INTERNAL CONTROL

Methodology For Evaluation through Internal control: Evaluation of internal control

systems can be done in a variety of ways. It would be reasonable to expect that the desired
degree of documentation would be in proportion with the size and activities of the
organisation. The following are the general methods adopted:-

Appraisal by workflow,
Appraisal by duties,
Appraisal by questionnaire.

The adoption of any of the above methods, does not preclude the use of one or more methods
in connection.

Evaluation of Internal Controls by the questionnaire methods (used in

conjunction with other methods.) is a convenient and efficient medium for documented
evidence of such review having actually taken place.

A standard Internal Control Questionnaire has therefore, been presented by the Research
Committee of Chartered Accountants of India. The questions are so framed that most of the
answers can be given by "Yes" or "No" or "Not applicable". Affirmative answers generally
indicate good internal controls while negative answers indicate weaknesses. In such cases, it
would be advisable to add explanatory note. The arrears of coverage by the questionnaire
relate to :-

Cash and Bank Receipts

System of Accounts in Branches and Factories
Cash and Bank Payments
Salaries and Wages
Purchases and Creditors
Sales and Debtors
Investments
Stocks
Fixed Assets
Borrowings
 Share Capital
Loans and Advances.

Sample questions on some of the above mentioned areas could include :-

1. Is an organisation chart readily available ?

2. Does the organisation chart show a clear definition and allocation of duties and
responsibilities of officials and employees?
3. Is a chart of Accounts in use?
4. Are the accounting records kept up-to-date?
5. Are they balanced monthly ?
6. Are control accounts kept in the general ledger in respect of all transactions where the
volume justifies it?
7. Are subsidiary records reconciled with the respective control accounts periodically?
8. Are daily returns and reports received from branches/factories for collections, sales
and despatches, production and receipt of goods?
9. Is an Internal Audit Manual in use?
10. Is there reconciliation of proofs of collection with amounts banked?
11. Is purchasing centralised in the purchase department?
12. Are purchases made only from approved suppliers?

Methodology For Adoption While Using The Questionnaire: The Auditors may
obtain answers on separate sheets , duly indexed against the questions to which they relate.
Inevitably a standard format for a questionnaire may not be feasible for universal
applicability as individual variations may be required. The following methods could be
adopted:-

Answers could be compiled by the auditor on the basis of his observations and
personal interaction with the auditee.
Alternatively, the questionnaire may be given to auditee who could furnish answers
on separate sheets. The advantage of this method is that the auditee would have an
opportunity to review his own systems of internal control through the mere process of
answering the questionnaire.
The auditor should then conduct a test check in order to ascertain the accuracy of the
replies and the actual operation of the system.
 All negative answers are to be reviewed by the auditor with the auditee. The auditor
may also decide whether any qualification would be necessary in his report.
In the light of the questionnaire, the auditor should formulate his Audit Plan and
Programme.
A review of the questionnaire, in the event of any major changes that may have taken
place in the auditee organisation, should be conducted by the auditor.

INTERNAL CONTROL QUESTIONNAIRE

Having ascertained, confirmed and recorded the system, the auditor now needs to carry out a
preliminary evaluation of the system in order to make a decision as to whether he will:

Rely on internal controls and adopt a systems audit approach

Perform extensive substantive testing. Using a verification approach to the audit.

Internal Control Questionnaire

An ICQ is a formal and usually standardized document which comprises:

1. A list of internal controls in existence and

2. Highlights any weaknesses.

Features:

