
risk assessment 3

Chapter 11 discusses the importance of risk assessment in ensuring reliable financial reporting and compliance with laws. It emphasizes the role of internal control systems, which include policies and procedures designed to mitigate risks and achieve organizational objectives. The chapter outlines the responsibilities of management and auditors in evaluating and maintaining effective internal controls.

Uploaded by

Angela Aquino

CHAPTER 11: RISK ASSESSMENT III

PSA 315 (Redrafted)

Scope: Identifying and assessing the risks of material misstatement through understanding the entity and its environment, including its internal control.

Introduction

The success of the business operations and performance of the entity relies on its ability to achieve operating and organizational goals and objectives.

How to attain these objectives and goals:

• Combined efforts of those charged with governance, management, and personnel within the entity
• A system to oversee the carrying out of policies and procedures to achieve the objectives and goals

Widely accepted concept in audit theory and practice:

The importance of the client’s system of internal control to generate reliable financial information

An excellent system of internal control that includes adequate controls for:

• Providing reliable data
• Safeguarding assets and records

Result: The amount of audit evidence to be accumulated can be significantly less than when controls are not adequate.

Internal Control – the process designed, implemented, and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations

Summary of definition

1. Policy & Procedure adopted by
• Those charged with governance
• Management
• Employees

2. To achieve objectives of:
• Reliability of financial reporting
• Effective and efficient operation
• Compliance with applicable laws and regulations

Note: Internal control is designed and implemented to address identified business risks that threaten the achievement of the entity’s goals and objectives

Internal control system – consists of all policies and procedures adopted by management of an entity to assist in achieving management’s objective of ensuring, as far as practical, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

Functions of internal control:

❖ Preventive controls – deter problems before they arise
❖ Detective controls – needed to discover problems as they arise
❖ Corrective controls – remedy the problem discovered with detective controls

People responsible for effective internal control:

➢ Management
➢ Those charged with governance
➢ Employees and other personnel

Elements of internal control:

❖ Control environment
❖ Entity’s risk assessment process
❖ Information system including relevant business processes and relevant financial reporting and communication
❖ Control activities
❖ Monitoring of control

1. Control Environment

- The overall attitude, awareness, actions of those charged with governance, management, and employees on the system and its importance to the entity.
❖ It sets the tone of an organization, influencing the control consciousness, providing disciplines and structure
❖ Governs behaviour as envisioned in the culture created by management and directors

Some factors:

A. Communication and enforcement of integrity and ethical values
➢ Integrity and ethical values include the removal and reduction process to eliminate temptation for personnel to commit fraud, illegal acts
➢ Communication of values and behavioural standards to personnel through policy statement
Management should establish ethical standards that discourage employees from engaging in dishonest, unethical, or illegal acts that could materially affect the financial statements.

B. Commitment to competence
➢ Competence is the knowledge and skills necessary to accomplish jobs
➢ Management gives impetus on competence level for a certain job
➢ The objective is to accomplish the job at the highest application of skill and competence
➢ Management hires employees competent to perform the task

C. Participation by those charged with governance
➢ Active involvement of the directors in the control consciousness
➢ Codes of practice and regulations are adopted to ensure active involvement
➢ Oversight of the design and effective operation of whistle blower procedures
➢ Review of the effectiveness of the entity’s internal control

D. Management’s philosophy and operating style
➢ Consideration and monitoring business risk
➢ Conservative or aggressive selection from alternative accounting principles
➢ Consciousness and conservatism in developing accounting estimates
➢ Attitude toward information processing, accounting function, personnel
➢ Meeting budget, profit and established goals affecting financial statements

E. Organizational structure
➢ Assist the entity in meeting goals and objectives
➢ Transactions are processed, recorded, summarized, and reported accurately and timely
➢ Refers to the framework that dictates how activities are planned, executed, controlled, and reviewed
➢ Considers key areas of authority and responsibilities and appropriate lines of reporting
➢ Depends on the size and nature of activities

F. Assignment of authority and responsibility
➢ Delineation of authority and functions
➢ No overlapping of functions for effective attainment of objectives (job description)

G. Human resources policies and procedures
➢ Policies on recruitment, orientation, training, counselling
➢ Hiring standards and requirements to achieve all these factors in control environment

