9.401 Auditing
Chapter 9
The Study of Internal Control and
Assessment of Control Risk
Generally Accepted Auditing
Standard

5100.02 (ii)
A sufficient understanding of
internal control should be obtained to plan the
audit. When control risk is assessed below
maximum, sufficient appropriate audit evidence
should be obtained through tests of controls to
support the assessment. [Oct. 1992]
Internal Control
consists of the
policies and procedures
established and maintained by
management
to assist in achieving its objectives
Those objectives are…
Effectiveness and efficiency of operations

safeguarding of assets

Prevention and detection of fraud
2) Reliability of financial reporting
3) Compliance with applicable laws,
regulations and policies
As far as is practical. Mgmt can and should
consider consequences and risks of noncontrol and costs of control
implementation.
1)
Factors Affecting Internal Control






The entity’s size
The entity’s organization and ownership
characteristics
The nature of the entity’s business
The diversity and complexity of the
entity’s operations
The entity’s methods of transmitting,
processing, maintaining, and accessing
information
Applicable legal and regulatory
requirements
Criteria of Control (COCO)
Board of the CICA
Purpose
Commitment
Monitoring &
Learning
Action

Capability
A person performs a task guided by an understanding of its
purpose (the objective to be achieved) and supported by capability
(information, resources, supplies, and skills). The person will need
a sense of commitment to perform the task well over time. The
person will monitor his or her performance and the external
environment to learn about how to do the task better and about
changes to be made. The same is true of any team or work group
Elements of Internal Control
 Elements
of internal control include:
Control environment
 General computer control systems and
procedures
 Accounting System
 Accounting System Control Procedures

Control Environment


the collective effect of various factors on establishing,
enhancing or reducing the effectiveness of internal control
policies and procedures
. Such factors include:
 Management Philosophy and Operating Style;
 The functioning of the board of directors and internal
control, particularly the audit committee;
 Organizational Structure;
 Methods of Assigning Authority and Responsibility;
 Management Monitoring Methods; Internal Audit; and
Personnel Policies and Practices
 Management reaction to external Influences
 Systems Development Methodology
Control Environment


Reflects the overall attitude, awareness, commitment and
actions of management concerning the importance of
internal control and its emphasis in the entity.
Strengths and weaknesses in control environment factors are
likely to have a pervasive effect on the financial statements.
 An effective control environment interacts with control
systems. It may reduce the impact that the absence of
certain control systems might otherwise have. It also
strengthens the impact of controls in place.
 An ineffective control system may impair the
effectiveness of control systems.
General computer control
systems
Establish controls over info system
processing activities
 Affect multiple classes of transactions

General computer control systems
General Control
Means…
System
Org and Mgmt controls -policies and procedures are
established
-programmer and operator functions
separate
Systems acquisition,
-policies and procedures to ensure
development and
systems are authorized, efficient and
maintenance controls
function according to objectives
Operations and
-system should be available and
Information Systems
used for authorized purposes
Support
(=training, documentation,
controlled access, backup and
The Accounting System
= the policies and procedures involving the
 Collection
 Transcribing
 Processing
 And reporting of data
Accounting System Control
Procedures
= policies and procedures that enhance the reliability
of accounting data
 Occurrence
 Completeness
 Accuracy (valuation), Posting
 Classification
 Timing
-often involves “checks”, “reconciles”, “compares”,
“verifies”, “ensures”…..
Segregation of duties
Ensures that no-one is in a position to
commit or profit from an error/fraud and
cover it up.
 To work, these duties MUST be separate:
 Authorization of transaction
 Custody of assets (including cheques,
cash, inventory etc.)
 Recording of transaction
 Periodic reconciliation

Other Controls
Proper Authorization (general or specific)
 Adequate documents
 Prenumbered or sequentially numbered +
follow-up of missing items
 Prepared on a timely basis
 Sufficiently simple, easy to fill out