Used in large company audit

Used to place reliance on internal controls
Used to design audit approach

Objectives:

i. To ascertain a clients systems of accounting and internal control

ii. To evaluate the control system thus recorded, and hence
iii. To identify those controls which indicate strengths in the system upon which the
auditor will seek to place reliance, and
iv. To identify those areas over which there are weak or no controls and which therefore
must be subjected to more extensive substantive testing and reported by inclusion in
the Management Letter.
Construction of an ICQ
I. It is good practice when designing ICQs to state, as a brief introduction:
a list of control objectives which each sub-system under consideration should
seek to achieve
any business considerations specific to the enterprise under review which
should be taken into account. The reason for this is essentially to highlight for
the audit staff key areas for their consideration to the audit
staff.
II. The questions in an ICQ should be designed to ascertain whether the control objectives are
being achieved and should therefore cover such aspects as:
instructions given to staff in the performance of their duties
authorization procedures
documents and procedures used to originate transactions
recording procedures
sequence of procedures
custody procedures
relative independence of the persons involved at each stage of a transaction
(i.e. segregation of duties).
III. The questions should be framed such that a Yes/No answer is given, with a No answer
usually indicating a control weakness.
IV. An ICQ should carry such basic information as:
the name of the document (ICQ)
the system to which it relates (e.g. purchasing cycle)
the client to whom it relates
the accounting period under review
evidence of who has prepared and reviewed the document
the provision of columns for:- Yes and No answers -comments where neither
Yes or No are applicable - indicating the significance or otherwise of apparent
weaknesses
Audit risk

Audit Risk is the risk that an auditor expresses an inappropriate opinion on the financial
statements.

Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements.
Examples of inappropriate audit opinions include the following:

Issuing an unqualified audit report where a qualification is reasonably justified;

Issuing a qualified audit opinion where no qualification is necessary;
Failing to emphasize a significant matter in the audit report;
Providing an opinion on financial statements where no such opinion may be reasonably
given due to a significant limitation of scope in the performance of the audit.
Model

Audit Risk = Inherent Risk x Control Risk x Detection Risk

Audit risk may be considered as the product of the various risks which may be encountered in
the performance of the audit. In order to keep the overall audit risk of engagements below
acceptable limit, the auditor must assess the level of risk pertaining to each component of
audit risk.

Components

Explanation of the 3 elements of audit risk is as follows:

Inherent Risk is the risk of a material misstatement in the financial statements arising due to
error or omission as a result of factors other than the failure of controls (factors that may
cause a misstatement due to absence or lapse of controls are considered separately in the
assessment of control risk).

Inherent risk is generally considered to be higher where a high degree of judgment and
estimation is involved or where transactions of the entity are highly complex.

For example, the inherent risk in the audit of a newly formed financial institution which has a
significant trade and exposure in complex derivative instruments may be considered to be
significantly higher as compared to the audit of a well established manufacturing concern
operating in a relatively stable competitive environment.

Control Risk is the risk of a material misstatement in the financial statements arising due to
absence or failure in the operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of
fraud and error. Control risk is considered to be high where the audit entity does not have
adequate internal controls to prevent and detect instances of fraud and error in the financial
statements.

Assessment of control risk may be higher for example in case of a small sized entity in which
segregation of duties is not well defined and the financial statements are prepared by
individuals who do not have the necessary technical knowledge of accounting and finance.

Detection Risk is the risk that the auditors fail to detect a material misstatement in the
financial statements.

An auditor must apply audit procedures to detect material misstatements in the financial
statements whether due to fraud or error. Misapplication or omission of critical audit
procedures may result in a material misstatement remaining undetected by the auditor. Some
detection risk is always present due to the inherent limitations of the audit such as the use of
sampling for the selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions
for detailed testing.

Application

Audit risk model is used by the auditors to manage the overall risk of an audit engagement.

Auditors proceed by examining the inherent and control risks pertaining to an audit
engagement while gaining an understanding of the entity and its environment.

Detection risk forms the residual risk after taking into consideration the inherent and control
risks pertaining to the audit engagement and the overall audit risk that the auditor is willing to
accept.
Where the auditor's assessment of inherent and control risk is high, the detection risk is set at
a lower level to keep the audit risk at an acceptable level. Lower detection risk may be
achieved by increasing the sample size for audit testing. Conversely, where the auditor
believes the inherent and control risks of an engagement to be low, detection risk is allowed
to be set at a relatively higher level.

How to Follow Risk Assessment Procedures in an Audit

When performing an audit, you use risk assessment procedures to assess the risk that material
misstatement exists. This step is very important because the whole point of a financial
statement audit is finding out if the financial statements are materially correct.

