Chapter 15

Basic Concepts
of Internal
Control
PSA 315 (Redrafted), “Identifying and Assessing the Risks
of Material Misstatements Through Understanding the
Entity and Its Environment”
establishes standards and provides guidance in obtaining an
understanding of the accounting and internal controls system and on
audit risk and its components: inherent risk, control risk, and
detection risk.

INTERNAL CONTROL is the process designed and effected by those charged

with governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations and
compliance with applicable laws and regulations.

INTERNAL CONTROL SYSTEM means all policies and procedures (internal

controls) adopted by the management of an entity to assist in achieving
management’s objective of ensuring, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and
error, the accuracy and completeness of the accounting records, and the
timely preparation of reliable financial information.
 Elements/Components of Internal Control
a. the control environment
-the overall attitude, awareness and actions of directors and management regarding
the internal control system and its importance in the entity.

b. the entity’s risk assessment process

Risk assessment is the “identification, analysis, and management of risks pertaining
to the preparation of FS.”

c. the information system, including the related business processes, relevant

to financial reporting, and communication
An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent,
or have less significance, in systems that are exclusively or primarily manual.

d. control activities
-policies and procedures that help ensure that management directives are carried out,
for example, that necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives.

e. monitoring of controls
Monitoring, the final component of internal control, is the process that an entity uses
to assess the quality of internal control over time. It involves assessing the design and
operation of controls on a timely basis and taking corrective action as necessary.
 A. Control Environment
FACTORS THAT COMPRISE THE CONTROL ENVIRONMENT

1. Communication and Enforcement of Integrity and Ethical Values

2. Commitment to Competence

3. Participation by those charged with governance

4. Management’s Philosophy and Operating Cycle

5. Organizational Structure

6. Assignment of Authority and Responsibility

7. Human Resources Policies and Procedures

 B. Entity’s Risk Assessment Process
CIRCUMSTANCES WHEREIN RISK CAN ARISE OR CHANGE:

Changes in operating environment Expanded foreign operations

New personnel New accounting pronouncements

New or revamped information system Considerations Specific to Smaller

Entities
Many small entities are carried out
Rapid growth entirely by the engagement by the
engagement partner (who may be
New technology a sole practitioner). In such situations,
it is the engagement partner who,
New business models, products, or having personally conducted the
activities planning of the audit, would be
responsible for considering the
Corporate restructurings susceptibility of the entity’s FS to
material misstatement due to fraud or
error.
 C. Information System, including the Business
Processes, Relevant to Financial Reporting and
Communication
AN INFORMATION SYSTEM ENCOMPASSES METHODS AND RECORDS THAT:

Identify and record all valid transactions.

Describe on a timely basis the transactions in sufficient detail to permit proper

classification of transactions for financial reporting.

Measure the value of transactions in a manner that permits recording their proper
monetary value in the FS.

Determine the time period in which transactions occurred to permit recording of

Transactions in the proper accounting period.

Present properly the transactions and related disclosures in the FS.

 D. Control Activities
CATEGORIES OF CONTROL PROCEDURES
A. Performance Review
Management uses accounting and operating data to assess performance, and it
then takes corrective action.

B. Information Processing Controls

Information processing controls are policies and procedures designed to require
authorization of transactions and to ensure the accuracy and completeness of
transaction processing.
General controls are control activities that prevent or detect errors or irregularities
for all accounting systems.
Group of control activities:
1. Proper authorization of transactions and activities.
2. Segregation of duties
3. Adequate documents and records
4. Access to assets
5. Independent checks and performance

C. Physical Controls
Controls that encompass the physical security of assets, authorization for access
to computer programs and data files, and periodic counting and comparison with
amounts shown on control records.
 E. Monitoring of Controls
Monitoring activities may include using information
from communications from external parties that
may indicate problems are highlight areas in
need of improvement. Customers implicitly
corroborate billing data by paying their invoices
or complaining about their charges. In addition,
regulators may communicate with the entity
concerning matters that affect the functioning of
internal control, for example, communications
concerning examinations by bank regulatory
agencies.
 Limitations of Internal Accounting Control
1. Errors by personnel

2. Collusion

3. Management override

4. Present conditions are not guaranteed in the future

5. Cost-benefit relationship

6. Most internal controls tend to be directed at routine

transactions rather than non-routine transactions