ACCT90014 · Auditing And Assurance Services
Internal Controls and Assertions
Internal control is the set of processes management uses to give reasonable assurance over reliable financial reporting, effective operations and compliance. The auditor must understand it (ASA 315) to assess control risk, and may test it to rely on it. The COSO Integrated Framework names its five components — control environment, risk assessment, control activities, information & communication, and monitoring — and ACCT90014 expects you to place a control in the right one. Controls are then classified by purpose (preventive vs detective) and by form (manual vs automated, general IT vs application). The other half of the chapter is assertions: the explicit or implicit claims management makes about transactions, balances and disclosures (existence, completeness, accuracy, valuation, rights & obligations, occurrence, cut-off, classification, presentation). The centrepiece skill is mapping — for a given account and risk, name the assertion at stake and design a procedure to test it — and the most marks are lost on the confused pairs (completeness vs occurrence, accuracy vs valuation, existence vs rights & obligations, classification vs presentation). Learn the one-line distinction for each so you can pick the right assertion under exam pressure.
What this chapter covers
- 01Internal control and the COSO five components (ASA 315)
- 02Control types: preventive vs detective; manual vs automated; general vs application
- 03Tests of controls — when, and how to rely on a control
- 04Management assertions: the three categories and what each claims
- 05The commonly-confused pairs and the one-line tell for each
- 06Worked scenario: map controls → test of control → assertion protected
Worked example: which assertion does the procedure test?
- +2(a) Starting from the records (sales invoices) and going to the source (dispatch) tests occurrence — that recorded sales are real. This is vouching, the overstatement direction.
- +2(b) Starting from the source (dispatch) and going to the records tests completeness — that goods dispatched were actually billed. This is tracing, the understatement direction.
- +1(c) Inspecting deeds and finance agreements tests rights & obligations — whether the entity actually owns (controls) the assets it records, not merely that they exist.
- +1State the tell: the direction of testing decides the assertion — records→source = occurrence (overstatement); source→records = completeness (understatement); ownership questions are rights & obligations, distinct from existence.
Key terms
- Internal control
- The processes management designs and operates to give reasonable assurance over reliable financial reporting, effective and efficient operations, and compliance with laws. The auditor understands it (ASA 315) to assess control risk and may test it to rely on it.
- COSO five components
- The internal-control framework: control environment, risk assessment, control activities, information & communication, and monitoring. The exam expects you to assign a given control to the correct component.
- Test of controls
- A procedure to evaluate whether a control operated effectively throughout the period. If controls are reliable, the auditor can assess control risk below maximum and reduce substantive testing; if not, substantive procedures must do the work.
- Management assertion
- An explicit or implicit claim about a class of transactions, account balance or disclosure — existence, completeness, accuracy, valuation, rights & obligations, occurrence, cut-off, classification, presentation. Each relevant assertion needs sufficient appropriate evidence (ASA 315).
- Completeness vs occurrence
- The classic confused pair. Completeness asks whether everything that should be recorded is recorded (understatement risk, tested by tracing source→records); occurrence asks whether what is recorded really happened (overstatement risk, tested by vouching records→source).
Internal Controls and Assertions FAQ
What is the difference between completeness and occurrence?
They guard opposite errors. Completeness asks 'is everything that happened recorded?' — the understatement risk — and is tested by tracing from the source document forward to the records. Occurrence asks 'did everything recorded actually happen?' — the overstatement risk — and is tested by vouching from the record back to the source. Direction of testing is the tell.
How do existence and rights & obligations differ?
Existence asks whether a recorded asset is really there; rights & obligations asks whether the entity actually owns or controls it. An asset can exist but be leased, pledged or held on consignment, so confirming existence does not establish ownership. Inspect title deeds, finance agreements and contracts to test rights & obligations.
When can the auditor rely on a client's controls?
Only after understanding the control (ASA 315) and testing that it operated effectively throughout the period. If tests of controls support reliance, control risk can be assessed below maximum and substantive testing reduced; if the control is absent or ineffective, the auditor falls back on substantive procedures to gather the evidence.
Why does the exam keep asking me to map procedures to assertions?
Because that mapping is the core audit skill: a procedure only earns marks if it is the right test for the assertion at risk. The expected model answer is typically a three-column table — control, test of control, assertion protected — so the exam rewards picking the correct assertion and the procedure that addresses it, especially across the confused pairs.
Exam move
Memorise the COSO five components and practise dropping a named control into the right one. For assertions, build a flashcard for each of the confused pairs with its one-line tell, and drill the direction-of-testing rule until it is automatic: records→source = occurrence (overstatement, vouching); source→records = completeness (understatement, tracing). Practise the staple three-column move — control, test of control, assertion protected — on fresh cycle narratives, because that table is the exam's preferred answer form. Always tie the procedure to the assertion at risk; a procedure named without the matching assertion earns little.