A clients contribution to audit risk the risk of a material misstatement existing in the
financial records due to errors and fraud influences your firms plans regarding what audit
evidence is necessary and which personnel will be assigned to the job. With higher risk
comes the need for more involved audit risk procedures.

How exactly do you assess audit risk? You follow various risk assessment procedures:
recognizing the nature of the company and management, interviewing employees, performing
analytical procedures, observing employees at work, and inspecting company records. After
you run through all applicable risk-assessment procedures, you use the results to figure out
how high the chance is that your client has material financial-statement mistakes. Not every
mistake is important.

Recognizing the nature of the company: Here are some crucial questions to ask the
client during your risk assessment procedures:

o Whats the companys market overview? For example, if the client is a

bank, in how many states does it operate?

o Who (if anyone) regulates the client? Many businesses dont have an outside
regulatory agency, but any publicly traded company is required to file its
financial statements with the Securities and Exchange Commission (SEC).

o Whats the companys business strategy? Most business strategies are to

maximize shareholder value by increasing profitability and serving the
 community in which theyre located. The answer may lead you to more
probing follow-up questions.

Examining the quality of company management: Inept management thats

lackadaisical about following or enforcing company policies and procedures
encourage that attitude throughout the organization. You evaluate management
attitude through interviews. Another means is noticing high employee turnover, which
can indicate employees are seeking other employment because upper management
fails to maintain a quality system of reporting.

If key personnel such as the president, chief financial officer, and chief executive
officer have been with the company for many years, thats usually an indication of
quality management. Another good sign is if prior audits have required few, if any,
accounting adjustments and there have been no financial statement restatements.
Heres why:

o Accounting adjustments are given to the client if a mistake or an aggregate of

mistakes is material.

o Financial statement restatements are more serious.

Asking employees for information: When asking for information, you should talk to
many different employees in the organization besides management. To get a well-
rounded idea of the business, talk with individuals holding different levels of
authority, from low-level clerks all the way up to the board of directors.

You need to look at problems that can prevent a company from reaching its desired
objectives. Each of your clients functioning departments has different objectives and
risks, and understanding them can help you identify potential sources of inadvertent
errors or intentional fraud that may affect the financial statements. Here are two real-
life examples to consider:

o A payroll department objective is the accurate and timely processing of

employee payroll payments. A risk associated with this objective is issuing
inaccurate payroll payments.

o A tax department objective is to meet all legal and regulatory tax return filing
obligations. Risks associated with this objective include filing returns that
arent materially correct and missing the filing deadline.
 Analyzing processes and paperwork: Put simply, analytical procedures test to see if
plausible and expected relationships exist in both financial and nonfinancial data.

Here are three common analytical procedures you do while assessing audit risk:

o Trend analysis: You compare current financial figures to the same figures in
the prior year.

o Ratio analysis: Some common ratios are the current ratio, and inventory
turnover.

o Reasonableness: Does what youre seeing make sense based on other facts?
For example, does the depreciation expense appear accurate when you
consider the book value of all fixed assets on the balance sheet?

Observing the client at work: One common type of observation is to watch the staff
take a count of physical inventory. Visiting the companys business locations is
another. Doing so gives you the opportunity to view the companys operations beyond
whats in the books and records and to find out about the companys internal controls.

STAGES IN AUDIT SAMPLING

(a) Planning the sample

When planning how to carry out the sampling the auditor should consider the following:

The objective of the test and the combination of audit procedures which are likely to achieve
these objectives;

The population and sampling units. The population should be appropriate to the objective of
the sampling procedure. E.g. if the auditors objective is to test for overstatement of debtors
an appropriate population would be the debtors listing;

Definition of errors in substantive testing and deviations in compliance testing. Before

performing tests on the chosen sample, the auditor should define clearly those test results and
conditions that will be considered errors or deviations by reference to the audit objective. For
substantive testing the auditor should project monetary errors found in the sample to the
population and should consider the effect of the projected error on the particular test
objectives.
(b) Determination of the sample size

The auditor needs to determine an appropriate size of the sample on which the audit
procedures will be applied. The size is determined by:

The tolerable error or deviation rate- the larger the tolerable error or deviation rate, the
smaller the sample size.

