CH 6 - Control

Uploaded by

dhejjjrjr
CHAPTER SIX

Internal Control
Internal Control Concepts
Internal control system comprises policies, practices, and
procedures employed by the organization to achieve four
Control objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting
records and information.
3. To promote efficiency in the firm’s operations.
4. To measure and maintain compliance with management’s
prescribed policies and procedures.
• Internal control is the client’s responsibility and
should be designed to help the client attain goals
• Internal control should provide reasonable but not
absolute assurance; cost/benefit must be considered.
• Internal control has inherent limitations (e.g.,
misunderstandings, mistakes, fatigue, carelessness,
collusion, management override, cost considerations
etc.)
• Internal control is a process. It is a means to an end,
not an end in itself
• Internal control is affected by people. It's not merely
policy manuals and forms, but people's actions at
every level of the organization.
Why is an understanding of Internal Controls
important?
• To plan the Audit: sufficient understanding of internal
control should be obtained to plan the audit.
• Assess control risk: Internal control affects audit risk. The
extent of substantive testing to be carried out will depend
on the results of the tests of controls which will affect the
auditor's assessment of control risk.
– If control risk is high, the auditor increases the number and
level of substantive procedures, obtains more evidence
from external sources, increases the samples…
– If control risk is low, the auditor can rely on the internal
controls and reduce the quantity of substantive
procedures to be performed.
Types of Internal Controls
• Internal controls perform three important functions:
– Preventive, detective & corrective
1. Preventive controls: Deter problems before they
arise.
– are designed to keep errors or irregularities from
occurring in the first place. Examples of preventive
controls are:
• Hiring qualified personnel,
• segregating employee duties,
• adequate documentation
• controlling physical access to assets and information
2. Detective controls: Discover problems quickly when they
do arise.
✓ are designed to detect errors or irregularities that may have
occurred.
Examples:
– Regular supervisory review of account activity, reports,
reconciliations
– Routine spot-checking of transactions, records and
reconciliations (do things make sense and look
reasonable)
– Variance analysis, including budget to actual
comparisons
– Physical inventories
– reconciliation
– Internal audit review of business unit’s controls
– monthly trial balances.
3. Corrective controls: identify and correct
problems as well as correct and recover from
the resulting errors.
– Designed to reduce the impact of a problem that
has occurred and been detected, and to help restore the
business to normal operations
Examples
• maintaining backup copies of files,
• correcting data entry errors, and
• resubmitting transactions for subsequent
processing
Elements of Internal Controls
• ISA 315 requires the auditor to
understand the client’s internal
controls. Internal control model has
five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring
1. The Control Environment
• The control environment includes the governance
and management function of an organization.
• It focuses largely on the attitude, awareness
and actions of those responsible for
designing, implementing and monitoring
internal controls
• It is the foundation for the other four control
components.
• It sets the tone for the organization and influences
the control awareness of its management and
employees.
Factors relating to the control environment
1. Management’s philosophy and operating
style
– their approach to taking and monitoring
business risk
– their attitude and actions toward financial
reporting
– their emphasis on meeting financial and
operating goals

• Manifestations of management philosophy:
a. Risk takers
– Extremely aggressive in financial reporting
– Place great emphasis on meeting or
exceeding earnings projections
– Willing to undertake activities of high risk
with the prospect of high return

b. Risk averters
– Extremely conservative
Management philosophy can also be
manifested in whether the organization is
formal or informal.
Informal: controls implemented by face to
face contact between employees &
management
Formal: controls implemented by establishing
written policies, performance reports, &
exception reports
2. Organizational structure
• The auditor should consider lines of
responsibility and authority.
• Consider tall or flat structure

[Figure: flat structure compared with tall structure]
• How does the organization structure affect the control
environment?
– A well-designed structure provides a basis for planning,
directing, & controlling operations
– It divides authority, responsibility, and duties among
members of the organization
• Separation of responsibilities for:
– Authorization of transactions
– Execution of transactions
– Recordkeeping
– Custody of assets
3. Assignment of authority and responsibility
• Clear understanding of responsibilities by
employees and rules & regulations governing
their actions
• Common methods of communicating internal
controls to employees:
– Job description
– Memos
– Company policies
– Employee handbook
4. Human resource policies and practices.
• Management should ensure that competent,
trustworthy, & motivated personnel are employed to
meet client goals and objectives.
• Employees are the critical component of effective
internal control.
• With competent, trustworthy, & motivated
personnel, even a poorly designed system of internal
control may function adequately.
• Management's policies and practices for hiring,
orientation, training, evaluating, counseling,
promoting, and compensating employees have a
significant influence on the effectiveness of the
control environment.
• Without such personnel, even a well-designed
system will probably fail.
5. Management’s reaction to external influences
– Is management aware of external influences
such as changes in the economy and
technology?
6. Internal audit
– Does an internal audit department exist?
– Does internal audit assist the external
auditors and reduce audit fees?

