Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Consideration of Internal Control

No description
by

Miko Lazaro

on 14 January 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Consideration of Internal Control

Consideration of Internal Control
Introduction
Once the auditor has set the desired level of audit risk and assessed the appropriate level of inherent risk, the next step is to assess the level of control risk



Idea 2
Idea 3
Idea 4
Conclusion
Operating effectiveness vs. Implementation
When obtaining audit evidence of implementation by performing risk assessment procedure, the auditor determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively.

Using the results of tests of controls
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as intended. The conclusion reached as a result of this evaluation is called the assessed level of control risk. If the combined assessed level of inherent and control risk is high, detection risk needs to be low to reduce audit risk to an acceptably low level.

Timing of tests of controls
Auditors usually perform tests of controls during an interim visit in advance of period end. However, auditors cannot rely on the results of such tests without considering the need to obtain further evidence relating to the remainder of the period.
In determining whether or not to test the remaining period, the following factors must be considered:
The results of the interim tests.
The length of the remaining period.
Whether changes have occurred in the accounting and internal control systems during the remaining period.

Nature of tests control
Tests of controls generally consist of one (or a combination) of the following evidence gathering techniques
Inquiry
Observation
Inspection
Reperformance

Walk-through test
- This task involves tracing one or two transactions through the entire accounting systems, from their initial recording at source to their final destination as a component of an account balance in the financial statements.
- also confirms the auditor’s understanding of how the accounting systems and control procedures function

Auditors are not responsible for establishing and maintaining an entity’s accounting and internal controls systems: that is the responsibility of the entity’s management.

3. Physical controls
These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.
4. Segregation of duties
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.

The definition embodies four (4) essential concepts:
Internal control is a process
Internal control is effected by those charged with governance, management and other personnel
Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives

Nature of Internal control

In this regard, the auditor may consider modifying
The nature of substantive tests from less effective to more effective procedures
The timing of substantive tests by performing them at year-end rather than at interim
The extent of substantive tests from smaller to larger sample size.

Extent of tests of control
The auditor can not possibly examine all transactions related to certain control procedures. In an audit, the auditor should determine the size of a sample sufficient to support the assessed level of control risk.


Consequently, obtaining understanding of the entity’s internal control system and assessing control risks are often done simultaneously.

Reperformance
- involves repeating the activity performed by the client to determine whether proper results were obtained. For example, the auditor may reperform the procedure by tracing the sales prices to authorized price list in effect at the date of the transaction. If no errors are found, the auditor can conclude that the procedure is operating as intended.

Inquiry
- consists of searching for the appropriate information about the effectiveness of internal control from knowledgeable persons inside or outside the entity.
Observation
- refers to looking at the process being performed by others. For example, the auditor may observe the payroll payoff procedures or the performance of internal control procedures that leave no evidence of performance.
Inspection
- involves the examination of documents and records to provide evidence of reliability depending on their nature and source and the effectiveness of internal control over their processing

According to PSA 400, the auditor should obtain audit evidence through tests of control to support any assessment of control risk at less than high level. The lower the assessment of control risk, the more support the auditor should obtain that the internal control is suitably designed and operating effectively.

Tests of controls are performed to obtain evidence about the effectiveness of the
Design of the accounting and internal control systems; or
Operation of the internal controls throughout the period
It is important to note that the auditor will only tests the operating effectiveness of controls that are likely to detect or prevent material misstatements

Performing Tests of Controls

If the auditor concludes that it is more efficient to rely on the entity’s internal control systems, the auditor would plan to assess control risk at less than high level.
For this purpose, the auditor should
Identify specific internal control policies or procedures that are likely to prevent or detect and correct material misstatement relevant to financial statement assertion; and
Perform tests of control to determine the effectiveness of such policies or procedures.

It is to be emphasized that the auditor is not required to obtain knowledge about the operating effectiveness of the internal control when obtaining an understanding of the entity’s internal control system.
The auditor uses the understanding of internal control to
Identify types of potential misstatements that can occur.
Consider factors that affect the risk of material misstatements.
Design the nature, timing and extent audit procedures to be performed.

An initial understanding of the design of the entity’s internal control systems is ordinarily obtained by
Making inquiries of appropriate individuals;
Inspecting documents and records; and
Observing of entity’s activities and operations.