Auditors assessment of inherent risk. The higher the auditors assessment of inherent risk,
the larger the sample size. Higher inherent risk implies that there is a greater risk that the
financial balance will be misstated. To reduce this risk the auditor will need to extend the
level of testing. This is achieved by testing a larger sample.

Auditors assessment of control risk. The higher the auditors assessment of control risk, the
larger the sample size. A high control risk implies that little reliance can be placed on
effective operation of internal controls. To reduce the audit risk the auditor will need to
extend the level of testing, this is achieved by increasing the size of the sample.

Expected error. This refers to the total error that the auditor expects to find in the population.
The greater the amount of error the auditor expects to find in the population, the larger the
size of the sample needed in order to make a reasonable estimate of the actual amount of
error in the population.

Auditors required confidence level. The greater the degree of confidence that the auditor
requires that the results of the sample are in fact representative of the actual amount of error
in the population, the larger the sample needs to be.

(c) Selecting the items to be tested: The sample selected should be representative of the
population so that the auditor can draw conclusions about the entire population. All sampling
units should have an equal chance of being selected. Common methods of selecting samples
include:

Random sampling by use of random number tables or use of computers to select sampling
units

Systematic selection

Haphazard selection
(d) Testing the items: After selecting the sample units, the auditor should carry out the pre-
determined audit tests on each item.

(e) Evaluating the results of the tests: The following procedures should be followed in
evaluating the results of the tests:

All errors identified and deviations should be evaluated;

Projection of error. The auditor should estimate the expected error or deviation rate in the
whole population by projecting the results of the sample to the population so as to obtain a
broad view of possible error or deviation rates in the entire population. This will then be
compared with the established tolerable error or deviation rate;

Assessing the risk of incorrect conclusion. In general the expected error or deviation is
rarely a precise measure of the actual error or deviation rate present in the population. Actual
error rate may be greater or smaller than projected error. The auditor must therefore consider
on the basis of his sample results and relevant evidence obtained from other audit procedures,
the possible levels which the actual error or deviation rate might take and particularly the
likelihood that the actual error or deviation rate may exceed tolerable error or deviation rate.

Analytical Procedures

Analytical procedures are a form of audit evidence. Analytical procedures are an important
type of evidence on an audit. They involve a comparison of recorded values with
expectations developed by the auditor. They consists of evaluations of financial information
made by a study of plausible relationships among both financial and nonfinancial data. For
example, the current-year accounts receivable balance can be compared to the prior-years'
balances after adjusting for any increase or decrease in sales and other economic factors.

There are three types of analytical procedures:

1. Preliminary analytical procedures

2. Substantive analytical procedures
3. Final analytical procedures

Auditing standards require that the auditor conduct analytical procedures in planning the
audit. Analytical procedures can be helpful in identifying the existence of unusual
transactions or events and amounts, ratios, and trends that might have implications for audit
planning.

Preliminary Analytical Procedures

Preliminary analytical procedures are used to assist the auditor to better understand the
business and to plan the nature, timing, and extent of audit procedures. They consist of
evaluations of both financial and nonfinancial information. This is a required phase of the
audit. The main objectives of preliminary analytical procedures are (1) to understand the
client's business and transactions and (2) to identify financial statement accounts that are
likely to contain errors.

Substantive Analytical Procedures

Analytical Procedures involve a comparison of recorded values with expectations developed

by the auditor. Substantive analytical procedures are one of three types of analytical
procedures. They are used as a substantive procedure to obtain evidence about particular
assertions related to account balances or classes of transactions.

DEFINITION OF ANALYTICAL PROCEDURES

Analytical procedures consist of evaluations of financial information through analysis of

plausible relationships among both financial and non-financial data. They also encompass
such investigation as is necessary of identified fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values by a
significant amount (ISA 520). A basic premise underlying the application of analytical
procedures is that plausible relationships among data may reasonably be expected to exist and
continue in the absence of conditions to the contrary.

