Audit 5 PDF - Internal Control Study
Summary
This document provides a study of internal control, covering various aspects such as introduction, definitions (internal control, COSO), and the components of internal control. It also covers examples of economic decisions and internal control procedures.
Full Transcript
CHAPTER 5
STUDY AND EVALUATION OF INTERNAL CONTROL

INTRODUCTION
PSA 315 (Redrafted) provides that the auditor shall obtain an understanding of internal control relevant to the audit. The objectives of the auditor in obtaining an understanding of the client’s internal control are to:
1. Identify types of potential misstatements in the financial statements.
2. Identify factors that affect the risk of material misstatements in the financial statements.
3. Design the nature, extent and timing of further audit procedures (tests of controls and substantive tests).

INTERNAL CONTROL DEFINED
Internal Control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Internal Control is a Process
Internal Control Involves People
Internal Control Provides Reasonable Assurance
Internal Control is Geared Towards the Achievement of an Entity’s Objectives

Objectives fall into three categories: operations, financial reporting, and compliance. This categorization allows focusing on separate aspects of internal control.

Examples of Economic Decisions Made by Users of Financial Statements

Operations
Relating to effective and efficient use of the entity’s resources. These pertain to effectiveness and efficiency of the entity’s operations.
They vary based on management’s choices about structure and performance.

Financial Reporting
Relating to preparation of reliable published financial statements, including prevention of fraudulent public financial reporting. They are driven primarily by external requirements.

Compliance
Relating to the entity’s compliance with applicable laws and regulations. They are dependent on external factors. Tend to be similar across all entities in some cases and across an industry in others.

Internal Control System – consists of all the policies and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable information.

COMPONENTS OF INTERNAL CONTROL
Five inter-related components of internal control:
1. Control Environment
2. Risk Assessment Process
3. Control Activities
4. Information System and Related Business Processes Relevant to Financial Reporting and Communication
5. Monitoring of Controls

CONTROL ENVIRONMENT
Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. It includes the governance and management function and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

Elements of the Control Environment
1. Communication and Enforcement of Integrity and Ethical Values
2. Commitment to Competence
3. Participation by Those Charged with Governance
4. Management Philosophy and Operating Style
5. Organizational Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Practices

Communication and Enforcement of Integrity and Ethical Values
Integrity is a prerequisite for ethical behavior in all aspects of an enterprise’s activities. Integrity and ethical values are expressed through:
1. Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior.
2. Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors.
3. Pressure to meet unrealistic performance targets – particularly for short-term results – and extent to which compensation is based on achieving those performance targets.

Commitment to Competence
Competence should reflect the knowledge and skills needed to accomplish tasks that define the individual’s job. Commitment to competence is expressed through:
1. Formal or informal job description or other means of defining tasks that comprise particular jobs.
2. Analyses of the knowledge and skills needed to perform jobs adequately.

Participation by Those Charged with Governance
The control environment is influenced significantly by the entity’s board of directors and audit committee. Because of its importance, an active and involved board of directors, board of trustees or comparable body is critical to effective internal control.

Controls involving Board of Directors or Audit Committee include:
1. Independence from management, such that necessary, even if difficult and probing, questions are raised.
2. Frequency and timeliness with which meetings are held with chief financial and/or accounting officers, internal auditors and external auditors.
3. Sufficiency and timeliness with which information is provided to board or committee members, to allow monitoring of management’s objectives and strategies, the entity’s financial position and operating results, and terms of significant agreements.
4. Sufficiency and timeliness with which the board or audit committee is apprised of sensitive information, investigations and improper acts of officers.

Management’s Philosophy and Operating Style
This factor affects the way the enterprise is managed, including the kinds of business risks accepted.

Controls involving Management’s Philosophy and Operating Style:
1. Nature of business risk accepted
2. Frequency of interaction between senior and operating management
3. Attitudes and actions toward financial reporting

Organizational Structure
An entity’s organization structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled and monitored. Activities may relate to what is sometimes referred to as the value chain: inbound activities, operation or production, outbound, marketing, sales and services.

Controls involving organizational structure are expressed through:
1. Appropriateness of the entity’s organization structure, and its ability to provide the necessary information flow to manage its activities.
2. Adequacy of definition of key managers’ responsibilities, and their understanding of these responsibilities.
3. Adequacy of knowledge and experience of key managers in light of responsibilities.

Assignment of Authority and Responsibility
This element pertains to how an organization assigns authority and responsibility for operating activities, and how reporting relationships and authorization hierarchies are established.

