a direct control in the MONITORING
components of financial statements.  The process of assessing the quality,
 Not enough to prevent, detect, or design, effectiveness, and operations
correct misstatements at assertion of internal controls on a timely basis
level. and taking necessary corrective
 Supports the direct controls. actions.

Direct Controls Can be accomplished through:

 Used in processing items in the  Ongoing monitoring activities.
financial statements.  Separate evaluations.
 Precise enough to address risks of  Combination of the two.
material misstatement at assertion
level. INFORMATION SYSTEM
 Enables the entity to generate timely
CONTROL ENVIRONMENT and meaningful information.
 Set the standards, processes, and
Consists of: (OPIIS)
structures as a basis of the internal
 Infrastructure
control.
 Software
 Foundation of an effective internal
 People
control systems.
 Input or data
 If deemed effective, auditor should
 Output
proceed to test and understand other
components. If ineffective, control risk COMMUNICATION
is assumed at maximum level. Thus,  Involves providing an understanding
proceed to substantive tests. of individual roles and responsibilities
Relevant elements of control environment in relating to financial reporting.
obtaining an understanding of internal control:
 Management’s commitment to Communication between:
integrity and ethical values.  People within the entity.
 TCWG’s independence from  Management and those charged with
management and exercise oversight governance.
of the entity’s system of internal  External communications, such as
control. those with regulatory authorities.
 Assignment of authority and
CONTROL ACTIVITIES
responsibility.
 Are policies, procedures, and
 Attraction and development of
standards that help the management
competent individuals.
in achieving its objectives.
 Individuals are held accountable for
 May be preventive or detective in
their responsibilities.
nature and may be performed in all
RISK ASSESSMENT PROCESS levels of the organization.
 Process for identifying and responding
Examples of control activities: (APIPS)
to business risks and the results
 Authorization
thereof.
 Specific (need to be
The auditor shall obtain an understanding of authorized in each level; for
whether the entity has a process for: (BOM) nonroutine transactions)
  General (for routine Regardless of a low or high assessed control
transactions) risk, substantive test is a required procedure.
 Performance reviews
 Information processing Preliminary assessment of control risk.
 Physical Controls  Based on the understanding of design
 Segregation of duties (A RICE) and implementation of internal control.
 Authorization
 Recording Indication of Assessment and
 Independent checks Continuation of Procedures
 Custody  High Control Risk
 Execution  Proceed to substantive tests.
 Non-reliance to controls.
Audit Procedures in Internal Control  Low Control Risk
Consideration: (IOI)  Proceed to test of controls.
 Inquiry  Reassessment of control risk
 Observation based on test of controls:
 Inspection o High, substantive test.
 Walk-through test o Low, less substantive
test.
Note: Do not associate analytical procedures
in internal control. Only in planning, Note: Test of control is required once every 3
substantive, and completing. years, even after previous consecutive years
of low control risk with no significant changes
I. UNDERSTANDING OF INTERNAL in controls. If it involves significant risk, test of
CONTROL control is required in a low control risk, no
Design of internal controls. matter what year.
 Assess the existence of policies and
procedures in the internal control. Significant risk
 Inquiry and inspection.  Risk that requires special audit
considerations.
Implementation of policies and procedures.
 Performance of policies and If substantive testing is not enough to obtain
procedures. sufficient appropriate evidence, perform test
 Inquiry and observations. of controls.

With audit trail (documented), inquiry and Required documentation:

design.  Understanding of internal control.
Without audit trail, inquiry, and observation.  Control risk assessment.
 Basis of conclusion in the
Note: In implementing an understanding of ultimate/final assessment of less than
internal control, focus on the design and high control risk and substantive test.
implementation. Evaluation of operating
effectiveness begins in the test of controls. The auditor has the responsibility to
communicate any material weaknesses to the
Required documentation of procedures management and with those charged with
performed, information obtained, and governance at an appropriate level.
conclusion.
Walk-through test, a form of observation and
confirmation in the understanding and
documentation of processes performed.

II. PRELIMINARY ASSESSMENT OF

CONTROL RISK