Evaluating Internal Control Over Financial Reporting
Examiner’s comments
Internal control questions typically require internal control deficiencies to be identified (½ marks each),
explained (½ marks each), a relevant recommendation to address the control (1 mark), and, often a
test of control the external auditor would perform to assess whether each of these controls, if
implemented, is operating correctly (1 mark).
Internal control questions may also require a covering letter to management to accompany the list of
deficiencies and recommendations.
Occasionally, as in September 2015, candidates may be asked to identify internal control strengths as
well as deficiencies.
Auditors’ Responsibilities Related to Systems of Internal Controls
Decide Extent
Understand Document Test Report of Substantive
Tests
Internal controls: Internal control represents the system or policies and procedures implemented by an
organization.
Internal control over financial reporting: The process designedimplemented maintained by TCWG
to provide reasonable assurance about the reliability of financial reporting, effectiveness of operations
and compliance with laws and regulations.
Why does an auditor need to understand internal controls?
Internal controls assure management of the accuracy of the financial statements, that the operations of
the entity are conducted efficiently and that the entity has complied with all the laws and regulations
which are applicable to the entity.
The objectives of internal controls relevant to audit include:
1. Avoidance of fraud, errors, wastes and inefficiency
2. Maximum accuracy of all records, data and statements
3. Enables auditors to determine the degree of reliance they can place on the various systems. This will
enable the auditors to assess the correctness, truth and fairness of the financial statements.
4. Informing management about weaknesses detected in internal controls so that corrective action can
be taken.
Page | 63
,5. Enabling planning of the audit
6. Understanding the components of internal control: While planning the audit, the auditor
understands the various components of the internal control so as to:
o identify the types of potential misstatements.
o consider the factors that affect the risk of misstatement.
o design effective substantive tests.
Components of internal control over financial reporting
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity
and Its Environment considers the components of an entity’s internal control. It identifies the following
components:
1. Control environment
2. Entity’s risk assessment process
3. Information system and communication
4. Control activities
5. Monitoring of controls
Control Environment
Components of System of
Indirect Controls-Auditor needs to
understand these as they affect the
Internal Control
Risk Assessment risk of material misstatement at the
financial statement level
Monitoring Controls
Control Acvitities Direct Controls-Auditor needs to
understand these as they affect risk of
Information Systems material misstatement at assertion
and Communication level.
Page | 64
, NOTE: this table has been covered before in planning. Make sure you read this carefully for the exam!
Understand client’s Control The control environment sets the tone of an organisation, influencing
Environment-INDIRECT the control consciousness of its people. It includes the attitudes,
CONTROL awareness, and actions of TCWG concerning the entity’s internal
control and its importance in the entity.
The control environment has many elements such as:
1. Maintaining the entity’s culture and demonstrating commitment to
integrity and ethical values- This includes how ethical and
behavioral standards are communicated (e.g., through policy
statements), and how they are reinforced in practice (e.g., through
management actions to eliminate or mitigate incentives or
temptations that might prompt personnel to engage in dishonest,
illegal, or unethical acts
2. Independence of TCWG and oversight of the entity’s system of
internal control-This will include an assessment of whether TCWG
has independent members and whether they ensure that they
supervise management in their responsibilities for designing,
implementing and conducting the system of internal controls
3. Assignment of authority and responsibility-this includes reporting
lines, resources provided for duties and ensuring all individuals
understand entity’s operations.
4. Attracting, developing and retaining competent individuals- this
includes the standards for recruiting most qualified individuals,
training policies and periodic performance appraisals
5. Accountability of individuals-this involves establishing performance
measures, how individuals are disciplined and communicated with
and whether performance measures pressurize individuals for
achievement.
Understand client’s Risk Auditor needs to understand the management’s process to identify and
Assessment Process- assess risks in financial reporting. Auditor also needs to understand
INDIRECT CONTROL actions taken by the management to address these risks. The auditor
will then evaluate whether there are deficiencies in the client’s risk
assessment process.
Understand client’s Auditor will understand how internal controls over financial reporting
Monitoring process monitored (including whether there is an effective internal audit
INDIRECT CONTROL department)
Understand client’s Auditor will understand the process by which transactions and events
Information systems are initiated, recorded, processed, corrected, transferred to general
relevant to financial ledger and reported in the financial statements.
reporting
Page | 65
Examiner’s comments
Internal control questions typically require internal control deficiencies to be identified (½ marks each),
explained (½ marks each), a relevant recommendation to address the control (1 mark), and, often a
test of control the external auditor would perform to assess whether each of these controls, if
implemented, is operating correctly (1 mark).
