Study and evaluation of Internal Control 3 Classifications of objectives:

Objective of the auditor: 1.Financial Reporting and Reliability

1. To be able to identify potential misstatements 2.Compliance with laws, rules and regulations

2. To be able to determine factors that affect the risk of significant 3.Effectiveness and efficiency of operations
misstatement Internal Control System:
3. To be able to determine the nature, timing, and extent of audit -policies and procedures adopted by management
procedures
Examples: (SOAPAT)
Reminder: internal control structure of the client is always subject to
study, but it is not always subject to evaluation. You only do test of 1- safeguarding of assets
controls when the preliminary assessment of risk is set at LESS THAN
2- orderly and efficient conduct of business
HIGH and you plan on adopting RELIANCE APPROACH, otherwise,
no need. 3- adherence to mgmt. policy

Definition of Internal Control: 4- prevention and detection of fraud

As defined by PSA 315 & COSO ( COSO – private organization of 5- accuracy and completeness of records
concerned citizen) 6- timely preparation of accounting information
- It is rocess effected and designed by those charged with
Components of IC – C.R.I.M.E.
governance and the management in order to provide reasonable
assurance of achieving the entity’s objective. Reasonable  Control activities
assurance lang ma-achieve because of inherent limitations  Risk Assessment Process
[Inherent limitations - POCHCR  Information System and Related business process
 Monitoring of controls
1. possibility that the procedure is inadequate due to changes in  Environment (most important!)
circumstances
*control environment is the MOST IMPORTANT because it sets the
2. override by management of the internal control overall tone of the organization in order to give a preliminary
3. collusion assessment of the control risk

4. human error
5. cost benefit
6. routine transaction ]
CONTROL ENVIRONMENT
Factors that make up the Control Environment– C.H.A.M.P.O.I.

- Commitment to competence - Participation by BOD

-> Competence-knowledge and skills; look at the client, are the -> minimum requirement: INDEPENDENT and UPDATED
positions in HR, is there a job description? Is there a matching between
Independent- immediate frontliners of the corporation. (ex. Case in
the knowledge and skills and the need to perform the job and the job
corporation law, Gokongwei was the BOD of Asia Brewery, wanted to
requirement; seminars, trainings to make sure employees are up-to-
be BOD in San Mig also, San Mig created a bylaw that no person who
date to the accounting standards
has a shares of stock in a competitor should be allowed to be a BOD, is
- HR Policies and Practices that valid? YES.)

-> before hiring, company should do background check, NBI Updated- always attend meetings, have access o sufficient and timely
clearance, policies on hiring, training, promotion and compensation, info, whenever there are crises, problems, they must investigate
policies when it comes to employee retention and promotion. The violators
higher the employee turnover of a particular entity, the higher the
- Organizational Structure
assessment of control risk
-> ask for the flowchart of the entity, key personnel chart to check
-Assignment of Duties and Responsibilities
appropriate positions are not given to one person (ex- internal auditor
-> functions that are supposed to be segregated: reporting directly to management, it defeats the purpose of being
C.A.R.E. - Custody, Authorization, Recording, Execution internal auditor.)

