Internal Control

and Control Risk

Chapter 10

10 - 1

Planning an Audit and

Designing an Approach
Accept client and
perform initial
audit planning

Understand the
clients business
and industry
Assess client
business risk

Set materiality, and

assess acceptable audit
risk and inherent risk
Understand internal
control and assess
control risk

Develop
overall
audit plan
and
audit
program

Gather information to assess

fraud risks

Perform preliminary
analytical procedures
10 - 2

Learning Objective 1
Explain the five components
of internal control

10 - 3

Definisi (SA Seksi 319)

Pengendalian intern adalah suatu proses yang
dijalankan oleh dewan komisaris, manajemen,
dan personel lain entitas yang didesain untuk
memberikan keyakinan memadai tentang
pencapaian tiga golongan tujuan berikut ini:
Keandalan pelaporan keuangan
Efektivitas dan efisiensi operasi

Kepatuhan terhadap hukum dan peraturan yang

berlaku
10 - 4

Five Components
of Internal Control

Control Environment

Risk
Assessment

Control
Activities

Information and
Communication

Monitoring

10 - 5

The Control Environment

Integrity and ethical values

Organizational structure

Commitment to competence

Assignment of authority
and responsibility

Board of directors or audit

committee participation

Human resources
policies and practices

Managements philosophy
and operating style
10 - 6

Risk Assessment
Identify factors affecting risk.
Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.

10 - 7

Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records
5. Independent checks on performance

10 - 8

1. Adequate Separation
of Duties
Custody of assets

Accounting

Authorization
of transactions

The custody of
related assets

Operational
responsibility

Record-keeping
responsibility

IT Duties

User departments

10 - 9

2. Proper Authorization of
Transactions and Activities

General authorization

Specific authorization

10 - 10

3. Adequate Documents
and Records
Prenumbered consecutively
Prepared at the time of transaction

Simple enough to ensure understanding

Designed for multiple uses
Constructed to encourage correct preparation

10 - 11

4. Physical Control over

Assets and Records
Physical precautions
Controls related to IT equipment,
programs, and data files

Physical
controls

Access
controls

Backup and
recovery
procedures
10 - 12

5. Independent Checks
on Performance

The need for independent checks

arise because internal control tends
to change over time unless there is
a mechanism for frequent review.

10 - 13

Information and
Communication
The purpose of an accounting information
and communication system is to

initiate, record, process, and report the

transactions and to maintain accountability
for the related assets.

10 - 14

Monitoring
Managements ongoing and periodic assessment
of the quality of internal control performance

to determine whether controls are operating

as intended and modified when needed.

10 - 15

Learning Objective 2
Contrast managements need for
internal control with the auditors
need to consider internal control
when designing an audit.

10 - 16

Key Concepts

Managements
Responsibility
Reasonable
Assurance
Inherent
Limitations
10 - 17

Clients Concerns
Reliability of financial reporting
Efficiency and effectiveness of operations

Compliance with applicable laws

and regulations

10 - 18

Auditor Concerns
Controls related to reliability of
financial reporting

Controls over classes of transactions

10 - 19

Sales Transaction-Related
Audit Objectives
Objective General Form

Related Audit Objectives

Recorded transactions
exist (existence).

Sales are for shipments

to existing customers.

Existing transactions are

recorded (completeness).

Existing sales transactions

are recorded.

Transactions are stated

correctly (accuracy).

Sales for goods shipped

are correctly billed.
10 - 20

Sales Transaction-Related
Audit Objectives
Objective General Form

Related Audit Objectives

Transactions are properly

classified (classification).

Sales transactions are

properly classified.

Transactions are recorded

on correct dates (timing).

Sales are recorded on the

correct dates.

Transactions are properly

filed (posting and
summarization).

Sales transactions are

properly included in the
master files.
10 - 21

Learning Objective 3
Explain methods used to
obtain an understanding
of internal control.

10 - 22

Understanding Internal Control

and Assessing Control Risk
Obtain Understanding of Internal Control:
Design and Operation

Assess Control Risk

Test Controls

Decide Planned Detection Risk

and Substantive Tests
10 - 23

Reasons for Sufficiently

Understanding Internal Control
SA Seksi 319 requires the auditor to
obtain an understanding of internal
control for every audit.