PURPOSES OF ANALYTICAL PROCEDURES

Analytical procedures are used throughout the audit process and are conducted for three
primary purposes:

1. Preliminary analytical review risk assessment (required by ISA 315)

Preliminary analytical reviews are performed to obtain an understanding of the
 business and its environment (eg financial performance relative to prior years and
relevant industry and comparison groups), to help assess the risk of material
misstatement in order to determine the nature, timing and extent of audit procedures,
ie to help the auditor develop the audit strategy and programme.
2. Substantive analytical procedures
Analytical procedures are used as substantive procedures when the auditor considers
that the use of analytical procedures can be more effective or efficient than tests of
details in reducing the risk of material misstatements at the assertion level to an
acceptably low level.
3. Final analytical review (required by ISA 520)
Analytical procedures are performed as an overall review of the financial statements
at the end of the audit to assess whether they are consistent with the auditors
understanding of the entity. Final analytical procedures are not conducted to obtain
additional substantive assurance. If irregularities are found, risk assessment should be
performed again to consider any additional audit procedures are necessary.

USE OF SUBSTANTIVE ANALYTICAL PROCEDURES

One of the objectives of ISA 520 is that relevant and reliable audit evidence is obtained when
using substantive analytical procedures. The primary purpose of substantive analytical
procedures is to obtain assurance, in combination with other audit testing (such as tests of
controls and substantive tests of details), with respect to financial statement assertions for one
or more audit areas. Substantive analytical procedures are generally more applicable to large
volumes of transactions that tend to be more predictable over time.

The application of substantive analytical procedures is based on the expectation that

relationships among data exist and continue in the absence of known conditions to the
contrary. The presence of these relationships provides audit evidence as to the completeness,
accuracy and occurrence of transactions. Due to their nature, substantive analytical
procedures can often provide evidence for multiple assertions, identify audit issues that may
not be apparent from more detailed work, and direct the auditors attention to areas requiring
further investigation. Furthermore, the auditor may identify risks or deficiencies in internal
control that had not previously been identified, which may cause the auditor to re-evaluate his
planned audit approach and require the auditor to obtain more assurance from other
substantive testing than originally planned.
To derive the most benefit from substantive analytical procedures, the auditor should
perform substantive analytical procedures before other substantive tests because results of
substantive analytical procedures often impact the nature and extent of detailed testing.
Substantive analytical procedures might direct attention to areas of increased risk, and the
assurance obtained from effective substantive analytical procedures will reduce the amount of
assurance needed from other tests. There are four elements that comprise distinct steps that
are inherent in the process to using substantial analytical procedures:

STEP 1: Develop an independent expectation: The development of an appropriately

precise, objective expectation is the most important step in effectively using substantive
analytical procedures. An expectation is a prediction of a recorded amount or ratio. The
prediction can be a specific number, a percentage, a direction or an approximation, depending
on the desired precision.
The auditor should have an independent expectation whenever s/he uses substantive
analytical procedures (ISA 520). The auditor develops expectations by identifying plausible
relationships (eg between store square footage and retail sales, market trends and client
revenues) that are reasonably expected to exist based on his knowledge of the business,
industry, trends, or other accounts.

STEP 2: Define a significant difference (or threshold): While designing and performing
substantive analytical procedures the auditor should consider the amount of difference from
the expectation that can be accepted without further investigation (ISA 520). The maximum
acceptable difference is commonly called the threshold.
Thresholds may be defined either as numerical values or as percentages of the items
being tested. Establishing an appropriate threshold is particularly critical to the effective use
of substantive analytical procedures. To prevent bias in judgment, the auditor should
determine the threshold while planning the substantive analytical procedures, ie before Step
3, in which the difference between the expectation and the recorded amount are computed.

The threshold is the acceptable amount of potential misstatement and therefore should not
exceed planning materiality and must be sufficiently small to enable the auditor to identify
misstatements that could be material either individually or when aggregated with
misstatements in other disaggregated portions of the account balance or in other account
balances.

