Activity Sheet - Module 6
1. Define internal control.
Internal controls are the mechanisms, rules, and procedures implemented by a
company to ensure the integrity of financial and accounting information, promote
accountability, and prevent fraud. Besides complying with laws and regulations and
preventing employees from stealing assets or committing fraud, internal controls can help
improve operational efficiency by improving the accuracy and timeliness of financial
reporting.
2. Internal control provides reasonable assurance. Explain.
Internal controls provide reasonable assurance by performing an audit to obtain
evidence that is sufficient to obtain reasonable assurance about whether material
weaknesses exist as of the date specified in management’s assessment and to give
reliability to financial reporting and the preparation of financial statements for external
purposes.
3. What are the objectives of a system of internal control?
The primary purpose of internal controls is to help safeguard an organization and
further its objectives. Internal controls function to minimize risks and protect assets,
ensure accuracy of records, promote operational efficiency, and encourage adherence to
policies, rules, regulations, and laws.
4. Enumerate, and explain briefly, the components of an internal control.
Control Environment. The control environment is the attitude toward internal control
and control consciousness established and maintained by the management and the
employees of an organization. It is the foundation for all other components of internal
control, providing discipline and structures. The primary responsibility for the prevention
and detection of fraud and error rests with both those charged with governance and the
management of the entity.
Risk Assessment Process. The risk assessment process is the identification and analysis of
relevant risks to achievement of the objective, forming a basis for determining how the
risks should be managed. They ultimately impact an organization’s ability to accomplish its
mission. To have reasonable assurance that the organization will achieve its objectives,
management should ensure each risk is assessed and handled properly.
Control Activities. Control activities are those that help prevent or reduce the risks that can
impede accomplishment of the organization’s objectives and mission. Management should
establish control activities to accomplish the organization’s objectives and mission
effectively and efficiently.
Information System and Communication. Control activities is the exchange of useful
information between and among people and organizations to support decisions and
coordinate activities. Within an organization, information should be communicated to
management and other employees who need it in a form and within a time frame that helps
them to carry out their responsibilities. Communication also takes place with outside
parties such as customers, suppliers, and regulators. It is needed at all levels of an
organization to run business and move toward achievement of the entity’s objectives in all
departments.
Monitoring of Controls. Monitoring of controls is a process to assess the quality of
internal control performance over time. It involves assessing the design and operation of
controls on a timely basis and taking necessary corrective actions. Its purpose is to ensure
that controls continue to operate effectively.
5. What is the control environment? What are the elements that comprise the control
environment?
Control environment is the attitude toward internal control and control
consciousness established and maintained by the management and the employees of an
organization. It is the foundation for all other components of internal control, providing
discipline and structures. The elements of the control environment are the communication
and enforcement of integrity and ethical values, commitment to competence, participation
by those charged with governance, management’s philosophy and operating style,
organizational structure, assignment of authority and responsibility, and human resources
policies and practices.
6. What is meant by risk assessment process?
Risk assessment process is the process for identifying and responding to business
risk and the results thereof. The process of identifying and analyzing risk is an ongoing
iterative process and is a critical component of an effective internal control system.
Management must focus carefully on risks at all levels of the entity and take the
necessary actions to manage them.
7. What is an information system?
Information systems are interrelated components working together to collect,
process, store, and disseminate information to support decision making, coordination,
control, analysis, and visualization in an organization. Information systems are tools used
to support processes, operations, intelligence, and IT. Information system tools move data
and manage information. They produce data-driven reports that help businesses make the
right decisions at the right time.
8. What are control activities?
Control activities are policies and procedures, which are the actions of the people
to implement the policies, to help ensure that management directives identified as
necessary to address risks are carried out. Control activities can be preventive or detective
activities. Control activities occur at all levels and functions of the agency. Management
should establish control activities that are effective and efficient. The commonly used
control activities are performance reviews, information processing, physical controls, and
segregation of duties. Control activities, no matter how well designed and executed, can
provide only reasonable assurance regarding achievement of objectives.
9. Give the different types of control activities.
Performance reviews. Provide management with an overall indication of whether
personnel at various levels are effectively pursuing the objectives of the organization. By
investigating the reasons for unexpected performance, management may make timely
changes in strategies and plans or take other appropriate corrective action.
Information processing. A variety of control activities are performed to check the
accuracy, completeness, and authorization of transactions. The two broad categories of
information processing controls include general control activities, which apply to all
information processing procedures, and application control activities, which apply only
to one particular activity.