Consideration of the entity’s internal control systems involves the following steps:
Obtain understanding of the internal control
Document the understanding of accounting and internal control systems.
Assess the level of control risk
Perform tests of controls
Document the assessed level of control risks

Consideration of Internal Control

In small business, with very few office employees, it is difficult to have proper segregation of duties or maintain a separate internal audit department. Consequently, internal control systems in small business tend to be weak compared to the internal control systems of larger entities. These weaknesses, however, can be compensated if the owner/ manager actively participates in the operations of the business.

Internal Control for a small business

Performance Reviews
These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data to one another, together with analyses of the relationships and investigative and corrective actions.
2. Information processing
A variety of controls are performed to check accuracy, completeness, and authorization of transactions. When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.

Control activities are the policies and procedures that help ensure that management directives are carried out.
Specific control procedures that are relevant to financial statement audit would include:
Performance Reviews
Information Processing
Physical Controls
Segregation of duties

Control Activities

Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
Present properly the transactions and related disclosures in the financial statements
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Open communication channels help ensure that exceptions are reported and acted on.

An information system encompasses methods and records that:
Identify and record all valid transactions.
Describe in a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.

Information and Communication Systems

Factors reflected in the control environment include:
Integrity and ethical values
Management philosophy and operating style
Active participation of those charged with governance
Commitment competence
Personnel policies and procedures
Assignment of responsibility and authority/ Organizational structure


Control Environment
Risk Assessment
Information and communication systems
Control Activities
Monitoring

Five Components of Internal Control

Components of internal control

4. Internal control is designed to help achieve the entity’s objectives.
Internal control is geared towards the achievement of the entity’s objectives in the following categories:
Effectiveness and efficiency of operations.
Compliance with laws and regulations
Reliability of financial reporting

The possibility of circumvention of internal controls through the collusion among employees.
The possibility of management overriding the internal control.
The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may detoriorate.

According to PSA 315
“Internal control is the process designed and effected by those charged with governance, management, and personnel to provide reasonable assurance about the achievement of the entity’s objective with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

Assessing control risk is the process of evaluating the design and operating effectiveness of an entity’s internal control as to how it prevents or detects material misstatements in the financial statement
The conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk

Once the auditor has set the desired level of audit risk and assessed the appropriate level of inherent risk, the next step is to assess the level of control risk



Introduction

Miko Jahred Lazaro
Criosdan Angelo Melgar

Consideration of Internal Control

This communication would ordinarily be in writing and should be done at the earliest opportunity so that appropriate corrective actions may be taken as soon as possible.
Oral communications could also be made provided theses are adequately documented in the audit working papers.
It is to be emphasized that auditors are not required to search for and/or identify control weaknesses.
Theses internal control weaknesses together with other matters of concern are documented in a formal Management Letter.

Communication of Internal Control Weaknesses

If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level
If control risk is assessed at less than high level, the auditor should document his conclusion that control risk is less than high and the basis for that assessment
Hence, the auditor can not assess control risk at less than high level without performing tests of control.

Documenting the assessed level of control risk

When the auditor’s knowledge of the entity’s internal control indicates that internal controls related to a particular assertion are not effective, the auditor may simply assess control risk at a high level. Hence no tests of controls need to be performed and the auditor will rely primarily on substantive tests.

Assessment of Control Risk

This documentation need not be in any particular form. The extent of documentation may vary depending on the size and complexity of the entity and nature of the entity’s internal control systems
Some commonly used forms of documentation include:
Narrative description of the entity’s internal control;
Flowchart that diagrams the flow of transactions and documents; and
Internal control questionnaire providing management’s responses to question about internal control.

Documenting the auditor’s understanding of internal control

Obtaining an understanding of internal control involves
Evaluating the design of a control; and
Determining whether it has been implemented.


Understanding Internal Control

Monitoring is a process of assessing the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effecrively.

Monitoring

Entity’s business objectives can not be achieved without some risks. Business risk is the risk that the entity’s business objectives will not be attained as a result of internal and external factors such as technological developments, changes in customers demand and other economic changes.

Risk Assessment

The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for the effective internal control, providing discipline and structure.

