Internal Control-Concepts & Standards
-Obtaining and Understanding of Internal Control
The auditor should obtain an initial understanding of internal controls and document that
The auditor obtains an
understanding of internal control
and the flow of documents related to
the entity's transactions primarily through:
Inquiry of appropriate personnel
Observation of client activities
Review of documentation
The auditor reviews relevant documentation, including the
client's accounting manuals, prior-year's audit documentation (working papers), etc.
The auditor's internal control analysis tends to focus on the entity's major transaction cycles.
Defined to be a group of essentially homogeneous transactions, that is,
transactions of the same type.
A specific transaction cycle is the highest level of aggregation about which
meaningful generalizations of control risk can be made, since control risk is constant within that
transaction cycle. Each transaction within a specific transaction cycle is captured, processed, and
recorded subject to the same set of internal control policies and procedures.
Examples of Typical Transaction Cycles
Typical examples, include the following:
Inventory, especially if inventory is manufactured, rather than purchased
Document the Auditor's Understanding
The auditor should document that understanding of
internal control. The extensiveness of the review and documentation varies with the
circumstances (e.g., the emphasis on understanding internal controls increases if reliance on
internal control is planned):
Flow charts of transaction cycles
A graphical depiction of the client's accounting
systems for major categories of transactions with emphasis on the origination, processing,
and distribution of important underlying accounting documents.
A fairly systematic approach that is unlikely to overlook important
considerations; tailored to client-specific circumstances; fairly easy for others to
review and understand; and fairly easy to update from year to year.
Can be rather tedious and time consuming to prepare initially
although available commercial software today may eliminate much of that
difficulty; the auditor might fail to recognize relevant internal control
deficiencies by getting too absorbed in the details of documenting the client's