- Management Philosophy and Operating Style -> look at whether is it appropriate and whether it is adequate; there
must be a definition and understanding of their responsibilities, and the
-> 1- what are the types of business risks accepted by mgmt. higher knowledge and the skills of the managers
business risk accepted, the higher control risk assessment.
2- Frequency of interaction between senior mgmt. and operation - Integrity and Ethical Values (most important)
mgmt. Is there a harmonious or conflicting relationship between them. -> 1- look at how BOD actually sees or values Financial Reporting,
Why so? If their objectives are not aligned, the risk of fraudulent whether or not it complies with a code of conduct as a whole. If not,
financial reporting also increases and likewise increases then the more reason the company will just say those are just financial
assessment of control risk. If senior would set unrealistic target,
statements, it doesn’t have to be exactly the right amount. Control risk
operations mgmt. would manipulate the financial records or the
assessment will go up higher. 2- how do they deal with people, how
amount of sales that is actually reported by the company
they treat employees, are they treated as dispensable items? If yes,
control risk is higher. 3- whether or not the company is in pressure to
meet unrealistic performance target, which increases fraudulent
financial reporting
 how will the mgmt. do that? They will identify. ‘ we are now adopting
oracle instead of SAP’ 2: risk analysis – assess the likelihood what
are the possible setbacks of adopting a new AIS. FS could be misstated
because of the adoption of the new system. 3: risk management – what
are the methods adopted by mgmt. in order to address that particular
RISK ASSESSMENT PROCESS business risk. To avoid the misapplication of the system, t ensure that
-conducted by the client, procedures done by the client to address the people that will be using the system would undergo training,
business risk seminar, man to man system – a literate man or equipped with the
skills in oracle would be on site assisting)
Business risk – risk that the entity will not reach its objective due to
internal and external factors like technology, economic changes, and Ex. Now. Is there a business risk now? Yes, the pandemic. 1:
customer demand. identification – substantial decrease in sales. 2: risk analysis – there
will be substantial operating losses, going concern assumption of the
*Business risk cannot be eliminated to ZERO. entity could be affected. 3:management- how will they increase their
- RAP is the process of identifying and responding to the business risk sales despite the ongoing pandemic
and the results thereof.
INFORMATION SYSTEM and COMMUNICATION
3 stages
Information system – hardware, software, people, procedure, and data.
1) Risk Identification Pertains to Information technology
- “Clean sheet of paper” approach – the client should not roll Purpose:
over the business risk from year 1, year 2, year 3 (ex. Pandemic
Financial Reporting
right now, different business risk in 2020 than 2017 where there
was no pandemic) Stages
2) Risk Analysis 1.Recording
- whether or not the entity can estimate the significance or impact -consist of identifying and capturing economic events and
and assess the likelihood of how that particular risk will affect the transactions
business
2. Processing
3) Risk Management
-calculation and measurement of the items to be presented on the FS
- actions taken by mgmt.. in order to address business risk
3.Reporting
*keyword is CHANGE. Whenever there is change, business risk
arises. (ex. When the entity will adopt new accounting information -preparation of the financial statements
system or whenever there is a new technology. 1: Risk Identification-
*we try to analyze how does the client ensure that all these stages, or
what is the role of their IT when it comes to recording, processing and
reporting of information. Also, to ensure that at the end of the day,
through the use of their IT system, they are able to identify and record
only valid transaction, these reports are available in a timely manner,
and there is proper measurement, proper accounting period, and proper
presentation of the FS. At a minimum, the quality of info that should
be achieved by the information system should be CURRENT,
ACCURATE, ACCESSIBLE, APPROPRIATE and TIMELY.

CONTROL ACTIVITIES – P.I.P.S.

- Implementation aspect of the internal control structure. This pertains
to the policies and procedures that ensure management directives are MONITORING OF CONTROLS
carried out -assess the quality of internal control performance over time
 Performance Reviews Not just having an internal control structure, determine also whether or
- Comparison between the actual performance vs. budgeted not those internal control structures are placed over time
performance. Try to create a relation between financial and
operating data for improvement of operations. Both internal Why?
and external factors are taken into consideration. Reviews Whenever there is change, you have to check whether the control are
functional or activity performance (ex. Variance analysis in still applicable to that particular circumstance.
cost accounting)
 Information Processing
- Controls to check the accuracy completeness of transaction. 2 methods of monitoring
Pertains to the general IT Controls
 Physical Controls 1. Ongoing monitoring– ex. You have periodic cash count,
- Authorization for access whether or not entity has secured inventory count. Continually checked on a periodic basis
facilities (ex. UST – cannot enter bldg. w/o ID; cash account- 2. Separate Evaluation – ex. Internal audit
there should be a deposit box for PCF under lock and key;
inventory items- not lying around in the warehouse)
 Segregation of Duties CARE
- Functions of custody, authorization , recording and execution