Minimum audit
planning matters

Auditability
Potential material
misstatements
Detection risk
Design of test
10 - 24

Procedures to Determine
Design and Placement
Update and evaluate auditors previous
experience with the entity.
Make inquires of client personnel.
Read clients policy and systems manuals.
Examine documents and records.

Observe entity activities and operations.

10 - 25

Documentation of
the Understanding
Internal
control
questionnaire
Flowchart
Narrative

10 - 26

Learning Objective 4
Obtain Understanding of Internal Control:
Design and Operation

Assess Control Risk

Test Controls

Decide Planned Detection Risk

and Substantive Tests

Assess control
risk by linking
strengths and
weaknesses of
internal control to
transactionrelated audit
objectives.

10 - 27

Assess Control Risk

Obtain sufficient understanding for planning.
Assess whether the entity is auditable.

Determine assessed control risk.

Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.

10 - 28

Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.

10 - 29

Identify and Evaluate

Weaknesses
Identify existing controls.
Identify the absence of key controls.

Determine misstatements that could result.

Consider compensating controls.

10 - 30

The Control Risk Matrix

Auditors use the control risk matrix to

identify both controls and weaknesses
and to asses control risk.

10 - 31

Communication
Reportable conditions letter

Audit committee communications

Management letters

10 - 32

Learning Objective 5
Obtain Understanding of Internal Control:
Design and Operation

Assess Control Risk

Test Controls

Decide Planned Detection Risk

and Substantive Tests

Describe the
process of
designing
and
performing
tests of
controls.
10 - 33

Tests of Controls

The procedures to test effectiveness

of controls in support of a reduced
assessed control risk are called
tests of controls.

10 - 34

Procedures for
Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.

Observe control-related activities.

Reperform client procedures.

10 - 35

Extent of Procedures

Reliance on evidence from prior years audit

Testing less than the entire audit period

10 - 36

Relationship of Assessed Control

Risk and Extend of Procedures

Type of Procedure

Inquiry
Documentation
Observation
Reperformance

Assessed Control Risk

High Level:
Lower Level:
Obtaining an
Tests of
Understanding Only
Controls
Yes extensive
Yes with transaction
walk-through
Yes with transaction
walk-through
No

Yes some
Yes using
sample
Yes multiple
times
Yes sampling
10 - 37

Learning Objective 6
Obtain Understanding of Internal Control:
Design and Operation

Assess Control Risk

Test Controls

Decide Planned Detection Risk

and Substantive Tests

Decide
Planned
Detection Risk
and
Substantive
Tests

10 - 38

Decide Planned Detection Risk

and Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.

The auditor links the control risk assessments

to the balance-related audit objectives.
10 - 39

Tolerable Misstatements,
Risk, and Planned Evidence
Acceptable
audit risk

Inherent
risk
Control
risk

Planned
detection risk

D
I

Planned
audit evidence

Tolerable
misstatement
D = Direct relationship; I = Inverse relationship
10 - 40

End of Chapter 10

10 - 41

Overall Audit Plan

and Audit Program
Chapter 13

10 - 42

Audit Planning
Accept client and
perform initial
audit planning

Perform preliminary
analytical procedures

Understand the
clients business
and industry

Set materiality, and

assess acceptable audit
risk and inherent risk

Assess client
business risk

Understand internal
control and assess
control risk

Develop
overall
audit plan
and
audit
program

10 - 43

Learning Objective 1
Use the five types of audit tests
to determine whether financial
statements are fairly stated

10 - 44

Types of Tests
Risk Assessment Procedures
Further Audit Procedures

10 - 45

Further Audit Procedures

and the Audit Risk Model
Audit risk
model

Tests of
controls

AAR
= PDR
IR CR

Substantive
Analytical
tests of
+
+ procedures +
transactions

Tests of
details of
balances

Sufficient
appropriate
= evidence
per GASS

Further audit procedures

10 - 46

Tests of Control
To determine the appropriateness of
the design and operating effectiveness of
specific internal controls
Make inquiries
Examine documents, records
include

Observe control-related activities

Reperform client procedures
10 - 47

Substantive Tests of Transactions

To determine whether all five transactionrelated audit objectives have been
satisfied for each class of transactions

For efficiency, the STOT are often done

at the same time as TOC

10 - 48

Analytical Procedures
The most important purposes of analytical
procedures in the audit of account balances
are:

