Internal Control: ISA 315

Contents
The importance of internal control The elements of internal control Limitations of internal control systems Recording internal control systems Evaluation of controls and audit risk assessment

The importance of internal control

The meaning of internal control How the auditor uses internal controls Summary of the audit approach: tests of controls or substantive tests

The meaning of internal control

Defined as the process designed, put in place and maintained to provide assurance of a reasonable level regarding the achievement of the objectives of an entity These objectives relate to the reliability of the financial reports, the efficiency and effectiveness of operations and adherence to relevant and applicable laws and regulations

Points to be noted from the definition

It is the responsibility of management to design and put in place a suitable system of internal controls. Internal controls are designed to deal with financial risks, operational risks and compliance risks.

Points to be noted from the definition

Since internal controls are established by management, the auditor has to accept what controls there are. However, he can assess and evaluate the controls, and will plan his audit on the basis of his assessment.

How the auditor uses internal controls

Under the systems based audit approach, the auditor relies on the accounting systems and the related controls to ensure that transactions are properly recorded The auditor assumes that if the systems and the internal controls are adequate, the transactions should be processed correctly.

How the auditor uses internal controls

Before the auditor can rely on the systems and controls that are in place, he must establish what those systems and controls are, and carry out an evaluation of the effectiveness of the controls.

How the auditor uses internal controls

The degree of effectiveness of an internal control system will depend on the following two factors:
1. The design of the internal control system and the individual internal controls.
Is the control system able to prevent material misstatements, or is it able to detect and correct material misstatements if they occur?

How the auditor uses internal controls

1. The proper implementation of the controls.
Are the controls operated properly by the clients management and other employees?

Summary of the audit approach: tests of controls or substantive tests?

Turnbull Report comments that: A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgment in decisionmaking; human error; processes being deliberately circumvented by employees and others; management overriding controls; and the occurrence of unforseeable circumstances.

Summary of the audit approach: tests of controls or substantive tests?

The auditor must therefore: Test the underlying internal control systems themselves, using tests of controls, And in addition, perform some tests on the transactions and balances in the financial statements.

Planning and risk assessment Assessment of Internal controls as weak Assessment of internal controls as strong Tests of controls Extensive Substantive testing

Reduced substantive testing

Overall review of Financial statements Issue audit report

The elements of internal control

Internal control systems and internal controls The five elements of internal control system The control environment The entitys risk assessment process

The elements of internal control

The information system Control activities Monitoring of controls Understanding the control system; walk-through tests

Distinction between an internal control system and internal controls

An internal control system encompasses the policies, processes, tasks, behaviors and other aspects of a company that, taken together:
Facilitates its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, financial, compliance and other risks to achieving the companies objectives. This includes the safeguarding of assets from

Distinction between an internal control system and internal controls

Inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed; Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization.

Distinction between an internal control system and internal controls

Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business. Internal controls are a part of the internal control system, but the internal control system is more than just the internal controls.

The five elements of internal control systems

1. The control environment 2. The entitys risk assessment process 3. The information system 4. Control activities (internal controls) 5. Monitoring of controls

The five elements of internal control systems

ISA 315 requires the auditor to: Gain an understanding of each of these elements as part of his evaluation of the control systems operating within an entity Document the relevant features of the control systems together with his evaluation of their effectiveness.

The five elements of internal control systems

Once understanding has been gained, the auditor should confirm that his understanding is correct by performing walk-through tests on each major transactions type (for example, revenue, purchases, payroll)

The five elements of internal control systems

Walk-through testing involves the auditor selecting a small sample of transactions and following them through the various stages in their processing in order to establish whether his understanding of the process is correct.

1. The control environment

Often referred to as the general attitude to internal control of management and employees in the organization. Includes the views, awareness and actions of management regarding an entitys internal control. Includes the governance and functions of management and asserts the premise of an organization. The basis for good internal control, providing guidance and structure.

1. The control environment

Includes the following elements
Communication and enforcement of integrity and ethical values Commitment to competence Participation of management Managements philosophy and operating style Organizational structure

1. The control environment

Assignment of authority and responsibility Human resource policies and practices

Strong internal control environment

high level of commitment to establishing and operating appropriate controls cannot guarantee that controls are operating effectively Without it, the control system as a whole is likely to be weak.

2. The entitys risk assessment process

Significant business risks are any events or omissions that may prevent the entity from achieving its objectives. Identifying means recognizing the existence Assessing means deciding whether they are significant Managing means developing and implementing controls and other measures to deal with them

2. The entitys risk assessment process

The quality of the risk assessment and management process within the client company can be used by the auditor to assess the overall level of an audit risk. If the management has no such process in place, the auditor will need to do more work on this aspect of the audit planning.

3. The information system

Consist of:
Infrastructure (physical and hardware components) Software People Procedures Data

4. Control activities
Policies and procedures, other than the control environment, used to ensure that the entitys objectives are achieved. Application of internal controls Specific procedures designed to:
Prevent errors that may arise in processing information, or Detect and correct errors that may arise in processing information

4. Control activities
Categories of control activities Performance reviews
actual performance vs budgets, forecast and prior period performance supervision made by management of the work of subordinates Managements review of performance and control reporting Variance analysis

4. Control activities
Information processing (used to check the accuracy, completeness and authorization of transactions)
Application controls
Apply to processing of individual applications Ensure that transactions occurred, are authorized and are completely and accurately recorded and processed.

General IT controls
Relate to many applications (revenue, purchases) Support the effective functioning of application controls

4. Control activities
Physical controls
Refer to controls over the physical security of assets and records to prevent unauthorized use, theft or damage Example: limiting access to inventory areas to a restricted number of authorized personnel

4. Control activities
Segregation of duties
Assigning different people the responsibilities of authorizing, and recording transactions and maintaining the custody of assets

Limitations of internal control systems

Reasons why internal controls may be ineffective
Human error may result in incomplete or inaccurate processing which may not be detected by control systems. It may not be cost-effective to establish certain types of controls within an organization.

Limitations of internal control systems

Reasons why internal controls may be ineffective
Controls may be in place, but they may be ignores or overridden by employees or management. Collusion may mean that segregation of duties is ineffective.

Limitations of internal control systems

Problems for small entities
Control activities found in large company may be inappropriate for a small entity because they are too costly or impractical (ex. Segregation of duties) Control systems are based on high level of involvement by the directors or owners

Limitations of internal control systems

Problems for small entities
It is likely that a lower level of reliance will be placed on controls in smaller entity, and that a large amount of substantive testing will therefore be required.