Limitations of the control environment

• Not an absolute deterrent in fraud
• Weaknesses in control environment undermine effectiveness of internal control system
• Does not prevent or detect or correct a material misstatement

However, it may influence evaluation of effectiveness of other controls

Specific examples of control environment

➢ Organizational chart
➢ Corporate governance
➢ Board risk committees
➢ Internal audit / audit committee
➢ Identification card
➢ Company uniforms / working hours

Entity’s risk assessment process

➢ Identification, analysis, management of risk pertaining to preparation of financial statements
➢ Identifying and responding to business risk and results thereof
➢ Estimating the significance of the risk
➢ Assessing the likelihood of their occurrence
➢ Deciding about actions to address those risks

Relevant risks include:

➢ External and internal events and circumstances that may occur
➢ Adversely affect ability to initiate, record, process and report financial data consistent with the assertions in the financial statement

Risk may arise from these circumstances:

➢ Change in operating environment
➢ New personnel
➢ New or revamped information system
➢ Rapid growth
➢ New technology
➢ New business models, products, or activities
➢ Corporate restructuring
➢ Expanded foreign operations
➢ New accounting pronouncements

Specific examples of risk assessment:

➢ Relocation of site
➢ Conversion to IT system
➢ Newly appointed managers & supervisors
➢ New board members
➢ Branching
➢ Consolidation & merger
➢ Overseas expansion

Information system

- Consists of infrastructure (physical and hardware components), software, people, procedures, and data
- A well-designed information system is effective in reducing risk of material misstatement
- Auditor should know, understand
  • The process that affects significant balances
  • How transactions are initiated
  • How documents and records are generated
  • How the documents and records flow to the financial statements

Consists of procedures and records established to:

➢ Initiate, record, process, and report entity transactions
➢ Maintain accountability for the related assets, liability, equity
➢ Resolve incorrect processing transactions
➢ Process and account for system overrides or bypass to controls
➢ Transfer information from transaction processing system to the general ledger
➢ Capture information relevant to financial reporting other than transactions
➢ Ensure information to be disclosed is accumulated, recorded, processed, summarized and appropriately reported in the financial statements

Journal entries

An entity’s information system includes the use of:

Standard journal entries
Required on a recurring basis to record transactions

Non-standard journal entries
To record non-standard transactions or adjustments

Business processes:

➢ Develop, purchase, produce, sell, and distribute products and services
➢ Ensure compliance with laws and regulations

Consists of procedures and records established to:

➢ Identify and record all valid transactions
➢ Describe the transaction in detail for proper classification
➢ Measure the value of transactions for proper monetary value
➢ Determine the time period to record transactions in the proper accounting period
➢ Present the transactions and disclosures in the financial statements

Communication

➢ Providing and understanding individual roles and responsibilities pertaining to internal control
➢ Takes forms as policy manuals, accounting and financial reporting manuals, memoranda
➢ Produced electronically or orally
➢ Through the action of management

Specific examples of information & communication

• Journal entries
• Accounting cycle
• Assertion level
• Flow chart
• Classes of transactions
• IFRS/PFRS
• Financial statements

Control Activities

➢ Policies and procedures that help ensure that management’s directives are carried out
➢ Various objectives applied at various organizational and functional levels

Major categories of control activities

➢ Performance review (actual vs standard)
➢ Information processing controls
➢ Physical control and access to assets
➢ Adequate documents and records

Performance reviews:

➢ Actual performance with
  • Budget, forecast
  • Prior period performance
  • Competitors data
  • Tracking major initiative or cost reduction program
➢ Investigative performance and corrective actions
  • Purchase price variances
  • Percentage of returns
  • Causes of anomalies committed
➢ Review of functional or activity performance

Information processing controls

Policies and procedures designed to require authorization of transactions and ensure the accuracy and completeness of transactions processing

Classified as:

➢ Application controls
  • Checking arithmetical accuracy of records
  • Maintaining and reviewing accounts and trial balance
  • Automated controls thru edit checks of input data
  • Numerical sequence checks
  • Manual follow-up of audit exceptions
➢ General – IT controls:
  • Activities to prevent or detect errors or irregularities
  • Policies and procedures applications to support the effective functioning of information system
  • Controls that restrict access to programs or data
  • Controls over the implementation of new releases of software applications
  • Protections from hacking, piracy, unauthorized access to data