Other Controls



Safeguards over access to and use of assets
Safeguards over access to and use of records
 Physical and logical
Independent verification of performance and
accuracy of recorded amounts
 Inventory counts, bank recs.
 Input or output checks (eg. Check digits,
reasonableness limits)
 Comparison of documents, quantities, prices
Acquiring Understanding of IC

At minimum, auditor must acquire
understanding of:
 Control environment
 General computer control systems and
procedures
 Accounting System
Purpose of Understanding IC
1)
2)
3)
Assess auditability (depends on mgmt integrity,
adequacy of record and general controls)
Familiarity with client to facilitate audit:

Major classes of transactions

How they’re initiated

What records and documents exist

How transactions are processed and
reported
Therefore, helps auditor design tests and
identify potential misstatements
Assess Preliminary Control Risk
Further Investigation of IC
If auditor believes reliance on IC (ie.
CR<100%) may be possible AND efficient,
investigate further the control procedures in
place
 Make preliminary assessment of Control
Risk

Preliminary Assessment of CR
1)
2)
3)
Identify transaction audit objective
(existence/occurrence, completeness etc.)
Identify specific controls

remember effects of control environment
and general computer controls
Identify and evaluate weaknesses
o
Determine potential misstatements that
could occur and effect on audit
o
Consider compensating controls
How to investigate IC
Update and evaluate previous working papers
Inquiries of Client Personnel
Read client policy and systems manuals
Examine documents and records: perform
transaction walk-through
Observe activities and operations
Documenting the Understanding of the Internal
Control
A number of tools are available to the auditor
for documenting the understanding of the
internal control including:




Copies of the entity's procedures manuals and
organizational charts
Narrative descriptions
Internal control questionnaires
Flowcharts
Further Investigation of IC



If preliminary CR<100%, perform tests of controls
on KEY CONTROLS to ensure:
 Control was operating as described, with
sufficient effectiveness, throughout period of
reliance
Tests may include:
 Inquiry of personnel (requires corroboration)
 Examine documents, records, reports
 Observe activities (eg. Segregation of duties, test
data)
 Reperform procedures if possible
If control is computerized, test and ensure controls
exist over changes to program
Direction of the Test of Controls
Audit Procedures
File of
recorded sales
(sales journal)
File of
shipping
documents
Validity
direction
Completeness
Direction
Evidence
Sample
selection
Vouch to
shipping documents
Trace to recorded sales
Sample
selection
Evidence
Further Investigation of IC
Revise preliminary control risk with results
of tests of controls
 Calculate detection risk and design
substantive procedures
 Combined approach = reliance on both IC
and substantive procedures
 Substantive approach = no reliance on IC
as either unjustified or inefficient

Audit Cost Trade - off
Audit Cost Tradeoff
Audit cost
Year end audit work
cost
Internal control
evaluation cost
Total Cost
High
Medium
Control Risk Assessment
Low
Communications with the Client




Systems improvements are communicated to the
client by the management letter, which is written at
the end of field work
Section 5220 requires communication of all
significant internal control weaknesses
Section 5750 “Communication of Matters Identified
During the Financial Statement Audit” eg. Fraud or
illegal acts
5220 and 5750 don’t have to be in writing
Communicating Internal Control Weaknesses
Reportable conditions
 Absence of appropriate segregation of duties
 Absence of appropriate reviews
and approvals of transactions
 Evidence of failure of control
procedures
 Evidence of intentional
management override
 Evidence of willful wrong doing
by employees or management, including manipulation,
falsification or alteration of accounting records
Material Weaknesses
A material weakness in internal control is defined as a
reportable condition in which the design or operation of
one or more of the specific internal control elements
does not reduce to a relatively low level the risk that
errors or irregularities in amounts that would be material
in relation to the financial statements being audited may
occur and not be detected within a timely period by
employees in the normal course of performing their
assigned functions (AU 325.15).
Limitations of Internal Control





Human failures such as simple errors or mistakes
Management override
Collusion
Cost/benefit
Unusual transactions
Because of these limitations, as long as the
item is material, it is generally necessary to
do at least some substantive testing.