AAP - Module 9: Internal Control
Uploaded by HolyIndianArt
Lyceum of the Philippines University
Lex Daniel S. Quequegan, CPA, CFE

Summary
This document details Internal Control systems and their use by auditors. It covers the components of internal control and how to evaluate them, including for computerized environments. It also explores control risk in small companies.
Auditing and Assurance Principles
Module 9: Internal Control
Lex Daniel S. Quequegan, CPA, CFE

At the end of this module, you will learn:
1. Internal control systems;
2. The use of internal control systems by auditors;
3. The evaluation of internal control components; and
4. Internal controls in a computerized environment.

Internal Control Systems

The auditors must understand the accounting system and control environment in order to determine their audit approach. Internal control is the process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

An understanding of internal control assists the auditor in identifying types of potential misstatements and factors that affect the risks of material misstatement, and in designing the nature, timing and extent of further audit procedures. Initially, gaining an understanding of internal control helps auditors to determine which controls are relevant to the audit. PSA 315 (Revised) points out that there is a direct relationship between an entity’s objectives and the controls it implements to provide reasonable assurance about their achievement. Many of these controls will relate to financial reporting, operations and compliance, but not all of the entity’s objectives and controls will be relevant to the auditor’s risk assessment.

Having determined which controls are relevant, and are adequately designed to aid in the prevention of material misstatements in the financial statements, the auditor can then decide whether it is more efficient to seek reliance on those controls and perform tests of controls in that area, or more efficient to perform substantive testing over that area. If the controls are not adequately designed, the auditor needs to perform sufficient substantive testing over that financial statement area in light of the apparent lack of control and increased risk. Any deficiencies are noted and, where appropriate, these will be communicated to management.

PSA 315 (Revised) deals with the whole area of controls. Internal control has five components:
§ The control environment
§ The entity’s risk assessment process
§ Control activities
§ The information system relevant to financial reporting
§ Monitoring of controls

In obtaining an understanding of internal control, the auditor must understand the design of the internal control and the implementation of that control.

Control Environment

The control environment is the framework within which controls operate. The control environment is very much determined by the management of a business. It includes governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

A strong control environment does not, by itself, ensure the effectiveness of the overall internal control system, but can be a positive factor when assessing the risks of material misstatement. A weak control environment can undermine the effectiveness of controls. Aspects of the control environment (such as management attitudes towards control) will nevertheless be a significant factor in determining how controls operate. Controls are more likely to operate well in an environment where they are treated as being important. In addition, consideration of the control environment will mean determining whether certain controls (internal auditors, budgets) actually exist.

PSA 315 states that the auditor shall have an understanding of the control environment.
As part of this understanding, the auditor shall evaluate whether:
a. Management has created and maintained a culture of honesty and ethical behavior.
b. The strengths in the control environment provide an appropriate foundation for the other components of internal control and whether those components are not undermined by deficiencies in the control environment.

The following table illustrates the elements of the control environment that may be relevant when obtaining an understanding of the control environment.

CONTROL ENVIRONMENT
Communication and enforcement of integrity and ethical values: Essential elements which influence the effectiveness of the design, administration and monitoring of controls.
Commitment to competence: Management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
Participation by those charged with governance:
  § Independence from management
  § Experience and stature
  § Extent of involvement and scrutiny of activities
  § Appropriateness of actions and interaction with internal and external auditors
Management's philosophy and operating style:
  § Approach to taking and managing business risks
  § Attitudes and actions towards financial reporting
  § Attitudes towards information processing and accounting functions and personnel
Organizational structure: The framework within which an entity's activities for achieving its objectives are planned, executed, controlled and reviewed.
Assignment of authority and responsibility: How authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established.
Human resource policies and practices: Recruitment, orientation, training, evaluating, counselling, promoting, compensation and remedial actions.

The auditor shall assess whether these elements of the control environment have been implemented using a combination of inquiries of management, observation and inspection.

Entity’s Risk Assessment Process

PSA 315 says the auditor shall obtain an understanding of whether the entity has a process for:
§ Identifying business risks relevant to financial reporting objectives
§ Estimating the significance of the risks
§ Assessing the likelihood of their occurrence
§ Deciding on actions to address those risks

If the entity has established such a process, the auditor shall obtain an understanding of it. If there is not a process, the auditor shall discuss with management whether relevant business risks have been identified and how they have been addressed.

Information System Relevant to Financial Reporting

The information system relevant to financial reporting is a component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity.
The auditor shall obtain an understanding of the information system relevant to financial reporting objectives, including the following areas:
§ The classes of transactions in the entity's operations that are significant to the financial statements
§ The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed, corrected, transferred to the general ledger and reported in the financial statements
§ The related accounting records, supporting information and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions
§ How the information system captures events and conditions, other than transactions, that are significant to the financial statements
§ The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures
§ Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments

The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting.

PSA 315 points out that auditors must gain an understanding of the system relating to information obtained outside of the ledgers. Such information may include information disclosed in the financial statements, which has been derived from:
§ Lease agreements disclosed in the financial statements
§ The entity’s risk management system
§ Fair value reports produced by management’s experts
§ Calculations and models developed about accounting estimates, including internal assumptions about assets’ useful lives and external interest rates
§ Sensitivity analyses performed by management to consider alternative assumptions
§ The entity’s tax records
§ Analyses to support management’s assessment on the going concern assumption

Control Activities

Control activities are those policies and procedures that help ensure that management directives are carried out. PSA 315 states that the auditor shall obtain an understanding of control activities relevant to the audit and how the entity has responded to risks arising from IT. Control activities include those activities designed to prevent or to detect and correct errors. There are five major control activities.

1. Transaction authorization. It ensures all material transactions processed are valid and in accordance with management’s objectives.
2. Segregation of duties (SOD). It minimizes incompatible functions. In addition, supervision: implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for smaller organizations. Thus, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of SOD with close supervision.
3. Accounting records (or audit trail). They consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
4. Physical controls (or access controls). They ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft.
5. Independent verifications. These are independent checks of the accounting system to identify errors and misrepresentations. They take place after the fact of errors and misrepresentations.

Examples of control activities (each entry gives the example, its category in parentheses, and an explanation)

Approval and control of documents (Category: Authorization): Transactions should be approved by an appropriate person. For example, overtime should be approved by departmental managers.
Controls over computerized applications (Category: Audit trail): We shall look at computer controls later in this chapter.
Checking the arithmetical accuracy of records (Category: Audit trail): For example, checking to see if individual invoices have been added up correctly.
Maintaining and reviewing control accounts and trial balances (Category: Independent verification): Control accounts bring together transactions in individual ledgers. Trial balances bring together transactions for the organization as a whole. Preparing these can highlight unusual transactions or accounts.
Reconciliations (Category: Audit trail): Reconciliations involve comparison of a specific balance in the accounting records with what another source says the balance should be; for example, a bank reconciliation. Differences between the two figures should only be reconciling items (resulting from, e.g., timing differences).
Comparing the results of cash, security and inventory counts with accounting records (Category: Independent verification): For example, in a physical count of petty cash, the balance shown in the cash book should be the same as the amount held.
Comparing internal data with external sources of information (Category: Independent verification): For example, comparing records of goods dispatched to customers with customers’ acknowledgement of goods that have been received.
Limiting physical access to assets and records (Category: Physical control): Only authorized personnel should have access to certain assets (particularly valuable or portable ones), e.g., ensuring that the inventory stores are locked unless store personnel are there.
Segregation of duties (Category: Segregation of duties): Assigning different people the responsibility of authorizing transactions, recording transactions and maintaining custody of assets.

Segregation of Duties

Segregation implies a number of people involved in the accounting process. This makes it more difficult for fraudulent transactions to be processed (since a number of people would have to collude in the fraud), and it is also more difficult for accidental errors to be processed (since the more people are involved, the more checking there can be). Segregation should take place in various ways.
a. Segregation of functions. The key functions that should be segregated are the authorization of a transaction, recording that transaction in the accounting records and maintaining custody of assets that arise from the transaction.
b. The various steps in authorizing the transactions should also be segregated.
c. The carrying out of various accounting operations should be segregated. For example, the same staff should not record transactions and carry out the reconciliations at the period end.

Monitoring of Controls

Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It includes assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions. The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to control activities relevant to the audit, and how the entity initiates corrective actions to deficiencies in its controls.
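The segregation rules above (authorization, recording and custody kept apart; recording kept apart from the period-end reconciliation; close supervision as the compensating control where a small entity cannot segregate) can be checked mechanically against a role assignment. The following is an added example and not part of the module or of any audit firm's tooling: the role catalogue, the user assignments, the incompatibility set and the supervisor map are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed role assignment.

Added example, not from the module. It encodes the three functions the text
says must be kept apart (authorize, record, custody), the text's point that
recording and period-end reconciliation should not sit with one person, and
the rule that a missing segregation in a small entity must be compensated
by close supervision from someone else.
"""
from itertools import combinations

AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# Hypothetical role catalogue: which function(s) each role exercises.
ROLE_FUNCTIONS = {
    "purchasing_clerk": {AUTHORIZE},   # approves purchase orders
    "payables_clerk":   {RECORD},      # posts supplier invoices to the ledger
    "treasury_officer": {CUSTODY},     # releases payments, holds cheque stock
    "warehouse_keeper": {CUSTODY},     # custody of inventory
    "reconciler":       {RECONCILE},   # prepares the period-end bank reconciliation
}

# Function pairs one person should not hold: every pair drawn from
# authorize/record/custody, plus record + reconcile (point c. in the text).
INCOMPATIBLE = {frozenset(p) for p in combinations((AUTHORIZE, RECORD, CUSTODY), 2)}
INCOMPATIBLE.add(frozenset({RECORD, RECONCILE}))


def functions_held(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions a user exercises through all of their roles."""
    held = set()
    for role in roles:
        held |= role_functions[role]
    return held


def find_conflicts(assignments, role_functions=ROLE_FUNCTIONS, incompatible=INCOMPATIBLE):
    """Map each user to the incompatible function pairs they hold (sorted tuples)."""
    conflicts = {}
    for user, roles in assignments.items():
        held = sorted(functions_held(roles, role_functions))
        pairs = [pair for pair in combinations(held, 2) if frozenset(pair) in incompatible]
        if pairs:
            conflicts[user] = pairs
    return conflicts


def evaluate(assignments, supervised_by, role_functions=ROLE_FUNCTIONS, incompatible=INCOMPATIBLE):
    """Classify each conflict: 'compensated by <reviewer>' when a different person
    supervises the user's work (the close supervision the module expects in small
    entities), otherwise 'deficiency' for the auditor to note and communicate."""
    findings = []
    for user, pairs in find_conflicts(assignments, role_functions, incompatible).items():
        supervisor = supervised_by.get(user)
        status = "compensated by " + supervisor if supervisor and supervisor != user else "deficiency"
        for pair in pairs:
            findings.append((user, pair, status))
    return findings


# Constructed assignments: bob both records invoices and prepares the bank
# reconciliation; carol both posts invoices and releases payments.
ASSIGNMENTS = {
    "alice": ["purchasing_clerk"],
    "bob":   ["payables_clerk", "reconciler"],
    "carol": ["payables_clerk", "treasury_officer"],
    "dave":  ["warehouse_keeper"],
}
# The owner-manager reviews bob's reconciliation; nobody reviews carol.
SUPERVISED_BY = {"bob": "owner_manager"}

if __name__ == "__main__":
    for user, pair, status in evaluate(ASSIGNMENTS, SUPERVISED_BY):
        print(f"{user}: holds {pair[0]} + {pair[1]} -> {status}")
```

Run as a script it lists bob's record/reconcile overlap as compensated by the owner-manager's review and carol's custody/record overlap as a deficiency. A supervisor who is the same person as the conflicted user does not count as compensation, which is the situation the text describes when an owner-manager holds all functions personally.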
If the entity has an internal audit function, the auditor shall obtain an understanding of the nature of its responsibilities, its organizational status and the activities performed or to be performed. The auditor shall also obtain an understanding of the sources of the information used in the monitoring activities and the basis on which management considers it reliable.

Small Companies – The Problem of Control

Many of the controls which would be relevant to a large entity are neither practical nor appropriate for a small company, which often has a simple internal control system. For a small company, the most important form of internal control is generally the close involvement of the directors or proprietors. However, it is also important to note that close involvement by management will enable them to override controls and, if they wish, to exclude transactions from the records.

Auditors can also have difficulties, not because there is a general lack of controls but because the evidence available as to their operation and the completeness of the records is insufficient. For example, an owner-manager may well perform an independent review of payroll records, but will not sign and date to indicate the review has taken place, and may not document the investigation of anomalies or how problems were resolved. Therefore it is very difficult for the auditor to obtain evidence that a control is operating effectively, even if it is.

Segregation of duties will often appear inadequate in enterprises having a small number of staff. Similarly, because of the scale of the operation, organization and management controls are likely to be rudimentary at best. As discussed above, the onus is on the proprietor, by virtue of their day-to-day involvement, to compensate for this lack. This involvement should encompass physical, authorization, arithmetical and accounting controls as well as supervision.

Where the manager of a small business is not the owner, the manager may not possess the same degree of commitment to the running of it as an owner-manager would. In such cases, the auditors will have to consider the adequacy of controls exercised by the shareholders over the manager in assessing internal control.

Evidence Available in Relation to Internal Control in Small Companies

We discussed above the fact that audit evidence for elements of the control environment in smaller entities may not be available in documentary form, in particular where communication between management and other personnel may be informal but effective. However, although not documented, small companies may develop a culture that emphasizes the importance of integrity and ethical behavior through verbal communication and where management sets a good example. As a result, the attitudes, awareness and actions of management are very important to the auditor’s understanding of a smaller entity’s control environment.

Although size and economic considerations in smaller entities often reduce the opportunity for formal control activities, there is still likely to be some evidence available in relation to internal controls. Some basic control activities are likely to exist for the main transaction cycles, such as revenues, purchases and payroll costs. In a small company, often management's sole authority for approval of, for example, purchases and payments can provide strong control over important account balances and the auditor can seek to test and rely on these controls. These key controls lessen or remove the need for more detailed control activities and if the auditor can gain enough evidence that these key controls are operating effectively, substantive testing can be reduced.

However, because of the factors discussed in the preceding section, the auditor will often choose or be forced to turn to substantive procedures to gain sufficient appropriate audit evidence when auditing a smaller entity. This can often mean use of:
§ Confirmations
§ Agreeing samples related to different financial statement areas to source documents
§ Analytical procedures where these are considered suitable

Limitations of Accounting and Control Systems

Any control system can only provide the directors with reasonable assurance that their objectives are reached, because of inherent limitations. These include:
§ The cost of controls not outweighing their benefits
§ The potential for human error
§ Collusion between employees
§ The possibility of controls being bypassed or overridden by management
§ Controls being designed to cope with routine and non-routine transactions

These factors demonstrate why auditors cannot obtain all their evidence from tests of the systems of internal control. The key factors in the limitations of control systems are human error and potential for fraud. The safeguard of segregation of duties can help deter fraud. However, if employees decide to perpetrate frauds by collusion, or management commit fraud by overriding systems, the accounting system will not be able to prevent such frauds. This is one of the reasons why auditors always need to be alert to the possibility of fraud, the subject of PSA 240.

The Use of Internal Control Systems by Auditors

The auditors shall assess the adequacy of the systems as a basis for the financial statements and shall identify risks of material misstatements to provide a basis for designing and performing further audit procedures. Auditors are only concerned with assessing policies and procedures which are relevant to the financial statements.
Auditors shall:
§ Assess the adequacy of the accounting system as a basis for preparing the accounts
§ Identify the types of potential misstatements that could occur in the accounts
§ Consider factors that affect the risk of misstatements
§ Design appropriate audit procedures

Risks arising from poor control environments are unlikely to be confined to particular assertions in the financial statements, and, if severe, may even raise questions about whether the financial statements are capable of being audited; that is, if control risk is so high that audit risk cannot be reduced to an acceptable level. On the other hand, some control procedures may be closely connected to an assertion in financial statements; for example, controls over the inventory count are closely connected with the existence and completeness of inventory in the financial statements.

There may be occasions where substantive procedures alone are not sufficient to address the risks arising. Where such risks exist, auditors shall evaluate the design and determine the implementation of the controls; that is, by controls testing. This is most likely to be the case in a system which is highly computerized and which does not require much manual intervention.

Recording Accounting and Control Systems

The auditors must keep a record of the client's systems which must be updated each year. This can be done through the use of narrative notes, flowcharts, questionnaires or checklists. There are several techniques for recording the assessment of control risk; that is, the system. One or more of the following may be used depending on the complexity of the system.
§ Narrative notes
§ Questionnaires
§ Flowcharts
§ Checklists

In respect of questionnaires, you should note that there are two types, each with a different purpose.
a. Internal control questionnaires (ICQs) are used to ask whether controls exist which meet specific control objectives.
b. Internal control evaluation questionnaires (ICEQs) are used to determine whether there are controls which prevent or detect specified errors or omissions.

Narrative Notes

The purpose of narrative notes is to describe and explain the system, at the same time as making any comments or criticisms which will help to demonstrate an intelligent understanding of the system.

Advantages
§ They are relatively simple to record and can facilitate understanding by all audit team members.
§ They can be used for any system due to the method’s flexibility.
§ Editing in future years can be relatively easy if they are computerized.

Disadvantages
§ Describing something in narrative notes can be a lot more time consuming than representing it as a simple flowchart, particularly where the system follows a logical flow.
§ They are awkward to update if written manually.
§ It can be difficult to identify missing internal controls because notes record the detail of systems but may not identify control exceptions clearly.

Flowcharts

Flowcharts can take many forms but in general are graphic illustrations of the physical flow of information through the accounting system. Flowlines represent the sequences of processes, and other symbols represent the inputs and outputs to a process. An example of an accounts receivable flowchart follows.

Advantages
§ After a little experience, they can be prepared quickly.
§ As the information is presented in a standard form, they are fairly easy to follow and review.
§ They generally ensure that the system is recorded in its entirety, as all document flows have to be traced from beginning to end. Any “loose ends” will be apparent from a cursory examination.
§ They eliminate the need for extensive narrative and can be of considerable help in highlighting the salient points of control and any deficiencies in the system.

Disadvantages
§ They are most suitable for describing standard systems. Procedures for dealing with unusual transactions will normally have to be recorded using narrative notes.
§ Major amendment is difficult without redrawing.
§ Time can sometimes be wasted by charting areas that are of no audit significance.

Internal Control Questionnaires (ICQs)

The major question which ICQs are designed to answer is “How good is the system of controls?” Although there are many different forms of ICQ in practice, they all conform to the following basic principles.
a. They comprise a list of questions designed to determine whether desirable controls are present.
b. They are formulated so that there is one list of questions to cover each of the major transaction cycles.

One of the most effective ways of designing the questionnaire is to phrase the questions so that all the answers can be given as “Yes” or “No” and a “No” answer indicates a deficiency in the system.

Internal Control Evaluation Questionnaires (ICEQs)

In recent years, many auditing firms have developed and implemented an evaluation technique more concerned with assessing whether specific errors (or frauds) are possible, rather than establishing whether certain desirable controls are present. This is achieved by reducing the control criteria for each transaction stream down to a handful of key questions (or control questions). The characteristic of these questions is that they concentrate on the significant errors or omissions that could occur at each phase of the appropriate cycle if controls are weak.

Advantages
§ If drafted thoroughly, they can ensure all controls are considered.
§ They are quick to prepare.
§ They are easy to use and control.
§ Because they are drafted in terms of objectives rather than specific controls, ICEQs are easier to apply to a variety of systems than ICQs.
§ Answering ICEQs should enable auditors to identify the key controls which they are most likely to test during control testing.
§ ICEQs can highlight deficiencies where extensive substantive testing will be required.

Disadvantages
§ The principal disadvantage is that they can be drafted vaguely, hence misunderstood and important controls not identified.
§ They may contain a large number of irrelevant controls.
§ They may not include unusual controls, which are nevertheless effective in particular circumstances.
§ They can give the impression that all controls are of equal weight. In many systems one NO answer (for example lack of segregation of duties) will cancel out a string of YES answers.
§ The client may be able to overstate controls.

Checklists

Checklists may be used instead of questionnaires to document and evaluate the internal control system. The subtle difference with these is that, instead of asking questions, statements are made to 'mark off' and tick boxes are used to indicate where the statement holds true. For example, a checklist may state 'Supplies are examined on arrival as to quantity and quality' which would be ticked if this does actually occur, or crossed if not. Checklists share many of the same advantages and disadvantages of ICQs and ICEQs.

The Evaluation of Internal Control Components

Confirming Understanding

In order to confirm their understanding of the control systems, auditors will often carry out walkthrough tests. This is where they pick up a transaction and follow it through the system to see whether all the controls they anticipate should be in existence were in operation with regard to that transaction.
Tests of Control

Tests of control (TOC) are tests performed to obtain audit evidence about the effectiveness of the:
§ Design of the accounting and internal control systems, i.e., whether they are suitably designed to prevent, or detect and correct, material misstatement at the assertion level; and
§ Operation of the internal controls throughout the period.

Tests of control are distinguished from substantive tests which are designed to detect material misstatements in the financial statements. Tests of control may include the following:
a. Inspection of documents supporting controls or events to gain audit evidence that internal controls have operated properly, e.g., verifying that a transaction has been authorized.
b. Inquiries about internal controls which leave no audit trail, e.g., determining who actually performs each function, not merely who is supposed to perform it.
c. Reperformance of control procedures, e.g., reconciliation of bank accounts, to ensure they were correctly performed by the entity.
d. Examination of evidence of management views, e.g., minutes of management meetings.
e. Testing of internal controls operating on computerized systems or overall IT function, e.g., access controls.
f. Observation of controls to consider the manner in which the control is being operated.

Auditors should consider:
§ How controls were applied
§ The consistency with which they were applied during the period
§ By whom they were applied

Deviations in the operation of controls (caused by change of staff etc.) may increase control risk and tests of control may need to be modified to confirm effective operation during and after any change.
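Item c. above (reperformance of a bank reconciliation) and the reconciliation row of the control activities table say the same thing from two sides: the entity's reconciliation is a control, and the auditor tests it by redoing it and checking that every difference between the cash book and the bank statement is a genuine timing item. The following is an added example, not from the module: it rebuilds the reconciliation from constructed cash book and bank statement entries, flags a matched item whose amounts disagree, and compares the result with the reconciliation the entity prepared so that an unsupported "plug" or an omitted item stands out. Matching entries by document reference is an assumption about how the records are keyed.

```python
"""Reperformance of a bank reconciliation as a test of control.

Added example, not part of the module. Opening balance, entries and the
entity's own reconciliations are constructed; entries are matched by their
reference string, which is an assumption about the entity's records.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str
    amount: Decimal   # receipts positive, payments negative


ZERO = Decimal("0.00")
OPENING = Decimal("46050.00")   # agreed opening balance, same on both records

# Constructed period entries. rcpt 2202 was banked on the last day and is not
# yet on the statement; the bank charges are not yet in the cash book.
CASH_BOOK = [
    Entry("rcpt 2201", Decimal("5000.00")),
    Entry("chq 1041", Decimal("-2100.00")),
    Entry("chq 1045", Decimal("-950.00")),
    Entry("rcpt 2202", Decimal("250.00")),
]
BANK_STATEMENT = [
    Entry("rcpt 2201", Decimal("5000.00")),
    Entry("bank charges Jun", Decimal("-50.00")),
]


def closing_balance(opening, entries):
    return opening + sum((e.amount for e in entries), ZERO)


def reperform(opening, cash_book, bank_statement):
    """Recompute the reconciliation from the underlying records."""
    book = {e.ref: e for e in cash_book}
    bank = {e.ref: e for e in bank_statement}
    only_in_book = [e for e in cash_book if e.ref not in bank]     # timing items
    only_in_bank = [e for e in bank_statement if e.ref not in book]  # not yet recorded
    # Same reference on both sides with different amounts is an error, not a timing item.
    mismatches = [(ref, book[ref].amount, bank[ref].amount)
                  for ref in book if ref in bank and book[ref].amount != bank[ref].amount]
    adjusted_bank = closing_balance(opening, bank_statement) + sum((e.amount for e in only_in_book), ZERO)
    adjusted_book = closing_balance(opening, cash_book) + sum((e.amount for e in only_in_bank), ZERO)
    return {
        "outstanding_payments": [e.ref for e in only_in_book if e.amount < 0],
        "deposits_in_transit": [e.ref for e in only_in_book if e.amount > 0],
        "unrecorded_bank_items": [e.ref for e in only_in_bank],
        "amount_mismatches": mismatches,
        "adjusted_bank": adjusted_bank,
        "adjusted_cash_book": adjusted_book,
        # Non-zero means a difference that is not a legitimate reconciling item.
        "unexplained_difference": adjusted_bank - adjusted_book,
    }


def check_entity_reconciliation(entity_items, reperformed):
    """Compare the entity's listed reconciling items (ref -> amount) with the
    reperformed ones. Returns (refs the entity listed without support,
    refs the reperformance found that the entity omitted)."""
    supported = (set(reperformed["outstanding_payments"])
                 | set(reperformed["deposits_in_transit"])
                 | set(reperformed["unrecorded_bank_items"]))
    unsupported = [ref for ref in entity_items if ref not in supported]
    omitted = [ref for ref in sorted(supported) if ref not in entity_items]
    return unsupported, omitted


# Constructed: the entity's correct reconciliation, and one where a cheque
# has been replaced by a vague "sundry adjustment" that balances the figures.
ENTITY_RECONCILIATION = {
    "chq 1041": Decimal("-2100.00"), "chq 1045": Decimal("-950.00"),
    "rcpt 2202": Decimal("250.00"), "bank charges Jun": Decimal("-50.00"),
}
ENTITY_RECONCILIATION_WITH_PLUG = {
    "chq 1041": Decimal("-2100.00"), "sundry adjustment": Decimal("-950.00"),
    "rcpt 2202": Decimal("250.00"), "bank charges Jun": Decimal("-50.00"),
}

if __name__ == "__main__":
    result = reperform(OPENING, CASH_BOOK, BANK_STATEMENT)
    print("unexplained difference:", result["unexplained_difference"])
    print("entity reconciliation:", check_entity_reconciliation(ENTITY_RECONCILIATION, result))
    print("with plug:", check_entity_reconciliation(ENTITY_RECONCILIATION_WITH_PLUG, result))
```

For the constructed data both adjusted balances come to 48200.00, so the control operated correctly; the plugged version is reported as one unsupported item and one omitted cheque, which is the kind of exception that would make the auditor extend substantive work on cash rather than rely on the control.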
In a continuing engagement, the auditor will be aware of the accounting and internal control systems through work carried out previously but will need to update the knowledge gained and consider the need to obtain further audit evidence of any changes in control.

Revision of Risk Assessment, Audit Strategy and Audit Plan

The auditors may find that the evidence they obtain from controls testing indicates that controls did not operate as well as they expected. If the evidence contradicts the original risk assessment, the auditors will have to amend the further procedures they have planned to carry out. In particular, if controls testing reveals that controls have not operated effectively throughout the year, the auditor may have to extend substantive testing.

Revising the risk assessment and audit procedures will necessitate an update of the audit strategy, which sets out the scope, timing and direction of the audit. For example, if tests of controls highlight that many controls are not operating as expected, this may lead to an increase in the strategy's emphasis on substantive procedures.

Communication of Deficiencies in Internal Control

Significant deficiencies in internal controls shall be communicated in writing to those charged with governance in a report to management in accordance with PSA 265, which states that the objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control identified during the audit which the auditor considers are of sufficient importance to warrant their attention.

A deficiency in internal control exists when:
a. A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
b. A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.
A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance. PSA 265 requires the auditor to determine whether one or more deficiencies in internal control have been identified and, if so, whether these constitute significant deficiencies. The significance of a deficiency depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and on its potential magnitude.

PSA 265 includes examples of matters to consider when determining whether a deficiency in internal control is a significant deficiency:
§ The likelihood of the deficiencies resulting in material misstatements in the financial statements in the future
§ The susceptibility to loss or fraud of the related asset or liability
§ The subjectivity and complexity of determining estimated amounts
§ The amounts exposed to the deficiencies
§ The volume of activity that has occurred or could occur
§ The importance of the controls to the financial reporting process
§ The cause and frequency of the exceptions identified as a result of the deficiencies
§ The interaction of the deficiency with other deficiencies in internal control

The PSA also lists examples of indicators of significant deficiencies in internal control, which include the following:
§ Evidence of ineffective aspects of the control environment
§ Absence of a risk assessment process
§ Evidence of an ineffective entity risk assessment process
§ Evidence of an ineffective response to identified significant risks
§ Misstatements detected by the auditor's procedures that were not prevented, or detected and corrected, by the entity's internal control
§ Restatement of previously issued financial statements to reflect the correction of a material misstatement due to fraud or error
§ Evidence of management's inability to oversee the preparation of the financial statements

The auditor shall communicate significant deficiencies in internal control identified during the audit to those charged with governance in writing and on a timely basis. The auditor shall also communicate to management, at an appropriate level of responsibility and on a timely basis: (a) in writing, the significant deficiencies that the auditor has communicated or intends to communicate to those charged with governance; and (b) other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that the auditor considers are of sufficient importance to merit management's attention. These other deficiencies may be communicated to management orally or in writing.

The auditor shall include the following in the written communication of significant deficiencies:
a. A description of the deficiencies and an explanation of their potential effects (the effects need not be quantified)
b. Sufficient information to enable those charged with governance and management to understand the context of the communication, in particular that:
i. The purpose of the audit was for the auditor to express an opinion on the financial statements.
ii. The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control.
iii. The matters being reported are limited to those deficiencies identified during the audit that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance.

The auditor may also include suggestions for remedial action on the deficiencies, management's actual or proposed responses, and a statement as to whether or not the auditor has undertaken any steps to verify whether management's responses have been implemented. In addition, the auditor may include:
a. A statement that, if the auditor had undertaken more extensive procedures on internal control, more deficiencies might have been identified, or some of the reported deficiencies might not have needed to be reported.
b. A statement that the written communication has been prepared for the purposes of those charged with governance and may not be suitable for other purposes.

Impact of Deficiencies on the Auditor's Reliance on Internal Control

If the controls are not adequately designed or not operating effectively, the auditor needs to revisit the risk assessment and design sufficient substantive testing over that financial statement area. Therefore, where significant deficiencies are identified, unless there are robust compensating controls, the auditor will have no choice but to use purely substantive procedures to obtain sufficient appropriate audit evidence, and will not seek to place reliance on internal controls. It may be that the deficiencies were not identified during planning and risk assessment, but only become apparent later in the audit process.
If this is the case, and the original audit plan was based on reliance on internal controls, that plan will need to be amended, with the likely result that further audit procedures will need to be performed.

Internal Controls in a Computerized Environment

The internal controls in a computerized environment include both manual procedures and procedures designed into computer programs. They comprise two types of control: IT general controls (ITGCs) and application controls.

IT general controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. ITGCs commonly cover access to programs and data, program changes and development, and computer operations.

Application controls are manual, automated or IT-dependent manual control procedures that typically operate at a business process level. They can be preventive or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to the procedures used to initiate, record, process and report transactions or other financial data.
IT General Controls (ITGC)

Each area of ITGC is listed below with examples of the controls found in it.

Access to programs and data
Access to program changes and development:
§ Segregation of duties
§ Password protection of programs so that access is limited to computer operations staff
§ Restricted access to the central computer by locked doors and keypads
§ Stricter controls over certain programs (e.g., utility programs) by use of read-only memory
Access to data:
§ Password protection
§ Restricted access to authorized users only

Program changes
§ Complete testing procedures
§ Documentation standards
§ Approval of changes by computer users and management
§ Training of staff using the programs
§ Full records of program changes
§ Operating controls over programs

Program development
§ Standards over systems design, programming and documentation
§ Full testing procedures using test data
§ Approval by computer users and management
§ Segregation of duties so that those responsible for design are not responsible for testing
§ Installation procedures so that data is not corrupted in transition
§ Training of staff in new procedures and availability of adequate documentation

Computer operations
§ Storing extra copies of programs and data files off-site
§ Protection of equipment against fire and other hazards
§ Back-up power sources
§ Disaster recovery procedures, e.g., availability of back-up computer facilities
§ Maintenance agreements and insurance
§ Virus checks on software: use of anti-virus software and a policy prohibiting the use of non-authorized programs or files
§ Back-up copies of programs being taken and stored in other locations
§ Control copies of programs being preserved and regularly compared with the programs actually in use
§ Operation controls over programs
§ Libraries of programs
§ Proper job scheduling

The auditors will wish to test some or all of the above ITGCs, having considered how they affect the computer applications significant to the audit. ITGCs that relate to some or all applications are usually interdependent controls, i.e., their operation is often essential to the effectiveness of application controls. Because application controls may be useless when ITGCs are ineffective, it is more efficient to review the design of the ITGCs first, before reviewing the application controls.

Application Controls

The purpose of application controls is to establish specific control procedures over the accounting applications in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis. Application controls include the following.
Each type of application control is listed below with examples.

Controls over input: completeness
§ Manual or programmed agreement of control totals
§ Document counts
§ One-for-one checking of processed output to source documents
§ Programmed matching of input to an expected input control file
§ Procedures over resubmission of rejected data

Controls over input: accuracy
§ Programs to check data fields (e.g., value, reference number, date) or input transactions for plausibility:
o Digit verification (e.g., reference numbers are as expected)
o Reasonableness test (e.g., sales tax to total value)
o Existence checks (e.g., customer name)
o Character checks (no unexpected characters used in a reference)
o Necessary information (no transaction passed with gaps)
o Permitted range (no transaction processed over a certain value)
§ Manual scrutiny of output and reconciliation to source
§ Agreement of control totals (manual or programmed)

Controls over input: authorization
§ Manual checks to ensure that the information input was authorized and was input by authorized personnel

Controls over processing
§ Controls similar to those over input must be in place once input is completed; for example, batch reconciliations
§ Screen warnings can prevent people logging out before processing is complete

Controls over master files and standing data
§ One-for-one checking
§ Cyclical reviews of all master files and standing data
§ Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are updated, to ensure that no records have been deleted
§ Controls over deletion of accounts that have no current balance

Controls over input, processing, data files and output may be carried out by IT personnel, by users of the system or by a separate control group, and may be programmed into application software. The auditors may wish to test the following application controls.
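The control totals, document counts and hash totals that appear in the completeness, processing and master-file rows above all work the same way, so the following added example (written for this page; it is not code from the module or from any real accounting system) shows them together in Python. It assumes a constructed batch of three purchase invoices and a batch header that the user department prepared by hand; the reconciliation routine recomputes the three figures over the records actually processed and reports any that disagree. The scenarios show why all three figures are kept: a dropped record disturbs all of them, an altered amount only the control total, and a supplier number keyed wrongly only the hash total.

```python
"""Batch control totals, document counts and hash totals over a constructed
batch of purchase invoices (added illustration, not code from the module).

Before input, the user department writes three control figures on the batch
header: the document count, the control total of the invoice amounts and a
hash total of the supplier numbers. The program recomputes the same figures
over the records it actually processed and rejects the whole batch if any
figure disagrees, so a dropped, duplicated or altered record is caught before
posting. The invoices and supplier numbers below are constructed sample data.
"""
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    supplier_no: int     # has no arithmetic meaning, which is why its sum is a *hash* total
    invoice_ref: str
    amount: Decimal


@dataclass(frozen=True)
class ControlFigures:
    document_count: int     # number of documents in the batch
    control_total: Decimal  # sum of the invoice amounts
    hash_total: int         # sum of the supplier numbers


def control_figures(invoices):
    """Recompute the batch control figures from a list of processed invoices."""
    return ControlFigures(
        document_count=len(invoices),
        control_total=sum((i.amount for i in invoices), Decimal("0")),
        hash_total=sum(i.supplier_no for i in invoices),
    )


def reconcile_batch(header, invoices):
    """Agree the batch header to the processed records.
    Returns the control figures that disagree; an empty list means the batch may be posted."""
    actual = control_figures(invoices)
    exceptions = []
    for name in ("document_count", "control_total", "hash_total"):
        expected, got = getattr(header, name), getattr(actual, name)
        if expected != got:
            exceptions.append(f"{name}: header {expected}, processed {got}")
    return exceptions


# Constructed batch, and the header figures the user department prepared for it by hand.
BATCH = [
    Invoice(1042, "INV-7781", Decimal("1250.00")),
    Invoice(2310, "INV-7782", Decimal("89.50")),
    Invoice(1042, "INV-7783", Decimal("460.25")),
]
BATCH_HEADER = ControlFigures(document_count=3, control_total=Decimal("1799.75"), hash_total=4394)


def run_scenarios():
    """Simulate three processing errors and show which control figure catches each."""
    dropped = BATCH[:-1]                                                        # last record lost
    keyed_wrong = [BATCH[0], replace(BATCH[1], supplier_no=2130), BATCH[2]]     # 2310 keyed as 2130
    altered = [replace(BATCH[0], amount=Decimal("1520.00")), BATCH[1], BATCH[2]]  # 1250.00 keyed as 1520.00
    return {
        "as_submitted": reconcile_batch(BATCH_HEADER, BATCH),
        "record_dropped": reconcile_batch(BATCH_HEADER, dropped),
        "supplier_keyed_wrong": reconcile_batch(BATCH_HEADER, keyed_wrong),
        "amount_altered": reconcile_batch(BATCH_HEADER, altered),
    }


if __name__ == "__main__":
    for scenario, exceptions in run_scenarios().items():
        print(scenario, "->", exceptions or "batch agrees")
```

The supplier-number scenario is the one worth noticing: the document count and the control total are unchanged, so without the hash total the batch would post against the wrong supplier account. The same record-count and hash-total comparison, taken before and after a master file update, is the check the master-file row above describes for detecting deleted records.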
TESTING OF APPLICATION CONTROLS

Manual controls exercised by the user. If the manual controls exercised by the user of the application system are capable of providing reasonable assurance that the system's output is complete, accurate and authorized, the auditors may decide to limit tests of control to these manual controls.

Controls over system output. If, in addition to the manual controls exercised by the user, the controls to be tested use information produced by the computer or are contained within computer programs, such controls may be tested by examining the system's output using either manual procedures or computers. Such output may be in the form of magnetic media, microfilm or printouts. Alternatively, the auditor may test the control by re-performing it with the use of computers.

Programmed control procedures. In the case of certain computer systems, the auditor may find that it is not possible or, in some cases, not practical to test controls by examining only user controls or the system's output. The auditor may then consider performing tests of control by using computers, reprocessing transaction data or, in unusual situations, examining the coding of the application program.

As already noted, ITGCs may have a pervasive effect on the processing of transactions in application systems. If these general controls are not effective, there is a risk that misstatements occur and go undetected in the application systems. Although weaknesses in ITGCs may preclude testing certain IT application controls, it is possible that manual procedures exercised by users provide effective control at the application level.
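To make the programmed input-accuracy checks listed in the application controls table and the test-data approach described under "Programmed control procedures" concrete, here is an added Python example (written for this page; it is not code from the module or from any audit software). It assumes a constructed customer master file, a modulus-11 check-digit scheme for invoice references, a 12% tax rate for the reasonableness test and a 50,000 value ceiling for the permitted range; each transaction in the test deck breaks exactly one check, which is how an auditor running test data through the system confirms that each programmed control rejects what it should.

```python
"""Programmed input-accuracy checks on sales invoice input, exercised with an
auditor's test deck (added illustration, not code from the module).

Every transaction passes through the same edit checks listed in the
application controls table: necessary information, character checks,
check-digit verification, existence against the customer master, permitted
range and a reasonableness test of tax against net value. The customer
master, the modulus-11 scheme, the tax rate and the value ceiling are all
assumptions made for this example.
"""
import re
from decimal import Decimal

CUSTOMER_MASTER = {"C00417", "C01185", "C02260"}   # constructed master file
MAX_INVOICE_VALUE = Decimal("50000.00")            # assumed permitted range
TAX_RATE = Decimal("0.12")                         # assumed rate for the reasonableness test
AMOUNT = re.compile(r"\d{1,9}\.\d{2}")             # character check for money fields
REF = re.compile(r"INV-(\d{6})([0-9X])")           # INV-, six digits, then the check digit


def mod11_check_digit(digits):
    """Weighted modulus-11 check digit (weights n+1 down to 2); a result of 10 is written as X."""
    weights = range(len(digits) + 1, 1, -1)
    remainder = (11 - sum(int(d) * w for d, w in zip(digits, weights)) % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def edit_checks(txn):
    """Run the programmed checks on one input transaction.
    Returns the list of failed checks; an empty list means the record is accepted."""
    failures = []
    for field in ("customer", "ref", "net", "tax", "total"):     # necessary information
        if not txn.get(field):
            failures.append("missing:" + field)
    if failures:
        return failures                                          # nothing else is meaningful
    bad_amounts = [f for f in ("net", "tax", "total") if not AMOUNT.fullmatch(txn[f])]
    failures += ["character:" + f for f in bad_amounts]          # character check on amounts
    m = REF.fullmatch(txn["ref"])                                # character check on reference
    if m is None:
        failures.append("character:ref")
    elif mod11_check_digit(m.group(1)) != m.group(2):            # digit verification
        failures.append("check_digit:ref")
    if txn["customer"] not in CUSTOMER_MASTER:                   # existence check
        failures.append("existence:customer")
    if bad_amounts:
        return failures                                          # amounts cannot be compared
    net, tax, total = (Decimal(txn[k]) for k in ("net", "tax", "total"))
    if not (Decimal("0") < total <= MAX_INVOICE_VALUE):          # permitted range
        failures.append("range:total")
    expected_tax = (net * TAX_RATE).quantize(Decimal("0.01"))    # reasonableness: tax vs net
    if abs(tax - expected_tax) > Decimal("0.01") or net + tax != total:
        failures.append("reasonableness:tax")
    return failures


def _txn(**overrides):
    """A clean constructed transaction, with individual fields overridden to create exceptions."""
    base = {"customer": "C00417", "ref": "INV-0077828",
            "net": "1000.00", "tax": "120.00", "total": "1120.00"}
    base.update(overrides)
    return base


# Auditor's test deck: one clean record and one record per check that should be rejected.
TEST_DECK = {
    "clean": _txn(),
    "gap": _txn(customer=""),
    "bad_character": _txn(ref="INV-00778Z8"),
    "transposed_digits": _txn(ref="INV-0077288"),      # 82 keyed as 28; check digit now wrong
    "unknown_customer": _txn(customer="C09999"),
    "over_limit": _txn(net="53571.43", tax="6428.57", total="60000.00"),
    "tax_unreasonable": _txn(tax="100.00", total="1100.00"),
    "amount_format": _txn(net="1,000.00"),
}


def run_test_deck():
    """Process every test transaction and return the checks each one failed."""
    return {name: edit_checks(txn) for name, txn in TEST_DECK.items()}


if __name__ == "__main__":
    for name, failed in run_test_deck().items():
        print(f"{name:18s} {'accepted' if not failed else 'rejected: ' + ', '.join(failed)}")
```

Reading the result the way an auditor would: the clean record must be accepted and every other record must be rejected for the one reason it was constructed to trigger. A transaction that is accepted despite its seeded error, or rejected for the wrong reason, is a control exception to record; a rejected record must also feed the resubmission procedure listed under completeness controls, otherwise accurate input is bought at the cost of completeness.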