Internal controls in accounting system to achieve objectives:

✓ Transactions are performed in accordance with management's proper authorization
✓ Prompt booking or recognition of all transactions and events in correct amount, appropriate account, and proper accounting period
✓ Access to assets is permitted only in accordance with management's authorization
✓ Existing assets are compared against recorded assets at reasonable intervals and appropriate actions are taken against discrepancies

Control activities related to the transaction process:

Proper authorization of transaction activities:

➤ Certain conditions to be met prior to booking of transactions
➤ Flows from stockholders to governance to management to subordinates
➤ Creation of accounting and auditing path

Segregation of duties:

➤ Safeguards assets
➤ Ensures reliability of the accounting records
➤ No one person to control an entire phase of transaction

Physical control and access to assets:

➤ Physical security of assets
➤ Authorization for access to computer programs and data files
➤ Periodic counting and comparison with control records

Adequate documents and records:

➤ Reasonable Assurance that all valid transactions have been recorded
➤ Use of controlling accounts
➤ Proof of accuracy to assure correctness of operation

Independent check on performance

Periodically compare the actual asset with the recorded balance

• Periodic count of assets and comparing the counts to the balances in the GL account
• Examples: inventory count, bank reconciliation

Segregation of Duties

To achieve optimum segregation of duties and responsibilities, the following functions should be performed by different employees:

• Independent checks or internal audits
• Custody of assets
• Authorization of transactions
• Recording of transactions
• Execution of transactions

However, if it is impractical to segregate the above functions, at a minimum, three functions must be segregated:

• Custody of Assets
• Authorization of Transactions
• Recording of Transactions

Specific Examples of Control Activities:

➤ Warehousing
➤ FIFO valuation method
➤ Cash box
➤ Cash vault
➤ Non-detachable Equipment Label
➤ Cashiering
➤ Levels of authorization

Monitoring of Controls

The process that an entity uses to assess the quality of internal control over time:

• To establish and maintain internal control on an ongoing basis
• Whether controls are operating and appropriate for changes
• Communication from external parties to detect problems or areas for improvement.
• Internal auditors evaluate the design and operation of controls and communicate strength and weaknesses
• Built into the normal activities of an entity and include regular management and supervisory activities

Specific Examples of Monitoring activities:

➤ Management Fraud
➤ TCWG Qualification
➤ Annual Stockholders' Meeting
➤ Proxy Voting
➤ Audit Report
➤ Improper disposal of documents
➤ Document Retention Period

Limitations of Internal Control System

➤ Errors by personnel
➤ Collusion
➤ Management override
➤ Present conditions are not guaranteed in the Future
➤ Cost-Benefit Relationship
➤ Controls are directed to routine transactions rather than non-routine transactions

Auditors are not responsible for establishing and maintaining an entity's accounting and internal control systems.
This is the responsibility of the management.
Nevertheless, auditors should give adequate consideration to these controls.

Reasons:

• The quality of the entity's control systems has a significant impact on the Audit
• There is a direct relationship between an entity's objectives and the control it implements to assure the attainment of these objectives

Responsibilities of an Auditor:

• Plan the audit sufficiently
• Assess control risk

Means to accomplish the responsibilities:

• Obtain an understanding of accounting and internal controls
• Use professional judgement to assess audit risk
• Design audit procedures to reduce risk to an acceptably low level

Objectives of the study of Internal Control:

1. Plan the Audit
2. Assess Control Risk
• Assess control risk below maximum,
• Evaluate effectiveness of control placed in operation

Assess control risk below Maximum:
Identify, in each assertion, the specific controls to prevent or detect material misstatements

Evaluate effectiveness of existing controls:
Perform tests to determine if controls are applied
(This phase is not required in the planning stage)

Factors to consider in Risk Assessment

• Design of controls: Existence and Applications
• Effectiveness of Control: How the controls effectively function

Stages of Study and Evaluation of Internal Control

- Obtaining an understanding of the entity's internal control structure
- Assessing the preliminary level of control risk
- Obtaining evidential matter to support the assessed level of control risk
- Evaluating the results of evidential matter
- Determining the necessary level of detection risk