7. Commitment to competence
• Does management care about competence? Do
they hire employees based on competence or
favoritism?
• Do they reward employees for their
achievement?
• Is there any training to upskill employees?
8. Integrity & Ethical values
• For the internal control to be effective, those who
create, administer, and monitor controls should
have integrity & ethical values

2. Risk Assessment
• Organizations must perform a risk assessment to
identify, analyze, and manage risks relevant to financial
reporting.
• Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate potential loss if event occurs
• Four ways to respond to risk:
– Reduce it: Implement effective internal control
– Accept it: Do nothing, accept likelihood and impact of risk
– Share it: Buy insurance, outsource, or hedge
– Avoid it: Do not engage in the activity
• Companies should make risk assessment following
these steps:
1. Identify the events or threats that confront the
company
2. Estimate the likelihood or probability of each event
occurring
3. Estimate the impact of potential loss from each
threat
4. Identify the set of controls to guard against the threat
5. Estimate costs and benefits from instituting
controls
6. Implement the set of controls to guard against the
threat
Key Factors in Risk Assessment
• Changes in the Operating Environment
• New Personnel
• New or revamped (restored) information
systems
• Rapid Growth
• New Technology
• New Lines, Products or Activities
• Corporate Restructuring
• Foreign Operations
• Accounting Pronouncements
3. Control Activities
• Control activities are the policies and procedures used
to ensure that appropriate actions are taken to deal
with the organization’s identified risks.
• Generally, control procedures fall into one of five
categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance
1. Proper Authorization of Transactions and Activities
• Authorization is the empowerment management gives
employees to perform activities and make decisions.
• Typically at least two levels of authorization:
– General authorization
• Management authorizes employees to handle routine
transactions without special approval.
– Special authorization
• For activities or transactions that are of significant
consequences, management review and approval is
required.
• Might apply to sales, capital expenditures, or write-offs
over a particular dollar limit.
• Management should have written policies for both
types of authorization and for all types of transactions.
2. Segregation of duties
• Good internal control requires that no single employee be given
too much responsibility over business transactions or processes.
• An employee should not be in a position to commit and conceal
fraud or unintentional errors.
• Effective segregation of accounting duties is achieved
when the following functions are separated:
– Authorization—Approving transactions and decisions.
– Recording—Preparing source documents; maintaining
journals, ledgers, or other files; preparing reconciliations;
and preparing performance reports.
– Custody—Handling cash, maintaining an inventory
storeroom, receiving incoming customer checks, writing
checks on the organization’s bank account.
• If any two of the preceding functions are the responsibility
of one person, then problems can arise.
3. Design and use of adequate documents and records
• Proper design and use of documents and records
helps ensure accurate and complete recording of
all relevant transaction data.
• Form and content should be kept as simple as
possible to:
– Promote efficient record keeping
– Minimize recording errors
– Facilitate review and verification
• Documents that initiate a transaction should
contain a space for authorization.
• Those used to transfer assets should have a space
for the receiving party’s signature.
• Documents should be sequentially pre-numbered
4. Safeguard assets, records, and data
• The following procedures can be taken to safeguard
both information and physical assets from theft,
unauthorized use, and vandalism.
– Maintain accurate records of all assets
– Periodically reconcile recorded amounts to physical counts
– Restrict access to assets
– Protect records and documents
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and
information
5. Independent Checks on Performance
• Independent checks, which ensure that transactions are
processed accurately, are another important
control element.
• Those reviewing performance should be
independent of those performing a task
• What are various types of independent
checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals
– Independent review
4. Information and communication
• It refers to all of the business processes relevant to
financial reporting and communication.
• Information processing activities include:
– How transactions are initiated, recorded, processed,
corrected as necessary, incorporated in the general ledger
and reported in the financial statements
– How information about events and conditions, other than
transactions, is captured, processed and disclosed in the
financial statements
5. Monitoring
• Monitoring is the process by which the quality
of internal control design and operation can
be assessed.
• What are the key methods of monitoring
performance?
– effective supervision
– responsibility accounting (budgets)
– internal auditing (internal control evaluation)
– employing a computer security officer
• Following are descriptions of ten internal controls.

Solution
• 1. Information and communication
• 2. Control environment
• 3. Risk assessment
• 4. Monitoring
• 5. Control activities
• 6. Information and communication
• 7. Control activities
• 8. Control environment
• 9. Risk assessment
• 10. Control activities

Limitations of Internal Control
• The auditor can never eliminate the need for
substantive procedures entirely because there
are inherent limitations to the reliance that
can be placed on internal controls due to:
– Human error
– Collusion of staff: if they cooperate to evade the
internal control
– Management override
– Non-routine transactions
THANK YOU FOR YOUR
ATTENTION!!!!!