STEP 3: Compute difference: The third step is the comparison of the expected value with
the recorded amounts and the identification of significant differences, if any. This should be
simply a mechanical calculation. It is important to note that the computation of differences
should be done after the consideration of an expectation and threshold. In applying
substantive analytical procedures, it is not appropriate to first compute differences from prior-
period balances and then let the results influence the expected difference and the acceptable
threshold.
STEP 4: Investigate significant differences and draw conclusions: The fourth step is the
investigation of significant differences and formation of conclusions (ISA 520). Differences
indicate an increased likelihood of misstatements; the greater the degree of precision, the
greater the likelihood that the difference is a misstatement.
Explanations should be sought for the full amount of the difference, not just the part
that exceeds the threshold. There is a chance that the unexplained difference may indicate an
increased risk of material misstatement. The auditor should consider whether the differences
were caused by factors previously overlooked when developing the expectation in Step 1,
such as unexpected changes in the business or changes in accounting treatments.
If the difference is caused by factors previously overlooked, it is important to verify
the new data, to show what impact this would have on the original expectations as if this data
had been considered in the first place, and to understand any accounting or auditing
ramifications of the new data.

KEY FACTORS AFFECTING THE PRECISION OF ANALYTICAL PROCEDURES

There are four key factors that affect the precision of analytical procedures:

1. Disaggregation: The more detailed the level at which analytical procedures are
performed, the greater the potential precision of the procedures. Analytical procedures
performed at a high level may mask significant, but offsetting, differences that are
more likely to come to the auditors attention when procedures are performed on
disaggregated data.
The objective of the audit procedure will determine whether data for an
analytical procedure should be disaggregated and to what degree it should be
 disaggregated. Disaggregated analytical procedures can be best thought of as looking
at the composition of a balance(s) based on time (eg by month or by week) and the
source(s) (eg by geographic region or by product) of the underlying data elements.
The reliability of the data is also influenced by the comparability of the information
available and the relevance of the information available.
2. Data reliability: The more reliable the data is, the more precise the expectation. The
data used to form an expectation in an analytical procedure may consist of external
industry and economic data gathered through independent research. The source of the
information available is particularly important. Internal data produced from systems
and records that are covered by the audit, or that are not subject to manipulation by
persons in a position to influence accounting activities, are generally considered more
reliable.
3. Predictability: There is a direct correlation between the predictability of the data and
the quality of the expectation derived from the data. Generally, the more precise an
expectation is for an analytical procedure, the greater will be the potential reliability
of that procedure. The use of non-financial data (eg number of employees, occupancy
rates, units produced) in developing an expectation may increase the auditors ability
to predict account relationships. However, the information is subject to data reliability
considerations mentioned above.
4. Type of analytical procedures: There are several types of analytical procedures
commonly used as substantive procedures and will influence the precision of the
expectation. The auditor chooses among these procedures based on his objectives for
the procedures (ie purpose of the test, desired level of assurance).

Trend analysis the analysis of changes in an account over time.

Ratio analysis the comparison, across time or to a benchmark, of
relationships between financial statement accounts and between an account
and non-financial data.
Reasonableness testing the analysis of accounts, or changes in accounts
between accounting periods, that involves the development of a model to form
an expectation based on financial data, non - financial data, or both.

Each of the types uses a different method to form an expectation. They are ranked from
lowest to highest in order of their inherent precision. Scanning analytics are different from
the other types of analytical procedures in that scanning analytics search within accounts or
other entity data to identify anomalous individual items, while the other types use aggregated
financial information.
If the auditor needs a high level of assurance from a substantive analytical procedure,
s/he should develop a relatively precise expectation by selecting an appropriate analytical
procedure (eg a reasonableness test instead of a simple trend or flux analysis). Thus,
determining which type of substantive analytical procedure to use is a matter of professional
judgment.
In summary, there is a direct correlation between the type of analytical procedure
selected and the precision it can provide. Generally, the more precision inherent in an
analytical procedure used, the greater the potential reliability of that procedure.