[AUD] Internal Control (Planning stage, TOC)

by manii 2024. 3. 19.


0. General




establish and maintain effective and efficient internal control


plan audit and assess control risk

ensure the audit committee is aware of SD and MW which come to the auditor's attention

> no obligation to search for SD of IC



reasonable assurance

- cost constraints

- mgt override

- human judgment in decision-making

- human failure

- control circumvented by collusion



independent private sector initiative

1992 IC - Integrated Framework

2013 Fundamental Concept Framework update




O: effectiveness and efficiency of operations

R: reliability of financial reporting (most relevant objective for audit)

C: Compliance with applicable laws and regulations


Components by COSO

- each of the five components of IC may affect any of the three overall entity objectives

- five components of IC are applicable to all audits

- auditor is required to have an understanding of each component

- five components > useful framework for identifying and evaluating controls

| Component | Principles (mnemonic) | Description | Related factors / examples |
| --- | --- | --- | --- |
| C: Control environment | E: commitment to ethics and integrity; b: board independence and oversight; o: organization structure; c: commitment to competence; a: accountability | sets the tone of the organization | integrity; competence; participation of those charged w/ governance; mgt philosophy; organizational structure; assignment of responsibility; human resource policies |
| R: Risk assessment | S: specify objectives; A: assess changes; F: fraud; R: risk analysis | identification by management of the risk relevant to the preparation of the FS | NEW risks are generally related to changes |
| I: Information and communication | O: obtain and use information; I: internal communication; E: external communication | methods used to classify and report transactions, and to communicate roles and responsibilities | initiating, authorizing, recording, processing, and reporting entity transactions, conditions and events; communicating roles and responsibilities |
| M: Monitoring | SO: ongoing and separate evaluation; D: communication of deficiencies | procedures established to assess the QC performance over time; ensure that IC continues to operate effectively | internal audit function; regular mgt and supervisory activities; mailing customer statements (assess info from external parties) |
| E: Existing control activity | CA: select and develop control activity; T: select and develop technology controls; P: deploy through policies and procedures | policies and procedures established to ensure that mgt objectives are carried out | authorization; segregation of duties; operating performance review; safeguarding of assets; asset accountability |

Prenumbering of Documents

Authorization and approval of transactions

Independent checks to maintain asset accountability


Timely and appropriate financial performance reviews

Information processing controls

Physical or logical controls for safeguarding assets and information

Segregation of duties



1. Understanding of internal control


understand the design of IC components and ascertain whether IC has been implemented (not operating effectiveness)

Procedure (risk assessment procedures: CR)

 - inquiries, inspection, observation, tracing > walk-through


- Size, complexity, nature


Auditors' understanding of control activities

audit does not require an understanding of all control activities

auditor's primary consideration should be whether, and how a control prevents, or detects and corrects, MM

Automated environment
- automated controls are not always more efficient + cost-effective
- unauthorized access to data, system, programs > add IC risk
- when info used in monitoring IC is provided by IT, accuracy of the IT system is crucial
- effectiveness of manual user controls may depend on accuracy of info provided by IT systems

2. Assess risk of material misstatement


understanding and assessing control risk can be done concurrently


3. Test of Controls


effectiveness of the design or operation of a control

procedure (inquiries, inspection, observation, reperformance)

* inquiry alone is not enough

* when ST is more effective than TOC, ST alone may be performed without TOC


use evidence obtained in PY > see whether changes have occurred


4. Reassess control risk


sufficient evidential matter > further reduce the assessed level of control risk

conditions to reassess control risk

- Additional test of control is efficient

- sufficient data is available

- cost of additional test of control is below the benefit


Documentation (must)

| Procedure | CR at Max | CR below Max |
| --- | --- | --- |
| Understanding IC | Yes | Yes |
| Test of control (scope of IC testing performed) | No | Yes |
| Assessment of CR - conclusion | Yes | Yes |
| Basis for conclusion | No | Yes |



Establishing budgets and forecasts to identify variances from expectations

> mgt control, improve mgt's ability to supervise company activities