Physical Controls. These controls include those that provide physical security over both
records and other assets. Activities that safeguard records include maintaining control at
all times over unissued prenumbered documents, as well as other journals and ledgers, and
restricting access to computer programs and data files.
Segregation of duties. No one department or person should handle all aspects of a
transaction from beginning to end.
10. Why is it necessary to monitor controls?
It is necessary to mitigate the risk of fraud in your business or organization. It is
also to see the changes happening in your system that need updates or adjustments. It
is also necessary to monitor your controls to ensure that internal control continues to
operate effectively.
11. What are the inherent limitations of internal controls?
A system of controls does not provide absolute assurance that the control
objectives of an organization will be met. Instead, there are several inherent
limitations in any system that reduce the level of assurance. These inherent
limitations are as follows:
Collusion. Two or more people who are intended by a system of control to keep
watch over each other could instead collude to circumvent the system.
Human error. A person involved in a control system could simply make a mistake,
perhaps forgetting to use a control step. Or the person does not understand how a
control system is to be used or does not understand the instructions associated with
the system. This may be caused by the assignment of the wrong person to a task.
Management override. Someone on the management team who has the authority to do
so could override any aspect of a control system for his personal advantage.
Missing segregation of duties. A control system might have been designed with an
insufficient segregation of duties, so that one person can interfere with its proper
operation.
12. Enumerate, in chronological order, the steps followed in the study and evaluation of
internal controls. Explain each step briefly.
Obtain an understanding of the client’s internal control. The auditor should obtain
and document an understanding of the client’s financial statements.
Make a preliminary assessment of control risk. The assessment shall be the basis for
determining the nature, timing, and extent of substantive tests.
Determine the appropriate response to the assessed risks. To reduce risk to an
acceptable level, the auditor should determine overall responses to assessed risks at the
financial statement level and should design and perform further audit procedures to
respond to the assessed risk at the assertion level.
Reassess level of control risk. The auditor should evaluate whether the internal controls
are designed and operating as contemplated in the preliminary assessment of control risk.
Determine the nature, extent, and timing of substantive tests. The auditor should
design and perform substantive procedures for each material class of transactions,
account balance, and disclosures.
13. What is a transaction walkthrough?
A transaction walkthrough is a procedure used during an audit of an entity’s accounting
system to gauge its reliability. A walk-through test traces a transaction step by step
through the accounting system from its inception to the final disposition. However,
walk-throughs are not required for accountants but can be instrumental in addressing
weaknesses and problems.
14. What are the different ways by which an understanding of controls is documented?
The following are the different ways by which an understanding of control is
documented.
Flow Charts
Narrative descriptions
Internal control questionnaire
Risk and Control Matrices
Policy and procedure manuals
Sound documentation
15. When is the control risk assessment High? Less than high?
The control risk assessment is high when the entity does not have effective
internal controls to prevent fraud and misstatements. It is less than high when the entity
has effective controls to prevent fraud and misstatements.
16. How does a high control risk assessment affect the planned audit approach?
A high control risk assessment increases the scope of audit in the planned audit
approach.
17. Give examples of responses to the assessed risk of material misstatement.
Conducting more audit procedures. By conducting more audit procedures, it would
help to detect the risk of fraud and material misstatements.
Performing more substantive procedures to obtain more evidence. Focusing on the
on-going procedures would help minimize the errors made and find more evidence.
Increase the scope of audit. Giving the auditor a larger access would help to detect more
fraud and material misstatements in the system.
18. What is the relationship of a less than high control risk assessment to the nature, extent,
and timing of substantive tests?
The auditor’s risk assessment influences the nature, extent, and timing of substantive
tests: the lower the assessed level of control risk, the less evidence the auditor needs
from substantive tests.
19. May substantive tests be eliminated?
No, the assessed level of control risk cannot be sufficiently low to eliminate the
need to perform any substantive tests for all the financial statement assertions.
Consequently, regardless of the assessed levels of control risk, the auditor should perform
some substantive tests for significant account balances and transaction classes.
20. How are audit matters related to internal control communicated to management and to
those charged with governance?
It matters because the auditor shall communicate to management at an appropriate
level of responsibility on a timely basis to know the significant deficiencies in internal
control and other deficiencies in internal control identified during the audit that have not
been communicated to management by other parties.