Control Environment

Management’s usual requirement that the cost of an internal control should not exceed the expected benefits to be derived.
Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions

These limitations include:

Large entities






Mc Donald’s







Jollibee
Small entities







Khaleb Shawarma






Zagu


Reperformance
- involves repeating the activity performed by the client to determine whether proper results were obtained. For example, the auditor may reperform the procedure by tracing the sales prices to authorized price list in effect at the date of the transaction. If no errors are found, the auditor can conclude that the procedure is operating as intended.

Nature of tests control
Tests of controls generally consist of one (or a combination) of the following evidence gathering techniques
Inquiry
Observation
Inspection
Reperformance

Consideration of the entity’s internal control systems involves the following steps:
Obtain understanding of the internal control
Document the understanding of accounting and internal control systems.
Assess the level of control risk
Perform tests of controls
Document the assessed level of control risks

Auditors are not responsible for establishing and maintaining an entity’s accounting and internal controls systems: that is the responsibility of the entity’s management.

Consideration of Internal Control

In small business, with very few office employees, it is difficult to have proper segregation of duties or maintain a separate internal audit department. Consequently, internal control systems in small business tend to be weak compared to the internal control systems of larger entities. These weaknesses, however, can be compensated if the owner/ manager actively participates in the operations of the business.

Factors reflected in the control environment include:
Integrity and ethical values
Management philosophy and operating style
Active participation of those charged with governance
Commitment competence
Personnel policies and procedures
Assignment of responsibility and authority/ Organizational structure


Components of internal control

The definition embodies four (4) essential concepts:
Internal control is a process
Internal control is effected by those charged with governance, management and other personnel
Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives

According to PSA 315
“Internal control is the process designed and effected by those charged with governance, management, and personnel to provide reasonable assurance about the achievement of the entity’s objective with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

Nature of Internal control

Once the auditor has set the desired level of audit risk and assessed the appropriate level of inherent risk, the next step is to assess the level of control risk



Operating effectiveness vs. Implementation
When obtaining audit evidence of implementation by performing risk assessment procedure, the auditor determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively.

In this regard, the auditor may consider modifying
The nature of substantive tests from less effective to more effective procedures
The timing of substantive tests by performing them at year-end rather than at interim
The extent of substantive tests from smaller to larger sample size.

Using the results of tests of controls
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as intended. The conclusion reached as a result of this evaluation is called the assessed level of control risk. If the combined assessed level of inherent and control risk is high, detection risk needs to be low to reduce audit risk to an acceptably low level.

Extent of tests of control
The auditor can not possibly examine all transactions related to certain control procedures. In an audit, the auditor should determine the size of a sample sufficient to support the assessed level of control risk.


Timing of tests of controls
Auditors usually perform tests of controls during an interim visit in advance of period end. However, auditors cannot rely on the results of such tests without considering the need to obtain further evidence relating to the remainder of the period.
In determining whether or not to test the remaining period, the following factors must be considered:
The results of the interim tests.
The length of the remaining period.
Whether changes have occurred in the accounting and internal control systems during the remaining period.

Consequently, obtaining understanding of the entity’s internal control system and assessing control risks are often done simultaneously.

Inquiry
- consists of searching for the appropriate information about the effectiveness of internal control from knowledgeable persons inside or outside the entity.
Observation
- refers to looking at the process being performed by others. For example, the auditor may observe the payroll payoff procedures or the performance of internal control procedures that leave no evidence of performance.
Inspection
- involves the examination of documents and records to provide evidence of reliability depending on their nature and source and the effectiveness of internal control over their processing

According to PSA 400, the auditor should obtain audit evidence through tests of control to support any assessment of control risk at less than high level. The lower the assessment of control risk, the more support the auditor should obtain that the internal control is suitably designed and operating effectively.

If the auditor concludes that it is more efficient to rely on the entity’s internal control systems, the auditor would plan to assess control risk at less than high level.
For this purpose, the auditor should
Identify specific internal control policies or procedures that are likely to prevent or detect and correct material misstatement relevant to financial statement assertion; and
Perform tests of control to determine the effectiveness of such policies or procedures.

This documentation need not be in any particular form. The extent of documentation may vary depending on the size and complexity of the entity and nature of the entity’s internal control systems
Some commonly used forms of documentation include:
Narrative description of the entity’s internal control;
Flowchart that diagrams the flow of transactions and documents; and
Internal control questionnaire providing management’s responses to question about internal control.

