University of Melbourne · S1 2026 · FACULTY OF BUSINESS & ECONOMICS

ACCT90014 · Auditing And Assurance Services

- one subject, every graph, every model, every mark
50% final exam · hurdle14 Chapters5-page Bible
Our own words - no uploaded lecturer files
Built to mirror S1 2026 · updated this semester
Chapter 3 of 7 · ACCT90014

Internal Controls and Assertions

Internal control is the set of processes management uses to give reasonable assurance over reliable financial reporting, effective operations and compliance. The auditor must understand it (ASA 315) to assess control risk, and may test it to rely on it. The COSO Integrated Framework names its five components — control environment, risk assessment, control activities, information & communication, and monitoring — and ACCT90014 expects you to place a control in the right one. Controls are then classified by purpose (preventive vs detective) and by form (manual vs automated, general IT vs application). The other half of the chapter is assertions: the explicit or implicit claims management makes about transactions, balances and disclosures (existence, completeness, accuracy, valuation, rights & obligations, occurrence, cut-off, classification, presentation). The centrepiece skill is mapping — for a given account and risk, name the assertion at stake and design a procedure to test it — and the most marks are lost on the confused pairs (completeness vs occurrence, accuracy vs valuation, existence vs rights & obligations, classification vs presentation). Learn the one-line distinction for each so you can pick the right assertion under exam pressure.

In this chapter

What this chapter covers

  • 01Internal control and the COSO five components (ASA 315)
  • 02Control types: preventive vs detective; manual vs automated; general vs application
  • 03Tests of controls — when, and how to rely on a control
  • 04Management assertions: the three categories and what each claims
  • 05The commonly-confused pairs and the one-line tell for each
  • 06Worked scenario: map controls → test of control → assertion protected
Worked example · free

Worked example: which assertion does the procedure test?

Q [6 marks]. For each procedure, name the management assertion it primarily tests and explain why. (a) Selecting recorded sales invoices and tracing them to dispatch records and customer orders. (b) Selecting dispatch records and tracing them forward to recorded sales invoices. (c) Inspecting the title deeds and finance agreements for items of plant recorded as owned.
  • +2(a) Starting from the records (sales invoices) and going to the source (dispatch) tests occurrence — that recorded sales are real. This is vouching, the overstatement direction.
  • +2(b) Starting from the source (dispatch) and going to the records tests completeness — that goods dispatched were actually billed. This is tracing, the understatement direction.
  • +1(c) Inspecting deeds and finance agreements tests rights & obligations — whether the entity actually owns (controls) the assets it records, not merely that they exist.
  • +1State the tell: the direction of testing decides the assertion — records→source = occurrence (overstatement); source→records = completeness (understatement); ownership questions are rights & obligations, distinct from existence.
(a) occurrence (vouching, overstatement direction); (b) completeness (tracing, understatement direction); (c) rights & obligations (ownership, distinct from existence). The discriminating idea is direction of testing for the first two, and the existence-vs-ownership split for the third — precisely the confused pairs the exam targets.
Glossary

Key terms

Internal control
The processes management designs and operates to give reasonable assurance over reliable financial reporting, effective and efficient operations, and compliance with laws. The auditor understands it (ASA 315) to assess control risk and may test it to rely on it.
COSO five components
The internal-control framework: control environment, risk assessment, control activities, information & communication, and monitoring. The exam expects you to assign a given control to the correct component.
Test of controls
A procedure to evaluate whether a control operated effectively throughout the period. If controls are reliable, the auditor can assess control risk below maximum and reduce substantive testing; if not, substantive procedures must do the work.
Management assertion
An explicit or implicit claim about a class of transactions, account balance or disclosure — existence, completeness, accuracy, valuation, rights & obligations, occurrence, cut-off, classification, presentation. Each relevant assertion needs sufficient appropriate evidence (ASA 315).
Completeness vs occurrence
The classic confused pair. Completeness asks whether everything that should be recorded is recorded (understatement risk, tested by tracing source→records); occurrence asks whether what is recorded really happened (overstatement risk, tested by vouching records→source).
FAQ

Internal Controls and Assertions FAQ

What is the difference between completeness and occurrence?

They guard opposite errors. Completeness asks 'is everything that happened recorded?' — the understatement risk — and is tested by tracing from the source document forward to the records. Occurrence asks 'did everything recorded actually happen?' — the overstatement risk — and is tested by vouching from the record back to the source. Direction of testing is the tell.

How do existence and rights & obligations differ?

Existence asks whether a recorded asset is really there; rights & obligations asks whether the entity actually owns or controls it. An asset can exist but be leased, pledged or held on consignment, so confirming existence does not establish ownership. Inspect title deeds, finance agreements and contracts to test rights & obligations.

When can the auditor rely on a client's controls?

Only after understanding the control (ASA 315) and testing that it operated effectively throughout the period. If tests of controls support reliance, control risk can be assessed below maximum and substantive testing reduced; if the control is absent or ineffective, the auditor falls back on substantive procedures to gather the evidence.

Why does the exam keep asking me to map procedures to assertions?

Because that mapping is the core audit skill: a procedure only earns marks if it is the right test for the assertion at risk. The expected model answer is typically a three-column table — control, test of control, assertion protected — so the exam rewards picking the correct assertion and the procedure that addresses it, especially across the confused pairs.

Study strategy

Exam move

Memorise the COSO five components and practise dropping a named control into the right one. For assertions, build a flashcard for each of the confused pairs with its one-line tell, and drill the direction-of-testing rule until it is automatic: records→source = occurrence (overstatement, vouching); source→records = completeness (understatement, tracing). Practise the staple three-column move — control, test of control, assertion protected — on fresh cycle narratives, because that table is the exam's preferred answer form. Always tie the procedure to the assertion at risk; a procedure named without the matching assertion earns little.

A+Everything unlocked
Unlocks this Bible + all 118 of your University of Melbourne subjects - and 1,000+ Bibles across every Australian university.
Sia - your ACCT90014 tutor, unlimited, worked the way the exam marks it
The full 5-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full ACCT90014 Bible + 118 University of Melbourne subjects解锁完整 ACCT90014 Bible + University of Melbourne 118 门科目
$25/mo