Human Resources Policies and Practices
Human resources practices send messages to employees regarding expected levels of integrity, ethical behaviour and competence.
Such practices relate to hiring, orientation, training, evaluating, counselling, promoting, compensating and remedial actions.

Controls involving human resources policies and practices include:
1. The extent to which policies and procedures for hiring, training, promoting and compensating employees are in place.
2. Appropriateness of remedial action taken in response to departures from approved policies and procedures.
3. Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered to be unacceptable by the entity.
4. Adequacy of employee retention and promotion criteria and information-gathering techniques and relation to the code of conduct or other behavioral guidelines.

THE ENTITY’S RISK ASSESSMENT PROCESS
Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. All entities, regardless of size, structure, nature or industry, encounter risks at all levels within their organizations.

The goal of internal control in this area focuses primarily on:
Developing consistency of objectives and goals throughout the organization,
Identifying key success factors, and
Timely reporting to management on performance and expectations.

An entity’s risk assessment process is its process for identifying and responding to business risks and results thereof. The process of identifying and analyzing risk is an on-going iterative process and is a critical component of an effective internal control system.

Risk Identification
An entity’s performance can be at risk due to internal or external factors. Risk arises as objectives increasingly differ from past performance. It is important that risk identification be comprehensive.
It should consider all significant interactions between an entity and relevant external parties.

Examples of Economic Decisions Made by Users of Financial Statements

External Factors
Technological developments
Changing customer needs or expectations
New legislation and regulation
Natural catastrophes
Economic changes

Internal Factors
Disruption in information systems processing
Quality of personnel hired and methods of training and motivation
Change in management responsibilities
Nature of the entity’s activities and employee accessibility to assets
Unassertive or ineffective board or audit committee

Risk Analysis and Management
After the entity has identified entity-wide and activity risks, a risk analysis needs to be performed. The process includes:
1. Estimating the significance of a risk;
2. Assessing the likelihood of the risk occurring;
3. Considering how the risk should be managed.

Circumstances Demanding Special Attention
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New technology
New business models, products, or activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements

INFORMATION SYSTEM AND COMMUNICATION
Information system consists of infrastructure, software, people, procedures, and data. The information system relevant to financial reporting objectives, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process and report entity transactions. Processes which are part of the information system are recording, processing, and reporting.

An information system encompasses methods and records that:
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail.
3. Measure the value of transactions that permits their proper monetary value.
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
5. Present properly the transactions and related disclosures in the financial statements.

Information
Information is needed at all levels of an organization to run the business, and move toward achievement of the entity’s objectives in all categories. An array of information is used.

Information Quality
The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities. It is critical that reports contain enough appropriate data to support effective control.

Guide Questions – Quality of Information
Content is appropriate – Is the needed information there?
Information is timely – Is it where required?
Information is current – Is it the latest available?
Information is accurate – Are the data correct?
Information is accessible – Can it be obtained easily by appropriate parties?
All of these questions must be addressed by the system design.

Communication
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.

Means of Communication
Communication takes such forms as policy manuals, memoranda, bulletin board notices and videotaped messages.

CONTROL ACTIVITIES
Control Activities are policies and procedures, which are the actions of people to implement the policies, to help ensure that management directives identified as necessary to address risks are carried out.

Types of Control Activities
Control Activities can be divided into three categories, based on the nature of the entity’s objectives to which they relate: operations, financial reporting, or compliance.
1. Performance Reviews
2. Information Processing
3. Physical Controls
4. Segregation of Duties

1. Performance Reviews
These include:
Reviews and analyses of actual performance versus budgets, forecasts, and prior period performance;
Relating different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions;
Comparing internal data with external sources of information;
Review of functional or activity performance.

2. Information Processing
These controls are performed to check accuracy, completeness, and authorization of transactions.

Two Broad Groupings of Information Systems
General Controls
Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
Application Controls
Controls that apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.

3. Physical Controls
These activities encompass the physical security of assets, including adequate safeguards such as:
Secured facilities over access to assets and records;
Authorization of access to computer programs and data files;
Periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records).

4. Segregation of Duties
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunity to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
Policies and Procedures
Control activities usually involve two elements: a policy establishing what should be done and, serving as a basis for the second element, procedures to implement the policy.

Evaluation of Control Activities
Control activities must be evaluated in the context of management directives to address risks associated with established objectives for each significant activity.