Documenting the auditor’s understanding of internal control

It is to be emphasized that the auditor is not required to obtain knowledge about the operating effectiveness of the internal control when obtaining an understanding of the entity’s internal control system.
The auditor uses the understanding of internal control to
Identify types of potential misstatements that can occur.
Consider factors that affect the risk of material misstatements.
Design the nature, timing and extent audit procedures to be performed.

Walk-through test
- This task involves tracing one or two transactions through the entire accounting systems, from their initial recording at source to their final destination as a component of an account balance in the financial statements.
- also confirms the auditor’s understanding of how the accounting systems and control procedures function

An initial understanding of the design of the entity’s internal control systems is ordinarily obtained by
Making inquiries of appropriate individuals;
Inspecting documents and records; and
Observing of entity’s activities and operations.

Internal Control for a small business

Monitoring is a process of assessing the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effecrively.

Monitoring

3. Physical controls
These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records.
4. Segregation of duties
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.

Performance Reviews
These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data to one another, together with analyses of the relationships and investigative and corrective actions.
2. Information processing
A variety of controls are performed to check accuracy, completeness, and authorization of transactions. When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.

Control activities are the policies and procedures that help ensure that management directives are carried out.
Specific control procedures that are relevant to financial statement audit would include:
Performance Reviews
Information Processing
Physical Controls
Segregation of duties

Control Activities

Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
Present properly the transactions and related disclosures in the financial statements
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Open communication channels help ensure that exceptions are reported and acted on.

Control Environment
Risk Assessment
Information and communication systems
Control Activities
Monitoring

Five Components of Internal Control

4. Internal control is designed to help achieve the entity’s objectives.
Internal control is geared towards the achievement of the entity’s objectives in the following categories:
Effectiveness and efficiency of operations.
Compliance with laws and regulations
Reliability of financial reporting

The possibility of circumvention of internal controls through the collusion among employees.
The possibility of management overriding the internal control.
The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may detoriorate.

Assessing control risk is the process of evaluating the design and operating effectiveness of an entity’s internal control as to how it prevents or detects material misstatements in the financial statement
The conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk

Introduction

This communication would ordinarily be in writing and should be done at the earliest opportunity so that appropriate corrective actions may be taken as soon as possible.
Oral communications could also be made provided theses are adequately documented in the audit working papers.
It is to be emphasized that auditors are not required to search for and/or identify control weaknesses.
Theses internal control weaknesses together with other matters of concern are documented in a formal Management Letter.

Communication of Internal Control Weaknesses

If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level
If control risk is assessed at less than high level, the auditor should document his conclusion that control risk is less than high and the basis for that assessment
Hence, the auditor can not assess control risk at less than high level without performing tests of control.

Documenting the assessed level of control risk

Tests of controls are performed to obtain evidence about the effectiveness of the
Design of the accounting and internal control systems; or
Operation of the internal controls throughout the period
It is important to note that the auditor will only tests the operating effectiveness of controls that are likely to detect or prevent material misstatements

Performing Tests of Controls

When the auditor’s knowledge of the entity’s internal control indicates that internal controls related to a particular assertion are not effective, the auditor may simply assess control risk at a high level. Hence no tests of controls need to be performed and the auditor will rely primarily on substantive tests.

Assessment of Control Risk

Obtaining an understanding of internal control involves
Evaluating the design of a control; and
Determining whether it has been implemented.


Understanding Internal Control

An information system encompasses methods and records that:
Identify and record all valid transactions.
Describe in a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.

Information and Communication Systems

Entity’s business objectives can not be achieved without some risks. Business risk is the risk that the entity’s business objectives will not be attained as a result of internal and external factors such as technological developments, changes in customers demand and other economic changes.

Risk Assessment

The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for the effective internal control, providing discipline and structure.

Control Environment

Management’s usual requirement that the cost of an internal control should not exceed the expected benefits to be derived.
Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions

These limitations include:

Miko Jahred Lazaro
Criosdan Angelo Melgar

Consideration of Internal Control

Large entities






Mc Donald’s







Jollibee
Small entities







Khaleb Shawarma






Zagu

Full transcript