Indicate the presence of possible

misstatements in the financial statements
Reduce tests of balances

10 - 49

Tests of Detail of Balances

Focus on the ending general ledger
balances for both balance sheet and
income statements accounts
Confirmation

include

Physical examination

Examination

10 - 50

Role of all Audit Tests in

the Sales and Collection Cycle
Accounts
Receivable

Sales

Cash in
Bank

Sales
transactions

Cash receipts
transactions

Audited by
TOC, STOT, and AP

Audited by
TOC, STOT, and AP

Ending
balance

Ending
balance

Audited by AP and TDB

TOC + STOT + AP + TDB

= Sufficient competent evidence per GAAS
10 - 51

Learning Objective 2
Select the appropriate
types of audit tests

10 - 52

Relationship Between Further

Audit Procedures and Evidence

10 - 53

Learning Objective 4

Design an audit program

10 - 54

Audit Program

The list of audit procedures for an audit area

or an entire audit
Contents:

Types of tests
Audit objectives
Procedures
Sample size
Items to select
Timing
10 - 55

Audit Program
Part 1:
Tests of controls and substantive
tests of transactions
Part 2:
Analytical procedures
Part 3:
Tests of details and balances
10 - 56

Audit Procedures
1. Apply the transaction-related audit objectives
to the class of transactions being tested.

2. Identify key controls that should reduce

control risk for each audit objective.
3. Develop appropriate tests of controls.
4. Design substantive tests of transactions.

10 - 57

Methodology for Designing

Controls and Substantive Tests
Perform procedures
to understand
internal control.

Design tests of controls

and substantive tests
of transactions to meet
transaction-related
audit objectives.

Assess control risk.

Audit procedures

Sample size
Evaluate cost-benefit
of testing controls.

Items to select
Timing
10 - 58

Four-Step Approach to Designing

Control and Substantive Tests

10 - 59

Test of Control and Substantive

Tests of Transactions

Sales
Cash receipts
Acquisitions
Cash disbursements
Payroll and personnel

10 - 60

Methodology for Designing Tests of

Balances Accounts Receivable
Identify client business risks
affecting accounts receivable.
Set tolerable misstatement
and assess inherent risk
for accounts receivable.

Assess control risk for sales

and collection cycle.
Design and perform tests of
controls and substantive tests
of transactions for sales and
collection cycle.

Design and perform analytical

procedures for accounts
receivable balance.

Design tests of details of

accounts receivable balance
to satisfy balance-related
audit objectives.
Audit procedures

Sample size

Items to select

Timing

10 - 61

Learning Objective 5
Compare and contrast
transaction-related audit
objectives and balancerelated audit objectives.

10 - 62

Relationship of Transaction- to
Balance-Related Audit Objectives
Transaction-Related
Audit Objective

Balance-Related
Audit Objective

Nature of
Relationship

Occurence

Existence or
completeness

Completeness

Completeness or
existence

Direct

Accuracy

Valuation

Direct

Direct

10 - 63

Relationship of Transaction- to
Balance-Related Audit Objectives
Transaction-Related
Audit Objective

Balance-Related
Audit Objective

Nature of
Relationship

Classification
Cutoff

Right and
obligation

10 - 64

Learning Objective 6
Integrate the four phases
of the audit process.

10 - 65

Summary of the
Audit Process

Phase I

Plan and design

an audit approach.

Phase II

Perform tests of
controls and
substantive tests
of transactions.

Phase III

Perform analytical
procedures and
tests of details
of balances.

Phase IV

Complete the
audit and issue
an audit report.
10 - 66

Summary of the Audit Process

Phase I
Accept client and perform initial planning.
Understand the clients business and industry.

Assess clients business risk.

Perform preliminary analytical procedures.
Set materiality and assess acceptable audit risk
and inherent risk.
Understand internal control and assess control risk.
Develop overall audit plan and audit program.
10 - 67

Summary of the Audit Process

Phase II
Plan to reduce assessed
level of control risk?

No

Yes
Perform tests of controls.

Perform substantive tests of transactions.

Assess likelihood of misstatements in
financial statements.
10 - 68

Summary of the Audit Process

Phase III

Low

Medium

High or
unknown

Perform analytical procedures.

Perform tests of key items.

Perform additional tests of details of balances.

10 - 69

Summary of the Audit Process

Phase IV
Review for contingent liabilities.
Review for subsequent events.
Accumulate final evidence.

Evaluate results.
Issue audit report.

Communicate with audit

committee and management.
10 - 70

End of Chapter 13

10 - 71