MONITORING OF CONTROLS
Monitoring of Controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

The Need to Monitor Controls
Internal control systems change over time. The way controls are applied may evolve. Once-effective procedures can become less effective, or perhaps are no longer performed. This can be due to:
the arrival of new personnel,
the varying effectiveness of training and supervision,
time and resource constraints, or
additional pressures.

Methods for Monitoring Controls
Monitoring can be done in two ways: through ongoing activities or separate evaluations. Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree.
“The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations.”

Examples of Ongoing Monitoring Activities
1. In carrying out its regular management activities, operating management obtains evidence that the system of internal control continues to function.
2. Appropriate organizational structure and supervisory activities provide oversight of control functions and identification of deficiencies.
3. Training seminars, planning sessions and other meetings provide important feedback to management on whether controls are effective.

Issues to Consider – Ongoing Monitoring
1. Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function.
2. Extent to which communications from external parties corroborate internally generated information, or indicate problems.
3. Periodic comparison of amounts recorded by the accounting system with physical assets.

INHERENT LIMITATIONS OF INTERNAL CONTROL
1. Management’s usual requirement that a control be cost effective.
2. The fact that most controls tend to be directed at anticipated types of transactions and not at unusual transactions; the potential for human error due to carelessness, distraction, mistakes of judgement or the misunderstanding of instructions.
3. The possibility of circumvention of controls through collusion with parties outside the entity or with employees of the entity.
4. The possibility that a person responsible for exercising control could abuse that responsibility.
5. The possibility that procedures may become inadequate due to changes in condition and compliance and procedures may deteriorate.

RELEVANCE OF CONTROLS TO THE AUDIT
It is a matter of the auditor’s professional judgement whether a control, individually or in combination with others, is relevant to the auditor’s considerations in assessing the risk of material misstatement and designing and performing further procedures in response to assessed risks.

Factors Considered in Determining the Relevance of Controls to the Audit
1. The auditor’s judgement about materiality
2. The size of the entity
3. The nature of the entity’s business, including its organization and ownership characteristics
4. The diversity and complexity of the entity’s operations
5. Applicable legal and regulatory requirements
6. The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organizations.
INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT
The nature, extent and timing of the audit procedures to be performed in gathering audit evidence related to class of transactions, account balances and disclosures take their most significant momentum from a thorough understanding of the design and evaluation of the operating effectiveness of internal control.

An auditor’s approach in the study and evaluation of the client’s internal control generally consists of the following steps:
1. Obtain an understanding of the client’s internal control structure
2. Make a preliminary assessment of control risk
3. Determine the appropriate response to the assessed risks
4. Reassess control risk
5. Determine the nature, extent and timing of substantive tests

STEP 1 – OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL
The auditor should obtain and document an understanding of the client’s internal control sufficient to identify potential misstatement in the financial statements.

Obtaining an understanding of the internal control structure consists of the following:
1. Performing a preliminary review
2. Identifying transaction cycles
3. Documenting the system
4. Performing a transaction walkthrough
5. Identifying controls that are potentially reliable

Performing a Preliminary Review
In determining the level of understanding necessary to plan the audit, an auditor uses sources such as past experience with the client, and an understanding of the industry in which the client operates to determine the risk of material misstatements.

Identifying Transaction Cycles
Because the number and nature of transactions vary from industry to industry and from company to company, an auditor must identify each client’s major transactions.
The major transaction cycles in a commercial and industrial entity include:
Revenue/receivables/cash receipts cycle
Purchasing/payables/disbursements cycle
Payroll cycle
Production/conversion cycle
Financing and Investing cycle

Identifying transaction cycles based on common transaction flows provides the following advantages:
1. It enables the auditor to gain an adequate understanding of the flow of transactions from inception to conclusion, to make sure that he has identified all significant processes and has noted and evaluated each phase of the transaction flow.
2. It enables the auditor to better evaluate the impact of internal control (or lack of it) on specific financial statements items affected and, therefore, assists him in determining the nature, timing and extent of substantive tests.

Documentation of Understanding of Internal Control
Documentation is a means of ensuring that auditors comply with significant requirements of generally accepted auditing standards. The following audit processes require documentation:
1. The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement, and the significant decision reached;
2. The understanding obtained regarding each of the aspects of the entity and its environment, and each of the five internal control components in order to assess both the sources of information from which the understanding was obtained and several risks.

NARRATIVES
A narrative is a written description of a particular phase or phases of an accounting system.
INTERNAL CONTROL QUESTIONNAIRES
Internal Control Questionnaires consist of a series of questions designed to identify control points and techniques and detect control responses. Questionnaires require Yes, No, or Not Applicable responses.