Internal control questions may also require a covering letter to management to accompany the list of
deficiencies and recommendations.
Occasionally, as in September 2015, candidates may be asked to identify internal control strengths as
well as deficiencies.
Auditors’ Responsibilities Related to Systems of Internal Controls
Decide Extent
Understand Document Test Report of Substantive
Tests
Internal controls: Internal control represents the system or policies and procedures implemented by an
organization.
Internal control over financial reporting: The process designedimplemented maintained by TCWG
to provide reasonable assurance about the reliability of financial reporting, effectiveness of operations
and compliance with laws and regulations.
Why does an auditor need to understand internal controls?
Internal controls assure management of the accuracy of the financial statements, that the operations of
the entity are conducted efficiently and that the entity has complied with all the laws and regulations
which are applicable to the entity.
The objectives of internal controls relevant to audit include:
1. Avoidance of fraud, errors, wastes and inefficiency
2. Maximum accuracy of all records, data and statements
3. Enables auditors to determine the degree of reliance they can place on the various systems. This will
enable the auditors to assess the correctness, truth and fairness of the financial statements.
4. Informing management about weaknesses detected in internal controls so that corrective action can
be taken.
Page | 63
,5. Enabling planning of the audit
6. Understanding the components of internal control: While planning the audit, the auditor
understands the various components of the internal control so as to:
o identify the types of potential misstatements.
o consider the factors that affect the risk of misstatement.
o design effective substantive tests.
Components of internal control over financial reporting
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity
and Its Environment considers the components of an entity’s internal control. It identifies the following
components:
1. Control environment
2. Entity’s risk assessment process
3. Information system and communication
4. Control activities
5. Monitoring of controls
Control Environment
Components of System of
Indirect Controls-Auditor needs to
understand these as they affect the
Internal Control
Risk Assessment risk of material misstatement at the
financial statement level
Monitoring Controls
Control Acvitities Direct Controls-Auditor needs to
understand these as they affect risk of
Information Systems material misstatement at assertion
and Communication level.
Page | 64
, NOTE: this table has been covered before in planning. Make sure you read this carefully for the exam!
Understand client’s Control The control environment sets the tone of an organisation, influencing
Environment-INDIRECT the control consciousness of its people. It includes the attitudes,
CONTROL awareness, and actions of TCWG concerning the entity’s internal
control and its importance in the entity.
The control environment has many elements such as:
1. Maintaining the entity’s culture and demonstrating commitment to
integrity and ethical values- This includes how ethical and
behavioral standards are communicated (e.g., through policy
statements), and how they are reinforced in practice (e.g., through
management actions to eliminate or mitigate incentives or
temptations that might prompt personnel to engage in dishonest,
illegal, or unethical acts
2. Independence of TCWG and oversight of the entity’s system of
internal control-This will include an assessment of whether TCWG
has independent members and whether they ensure that they
supervise management in their responsibilities for designing,
implementing and conducting the system of internal controls
3. Assignment of authority and responsibility-this includes reporting
lines, resources provided for duties and ensuring all individuals
understand entity’s operations.
4. Attracting, developing and retaining competent individuals- this
includes the standards for recruiting most qualified individuals,
training policies and periodic performance appraisals
5. Accountability of individuals-this involves establishing performance
measures, how individuals are disciplined and communicated with
and whether performance measures pressurize individuals for
achievement.
Understand client’s Risk Auditor needs to understand the management’s process to identify and
Assessment Process- assess risks in financial reporting. Auditor also needs to understand
INDIRECT CONTROL actions taken by the management to address these risks. The auditor
will then evaluate whether there are deficiencies in the client’s risk
assessment process.
Understand client’s Auditor will understand how internal controls over financial reporting
Monitoring process monitored (including whether there is an effective internal audit
INDIRECT CONTROL department)
Understand client’s Auditor will understand the process by which transactions and events
Information systems are initiated, recorded, processed, corrected, transferred to general
relevant to financial ledger and reported in the financial statements.
reporting
Page | 65
