1 Introduction
Internal control is the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance that an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws
and regulations will be achieved.
The auditor is interested in internal controls relevant to the preparation of financial statements primarily,
although the entity’s system of internal control will extend more widely than this.
1.1 Internal control components
An internal control system consists of five elements:
The control environment – the attitudes, awareness, and actions of those charged with governance and
management concerning the entity’s internal control and its importance in the entity. The control environment
sets the tone of an organisation, influencing the control consciousness of its people.
The entity’s risk assessment process relevant to the preparation of financial statements – the auditor needs
to determine whether the entity has a process for identifying and controlling the risks in the business.
The entity’s process to monitor the system of internal control – management’s monitoring of controls
includes considering whether they are operating as intended and modified as appropriate for changes. It also
includes consideration of how they adjust for discovered deficiencies. Internal audit may assist management
with this process.
The information system and communication – understanding how information flows through the
information system, including the financial reporting system and the supporting IT system and how the entity
communicates significant matters relating to its preparation of financial statements. In addition, evaluating
whether the information system and communication appropriately support the preparation of the financial
statements.
Control activities – policies and procedures that help ensure management objectives are carried out:
– Authorisation and approval - approval of transactions by a suitably responsible official
– Physical (logistical) controls - restricting access to physical assets such as cash or inventory and accounting
records
– Segregation of duties - assignment of roles and responsibilities within a process to different people, thereby
reducing the risk of fraud and error occurring
– Verification controls, for instance, in information processing - arithmetic and accounting controls such as
checking the arithmetical accuracy of accounting records
– Reconciliations - performing account reconciliations or comparing budgets with actuals.
1.1.1 Direct and indirect control activities
Some control activities relate directly to the risks of material misstatement that the auditor is concerned with.
For example, controls over an inventory count directly relate to whether that inventory is complete and accurate in
the financial statements. Testing such direct controls will give good evidence about material misstatements in
the financial statements.
Indirect (other) control activities may be less directly connected to the financial statements, for example, if they
simply contribute to operational efficiency or underpin other controls. These will be less effective in preventing,
or detecting and correcting, material misstatements. For example, a sales manager may regularly review sales
reports from a variety of branches for various reasons. This is related to whether sales are complete in the
financial statements, but it does not directly contribute to ensuring they are, so this is unlikely to be a control an
external auditor would test.
1.2 Limitations of internal control
Internal control systems can only give the directors of a company reasonable assurance as to the achievement of
the entity’s financial reporting objectives. This is because, in any system, there will be inherent limitations:
The cost of the controls may outweigh the benefits so controls are not implemented
Many controls only cover routine transactions so non-routine transactions may not be subject to controls
Human error is always possible, meaning controls are not implemented properly
Staff could collude to get round the system, meaning controls could be bypassed in secret
Management override of controls may be possible, meaning controls could be bypassed
2 The use of internal control systems by auditors
An understanding of internal control will help the auditor identify types of potential misstatements, consider
factors that affect the risks of material misstatement, and design the nature, timing, and extent of further
audit procedures.
Auditors are interested in internal controls, as a strong internal control system will provide them with greater
assurance as to the truth and fairness of the financial statements.
For example, the auditors might assess the controls associated with the valuation of debts (credit controls) and
reduce substantive testing in that area.
2.1 Explain how auditors record internal control systems
There are three methods commonly used to record a client's internal control system.
2.1.1 Narrative notes
A written, or word-processed, description of the system.
Advantages:
– Simple and quick to record
– Easy to understand for all of the audit team (including juniors)
Disadvantages:
– Can be cumbersome, especially if the system is complex
– Can make it more difficult to identify missing internal controls, as the notes record the detail but do not
identify control exceptions clearly
2.1.2 Flowcharts
Diagrammatic representations of the system, usually broken down into separate activities.
Advantages:
– Easier to identify missing internal controls
– This visual aid can make it easier to record complex systems
Disadvantages:
– Can be time-consuming to prepare
– Needs a little training to prepare and understand
2.1.3 Questionnaires
Internal control questionnaires are used to assess whether controls exist which meet specific objectives to
prevent or detect errors.
The audit firm will have a standard list of control questions.
Advantages:
– Quick to prepare, which means they are a cost effective way of recording the system
– All controls in the system are considered and recorded; hence missing controls are clearly highlighted
– Simple to complete – any member of the team can complete them
Disadvantages:
– Company could easily overstate the level of controls present
– Needs to be tailored for each client, otherwise unusual controls may be missed
2.2 Walkthrough tests
Once the auditor has documented the client’s internal control system, he will perform a walkthrough test. The
auditor performs this test by following one transaction through each stage of the accounting process to ensure
that the systems and controls operate as documented.
Note that this is NOT a test of control (ie that controls are operating properly); it is a test to confirm that the
system matches what the auditor has been told (ie that controls which have been described appear to
3 Transaction cycles
The following transaction cycles and account balances are relevant to this section:
Sales
Purchases
Inventory
Non-current assets
Payroll
Bank and cash
Essentially, what this means is that you are likely to be given a scenario in a question based upon a company and
how it controls that particular part of the business. Your task will often be to identify the deficiencies in that
process and to make recommendations on improvements.
Sales
A company’s sales system is designed to record all of a company’s sales and ensure that all sales lead to an
eventual receipt of cash. Typical stages in such a system are as follows.
Stage 1: Receipt of customer order
Risk: There is a risk that customer orders are not received or properly recorded. Therefore, sales are understated.
Objective of control: To ensure that sales are properly accounted for.
Control procedure:
1. All orders taken should be recorded on a pre-numbered multi-part document generated by the computer. One
part could form the invoice and one could go to the despatch department.
2. Regular checks should be performed on the completeness of the sequence of pre-numbered documents. Any
documents unaccounted for should be traced and investigated.
Risk: There is a risk that customers are unable to pay.
Objective of control: To ensure that goods are sold on credit only to customers who can pay.
Control procedure: Credit limits should be checked. Any orders that exceed customer credit limits should be
rejected and the customer advised. Any increase or override of credit limits should be authorised by the credit
controller.
Risk: There is a risk that orders are accepted from customers and no inventory is available for despatch.
Objective of control: To ensure that inventory is available for despatch.
Control procedure: The availability of inventory should be checked so that orders cannot be taken for goods with
nil/low inventory.
Stage 2: Despatch of customer order
Risk: There is a risk that goods despatched are not the “correct” goods ordered by the customer.
Objective of control: To ensure that the goods despatched are those that are ordered.
Control procedure:
1. All goods despatched should be accompanied by a Goods Despatch Note (GDN).
2. The GDN should be matched to the original customer order.
Risk: There is a risk that the goods despatched are of a poor quality.
Objective of control: To ensure that the goods despatched are of a satisfactory quality.
Control procedure:
1. A quality control check should be performed on a random sample of despatches, checking for correct quality
and quantities.
2. The customer should sign and return the GDN as acceptance of the goods.
Stage 3: Invoicing of customer order
Risk: There is a risk that customers are not invoiced or are invoiced incorrectly.
Objective of control: To ensure that invoices are raised correctly.
Control procedure: The sales invoice should be raised from/matched to the GDN.
Risk: There is a risk that sales invoices are not recorded in the ledgers at all.
Objective of control: To ensure that all invoices are properly included.
Control procedure:
1. All sales invoices should be pre-numbered.
2. All invoices should be posted to the sales day book, the accounts receivable ledger and the accounts
receivable control account.
3. Regular checks should be performed on the completeness of the sequence of pre-numbered invoices. Any
documents unaccounted for should be traced and investigated.
Risk: There is a risk that some items are not posted, or are posted incorrectly, to the ledgers.
Objective of control: To ensure that all items are correctly and accurately recorded.
Control procedure: The receivables ledger and the receivables control account should be reconciled each month.
This reconciliation should be reviewed and any differences should be investigated and resolved.
Stage 4: Collection of cash
Risk: There is a risk that customers do not pay or pay late.
Objective of control: To ensure that customers pay on a timely basis.
Control procedure: A credit control department should ensure that all debts are paid promptly by sending out
regular statements and chasing overdue debts.
Risk: There is a risk that funds received from customers are incorrectly allocated.
Objective of control: To ensure that funds received from customers are correctly allocated.
Control procedure: When bank transfers are received from customers, they should be matched with individual
transactions.
Risk: There is a risk that cash/cheques sent through the post go missing.
Objective of control: To ensure that cheques and cash do not go missing.
Control procedure:
1. There should be segregation of duties in the post room so that cheques received cannot be stolen.
2. All cheques should be recorded and banked promptly.
3. A bank reconciliation should be performed on a monthly basis in order to ensure that the company’s cash
records are complete, accurate and up to date.
Purchases
Stage 1: Purchase order raised
Risk: There is a risk that goods are ordered without proper authorisation.
Objective of control: To ensure that goods ordered are properly authorised.
Control procedure:
1. Purchase orders (POs) should be sequentially numbered and the sequence checked regularly.
2. All POs must be authorised by a responsible official.
Risk: There is a risk that goods are ordered from an unauthorised source.
Objective of control: To ensure that goods are ordered from authorised suppliers.
Control procedure:
1. Only authorised suppliers from a preferred supplier list are used.
2. If there is no authorised supplier, a tender should be invited and the best value supplier selected.
Stage 2: Receipt of goods
Risk: There is a risk that the supplier sends goods that are incorrect or substandard.
Objective of control: To ensure that the goods received are as ordered in terms of quantity and quality.
Control procedure:
1. All goods received should be checked for quality and quantity.
2. A pre-numbered Goods Received Note (GRN) should be raised and matched to the PO.
Risk: There is a risk that goods received are not added to inventory.
Objective of control: To ensure that goods received are added to inventory.
Control procedure:
1. The inventory system should be updated if the goods are for resale. If the items are for business use, the
correct entry should be made to non-current assets etc.
2. The GRN should be initialled to show that inventory has been updated.
Stage 3: Receipt of purchase invoice
Risk: There is a risk that suppliers invoice for the incorrect product, quantity or price.
Objective of control: To ensure that the correct product, quantities and prices are invoiced.
Control procedure: All invoices received should be checked back to the PO and GRN.
Risk: There is a risk that invoices are not included in the accounts.
Objective of control: To ensure that invoices are included in the accounts.
Control procedure:
1. Invoices should be added to the purchase day book.
2. The purchase day book should be posted to the nominal ledger/purchase ledger.
3. Supplier statements should be reconciled back to the purchase ledger.
Stage 4: Payment of purchase invoice
Risk: There is a risk that payments are made to the incorrect supplier, or for the incorrect amount.
Objective of control: To ensure that payments are made to the correct suppliers and for the correct amounts.
Control procedure:
1. All payments, whether cheque or bank transfer, should be authorised by a responsible official and
countersigned over a certain amount.
2. All paid invoices should be stamped “Paid”.
3. The purchase ledger should be updated promptly/automatically.
4. The purchase ledger should be reconciled to the nominal ledger monthly.
Inventory
Of course, there is a direct link between the controls surrounding inventory and purchases, given the accounting
entries for a purchase.
As well as those controls outlined in the purchases section above, the following controls are also relevant.
Risk: There is a risk that inventory could be stolen.
Objective of control: To ensure that inventory is stored securely.
Control procedure:
1. There should be appropriate physical security, e.g. [Link]/cameras.
2. There should be regular manual physical checks to make sure that actual numbers agree to stock records.
Risk: There is a risk that inventory could be obsolete or slow moving.
Objective of control: To ensure that inventory is current and saleable.
Control procedure:
1. There should be a regular review of the stock listing to monitor slow moving items.
2. There should be regular reviews of the physical stock to check for damage.
Risk: There is a risk that inventory may run out.
Objective of control: To ensure that inventory does not run out.
Control procedure: There should be a regular review of re-order levels.
In addition, controls over the inventory count discussed in Chapter 4 of these notes should be followed.
Payroll
Risk: There is a risk that non bona fide employees are paid.
Objective of control: To ensure that only bona fide employees are paid.
Control procedure: All new employees entered onto, or leavers removed from, the payroll system should be
authorised by a responsible official. There should be segregation of duties between the human resources and
payroll functions.
Risk: There is a risk that employees are paid incorrect amounts.
Objective of control: To ensure that employees are paid the correct amount.
Control procedure:
1. Time sheets should be reviewed for all employees.
2. Overtime/bonuses should be properly authorised by an appropriate manager.
3. Changes in pay rates should be properly documented.
4. The monthly payroll should be reviewed for reasonableness by an appropriate manager.
5. Exception reports should be generated and reviewed for pay over a certain threshold.
Risk: There is a risk that tax and NI are incorrectly calculated.
Objective of control: To ensure that tax and NI are correctly calculated.
Control procedure:
1. Tax and NI should be calculated by a trained official.
2. Software used should be updated regularly to account for changes in legislation.
Risk: There is a risk that wages paid in cash may be stolen.
Objective of control: To ensure that wages paid in cash are properly secure.
Control procedure:
1. There should be adequate security available.
2. Staff must sign to confirm receipt of cash wages.
3. Only pay staff directly into their bank accounts.
Bank and cash
Many of the controls surrounding receipt and payment of cash have already been listed above. Additional risks
and controls include the following.
Risk: There is a risk that cash kept on the premises could go missing.
Objective of control: To ensure that petty cash is kept securely.
Control procedure:
1. There should be appropriate security for petty cash, e.g. a locked drawer/safe.
2. There should be an imprest system that is regularly checked.
Risk: There is a risk that petty cash is spent inappropriately.
Objective of control: To ensure there is proper control of petty cash.
Control procedure: Expenditure should be appropriately authorised.
Risk: There is a risk that cheques are paid to unauthorised persons.
Objective of control: To ensure that payments are only made to authorised persons.
Control procedure: There should be at least two persons that sign cheques. Cheques should be kept in a secure
location.
Risk: There is a risk that receipts go missing or payments are made to unauthorised persons.
Objective of control: To ensure that all receipts are banked and all payments are made to bona fide persons.
Control procedure: A bank reconciliation should be performed at least once per month. This reconciliation
should be reviewed and authorised.
4 IT controls
4.1 Information processing controls
These are manual or automated procedures that operate “within” a computer system. They can be preventative
or detective in nature and aim to ensure that the transactions that are input, processed or output are complete,
accurate and valid.
Examples include:
Mandatory input fields for websites e.g. postcode required
Checking the arithmetical accuracy of records
Range/limit checks e.g. a check on whether a customer has exceeded their credit limit
Edit checks of input data e.g. checking whether a customer code is input in the correct format
Numerical sequence checks
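The following is an added illustration, not code from these notes: a small batch validator that applies the information processing controls listed above (mandatory fields, edit check on the customer code format, arithmetic accuracy, credit limit range check) and the numerical sequence check over pre-numbered sales invoices that the sales cycle in section 3 calls for. The record layout, the "C" plus five digits customer code format, the credit limits and the sample batch are all assumptions constructed for the example.

```python
"""Application (information processing) controls over a batch of sales invoices.
Illustrative code only; record layout, code format and master data are assumed."""
import re
from decimal import Decimal

# Edit check: customer codes are assumed to be "C" followed by exactly five digits.
CUSTOMER_CODE = re.compile(r"^C\d{5}$")
MANDATORY = ("invoice_no", "customer", "lines", "total")
# Constructed master data: credit limit and current outstanding balance per customer.
CREDIT_LIMITS = {"C00123": Decimal("5000"), "C00456": Decimal("1000")}
BALANCES = {"C00123": Decimal("4200"), "C00456": Decimal("0")}


def check_invoice(inv):
    """Return the list of control exceptions raised by one invoice record."""
    exceptions = []
    # Mandatory input fields: every required field must be present and non-empty.
    for field in MANDATORY:
        if field not in inv or inv[field] in ("", None, []):
            exceptions.append(f"{inv.get('invoice_no', '?')}: missing field {field}")
    if exceptions:
        return exceptions  # remaining checks cannot be applied to an incomplete record
    # Edit check of input data: customer code must be in the correct format.
    cust = inv["customer"]
    if not CUSTOMER_CODE.match(cust):
        return [f"{inv['invoice_no']}: customer code {cust!r} has invalid format"]
    # Arithmetic accuracy: recomputed sum of quantity x price must equal the stated total.
    computed = sum(Decimal(str(q)) * Decimal(str(p)) for q, p in inv["lines"])
    if computed != Decimal(str(inv["total"])):
        exceptions.append(f"{inv['invoice_no']}: stated total {inv['total']} != computed {computed}")
    # Range/limit check: outstanding balance plus this invoice must not exceed the limit.
    limit = CREDIT_LIMITS.get(cust)
    if limit is None:
        exceptions.append(f"{inv['invoice_no']}: no credit limit on file for {cust}")
    elif BALANCES.get(cust, Decimal(0)) + computed > limit:
        exceptions.append(f"{inv['invoice_no']}: credit limit {limit} exceeded")
    return exceptions


def check_sequence(invoices):
    """Numerical sequence check: return (gaps, duplicates) among pre-numbered invoices."""
    seen, dups = set(), []
    for inv in invoices:
        n = inv.get("invoice_no")
        if n is None:
            continue
        if n in seen:
            dups.append(n)  # same number entered twice
        seen.add(n)
    if not seen:
        return [], []
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return gaps, dups  # gaps are documents unaccounted for, to be traced and investigated


def run_controls(invoices):
    """Apply all controls to a batch and return every exception for review."""
    exceptions = [e for inv in invoices for e in check_invoice(inv)]
    gaps, dups = check_sequence(invoices)
    exceptions += [f"sequence gap: invoice {n} unaccounted for" for n in gaps]
    exceptions += [f"sequence duplicate: invoice {n} entered twice" for n in dups]
    return exceptions


SAMPLE_BATCH = [  # constructed sample input; each defect is noted beside the record
    {"invoice_no": 1001, "customer": "C00123", "lines": [(2, "100.00"), (1, "50.00")], "total": "250.00"},
    {"invoice_no": 1002, "customer": "C00456", "lines": [(5, "300.00")], "total": "1500.00"},  # over limit
    {"invoice_no": 1004, "customer": "C00123", "lines": [(3, "200.00")], "total": "650.00"},  # wrong total
    {"invoice_no": 1005, "customer": "XYZ", "lines": [(1, "10.00")], "total": "10.00"},  # bad code format
    {"invoice_no": 1005, "customer": "C00456", "lines": [], "total": "0.00"},  # no lines, duplicate number
]
```

Running `run_controls(SAMPLE_BATCH)` reports six exceptions, including the missing invoice 1003 that a manual check of the sequence would otherwise have to find.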
4.2 General IT controls
These include controls such as virus protection, regular backups and operating logs. They also include the
acquisition and maintenance of new hardware and software, as well as password controls.
5 Tests of control versus substantive procedures
5.1 Tests of control
Tests of control evaluate the operating effectiveness of controls in preventing, or detecting and correcting
material misstatements.
For example, the auditor may be told that all purchase orders are authorised by a responsible official. The
auditor would then test this control by selecting a sample of purchase orders and inspecting them for evidence
of appropriate authorisation.
If the internal controls are strong, the auditor can perform reduced substantive testing and more tests of control
(because control risk is lower, so there is a reduced chance that errors exist in the financial statements).
By testing the client’s controls, the auditor can also “add value” to the client, by making recommendations of
ways to improve their controls.
5.2 Substantive tests
The aim of a substantive procedure is to ensure that there are no material misstatements at the assertion level
in the client’s financial statements.
5.3 Deficiencies in internal control systems
(a) A deficiency exists when:
(i) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and
correct, misstatements in the financial statements on a timely basis; or
(ii) A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely
basis is missing.
(b) A significant deficiency is one that, in the auditor’s opinion, is of sufficient importance to merit the attention
of those charged with governance. This is a good way of “adding value” to the client.
In order to determine whether a deficiency is “significant” or not, the auditor should consider:
The likelihood of the deficiency leading to a material misstatement in the financial statements
The susceptibility of the related asset to loss or fraud
The cause and frequency of the exceptions detected as a result of the deficiencies in the controls
The volume of activity that has occurred or could occur in the account balance exposed to the deficiency
The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to
those charged with governance on a timely basis.
5.4 Reports to management
The communication of significant deficiencies in internal control is performed by the auditor writing a “report to
management” to the client. This document highlights any deficiencies identified in the client’s internal control
system, explains their potential effect and makes recommendations on what the client should do to overcome
those deficiencies.