FLOWCHARTS
Flowcharts constitute interrelated symbols which diagram the flow of transactions and events through a system, or portions thereof.

Combination of Methods
The auditor could use any combination of narratives, flowcharts, and/or questionnaires to document an entity’s internal control structure, thereby maximizing the advantages of each.

Comparison of the Methods
Narrative
Advantages: Can be tailor-made for engagement
Disadvantages: May become very long and time consuming
Internal Control Questionnaire
Advantages: Easy to complete, and strengths and weaknesses can be easily identified
Disadvantages: Questions may not fit the internal control structure adequately
Flowcharting
Advantages: Shows visual representation of the internal control. Usually unlikely that important portions of internal control will be overlooked
Disadvantages: Could be time consuming

Performing a Transaction Walkthrough
Following documentation, a single transaction for each major segment of the internal control structure is selected and followed, or walked through the accounting system. The purpose of a walkthrough is to verify narrative, questionnaire, and/or flowchart documentation and to familiarize the auditor with the audit trail. If it isolates differences from narratives, questionnaires or flowcharts, the reason for the differences should be resolved and the auditor’s documentation revised if necessary.

Factors Considered in Determining the Relevance of Controls to Audit
1. A walkthrough should be done every year.
2. The walkthrough should be performed after the flowcharts (or narrative outlines) have been prepared or updated.
3. The auditor who prepared or updated the flowcharts should be the one to do the walkthrough.
Relationship of Controls to Assertions
The relationship may be either direct or indirect. The degree of directness, or closeness, of the relationship determines, in part, how likely a specific policy or procedure is to have an effect on a particular assertion for a specific account balance or class of transactions.

PSA 315 (Redrafted) groups financial statement assertions into the following categories:
1. Assertions about classes of transactions and events for the period under audit
2. Assertions about account balances at the period end
3. Assertions about presentation and disclosure

Assertions about classes of transactions and events for the period under audit
Occurrence
Completeness
Accuracy
Cutoff
Classification

Assertions about account balances at the period end
Existence
Rights and Obligations
Completeness
Valuation and Allocation

Assertions about presentation and disclosure
Occurrence and Rights and Obligations
Completeness
Classification and Understandability
Accuracy and Valuation

STEP 2 - MAKE PRELIMINARY ASSESSMENT OF CONTROL RISK
The combined assessments of control and inherent risk shall be the basis for determining the nature, timing and extent of substantive tests. In assessing control risk, the auditor:
1. Considers the error or irregularities that could occur and that could result in material misstatements in the financial statements
2. Identifies relevant control procedures designed to prevent the errors or irregularities
3. Performs test of controls on the control procedures to be relied on in designing substantive tests.

Pointers When Assessing Control Risks

Control Environment
1. The existence of a satisfactory control environment is not an absolute deterrent to fraud.
2. The control environment in itself does not prevent, or detect and correct, material misstatements.

Risk Assessment Process
1. Note how management performs the risk assessment process.
2. Consider the existence of material weaknesses in internal control.
Information System and Communication
1. There is a possibility of inappropriate override of controls over journal entries.
2. Check the resolution of incorrectly processed transactions.
3. Focus on communications with the audit committee and with regulatory authorities.

Control Activities
1. The auditor’s primary consideration is whether, and how, a specific control activity prevents, or detects and corrects, material misstatements.
2. Consider the risks associated with the information technology.

Monitoring of Controls
1. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of activities.

There are two possible risk assessments pertaining to control risk:

1. High Control Risk Assessment
The auditor may assess control risk as high or at maximum level when there is high likelihood that significant misstatements may exist in the financial statements because internal controls are inadequate and cannot be relied upon, for all or certain audit objectives.

2. Less Than High Control Risk Assessment
In order to assess risk at less than high or below the maximum level, the auditor must be able to identify specific control structure policies and procedures that are in place and are likely to prevent or detect material misstatements in specific financial statements assertions and must test whether those policies and procedures are designed and operating effectively.

STEP 3 - DETERMINE THE APPROPRIATE RESPONSE TO THE ASSESSED RISKS

Overall Responses
To reduce audit risk to an acceptable level, the auditor should determine overall responses to the assessed risks and should design and perform further audit procedures to respond to assessed risks at the assertion level.

Overall Responses the Auditor May Consider
1. Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence.
2. Assigning more experienced staff or those with special skills or using experts
3. Providing more supervision
4. Incorporating additional elements of unpredictability in the selection of audit procedures to be performed
5. Making general changes to the nature, timing, or extent of audit procedures

Responses at the Assertion Level
Preliminary Control Risk Assessment is High
Adopt audit approach that relies primarily on substantive tests. The auditor proceeds to step five and only substantive test audit programs are prepared.
Preliminary Control Risk Assessment is Less Than High
Use reliance approach. Two sets of audit programs are prepared: test of controls and substantive test.

Auditor’s Responses at the Assertion Level
Preliminary Control Risk Assessment: High/Maximum
Effect on Acceptable Detection Risk: Decrease
Audit Approach: No Reliance
TOC? No
ST? Yes

Preliminary Control Risk Assessment: Less than High or Below the Maximum
Effect on Acceptable Detection Risk: Increase
Audit Approach: Reliance
TOC? Yes
ST? Yes

TEST OF CONTROLS
used to test either the effectiveness of the design or operation of a client’s internal control policy or procedure in support of less than high control risk assessment
applied only to those controls on which the auditor intends to rely when designing substantive tests of account balances.

Nature of Test of Controls
The tests generally consist of one or a combination of the following procedures:
Inquiry of client personnel
Observation of the application of policies and procedures
Inspection
Reperformance or recalculation

Control Deviations
When performing test of controls, an auditor may find differences between what was expected and what actually occurred. Such differences are appropriately called exceptions, deviations, or occurrences, rather than errors, because an exception does not necessarily mean that an error has been made.
Timing of Test of Controls
The timing of test of controls depends on the auditor’s objective and determines the period of reliance on those controls. Another important timing matter is how much to rely on tests of prior periods as evidence that controls are effectively designed and continue to operate effectively during the current audit period.

Extent of Test of Controls
The more the auditor relies on the operating effectiveness of controls in the assessment of risk, the greater is the extent of test of controls. As the rate of expected deviation from a control increases, the auditor increases the extent of testing of the control.

STEP 4 - REASSESS LEVEL OF CONTROL RISK
If the auditor finds that the risk of material misstatement is higher than originally expected, the auditor should reassess the level of control risk. In evaluating the effectiveness of controls, the auditor considers all the control components taken together. The entity-level components must be effective for internal control as a whole to be effective.

Effect of Reassessment of Control Risk on the Audit Approach
Reassessment of Control Risk: CR assessment remains at less than high or below the maximum
Audit Approach: Reliance Approach
Effect on ST Audit Program: Less effective procedures; Interim testing may be appropriate; Lower sample sizes

Reassessment of Control Risk: CR assessment is changed to high or maximum
Audit Approach: Switch to No-Reliance Approach
Effect on ST Audit Program: More effective procedures; Tests moved to nearer or at the year-end; Larger sample sizes

Documentation
Should the auditor document the…
Risk Assessment: High
Understanding of Internal Control? Yes
Control Risk Assessment? Yes
Basis for the Control Risk Assessment? No

Risk Assessment: Less than high
Understanding of Internal Control? Yes
Control Risk Assessment? Yes
Basis for the Control Risk Assessment? Yes

STEP 5 – DETERMINE THE NATURE, EXTENT AND TIMING OF SUBSTANTIVE TESTS
Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosures.
The lower the assessed level of control risk, the less evidence the auditor needs from substantive tests. Regardless of the assessed levels of control risk, the auditor should perform some substantive tests for significant account balances and transaction classes.

Possible Modifications to the Substantive Test Audit Program
As the assessed level of control risk decreases, the auditor may modify substantive tests in the following ways:
1. Changing the nature of substantive tests
2. Changing the timing of substantive tests
3. Changing the extent of substantive tests

DEFICIENCIES IN INTERNAL CONTROL

PSA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, provides guidance on how to communicate significant internal control deficiencies noted in an audit of financial statements.

A deficiency exists when:
a. A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
b. A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

The auditor should communicate to management at an appropriate level of responsibility on a timely basis:
a. In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances;
b. Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.

The auditor shall include in the written communication of significant deficiencies in internal control:
a. A description of the deficiencies and an explanation of their potential effects; and
b. Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor shall explain that:
(i) The purpose of the audit was for the auditor to express an opinion on the financial statements;
(ii) The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance.

ENTERPRISE RISK MANAGEMENT - INTEGRATED FRAMEWORK

In response to a need for principle-based guidance to help entities design and implement an effective enterprise-wide approach to risk management, COSO issued the Enterprise Risk Management - Integrated Framework in 2004.

New COSO Framework
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.