Internal Control
Meaning
• The process designed, put in place and
maintained to provide reasonable assurance
regarding the achievement of the objectives
of an entity.
• Objectives relate to:
a) the reliability of the financial reports,
b) the efficiency and effectiveness of operations
and
c) adherence to relevant and applicable laws and
regulations.
How the auditor uses internal controls
• A systems-based approach
• Emphasis, as much as possible, on the systems
processing the transactions rather than on the
transactions themselves.
• The approach relies on the accounting systems and
their related internal controls being sufficient to
record transactions properly.
• The auditor should first test the controls, in order
to satisfy himself that this approach to the audit
is valid.
• The degree of effectiveness of an internal
control system will depend on two factors:
a) The design of the internal control system and
the individual internal controls.
b) The proper implementation of the controls.
• The outcome of this evaluation helps the
auditor to assess control risk, one of the key
elements in the audit risk model.
Summary of the audit approach: tests of controls or substantive tests?
• All internal control systems have inherent
limitations, and controls can never be ‘perfect’
and 100% certain to be effective.
• Never possible for the auditor to rely on them
completely.
• The auditor must therefore:
a) test the underlying internal control systems
themselves, using tests of controls, and
b) perform some tests on the transactions and
balances in the financial statements.
• Where the system of controls is weak, the
auditor will have to carry out extensive
substantive procedures (transactions-based
approach).
• If the auditor judges that the internal controls
are strong, he will carry out tests on the
controls to verify his opinion, and will then need
a smaller amount of substantive testing
(a systems-based approach).
Planning and risk assessment
• Internal controls assessed as weak → Extensive substantive testing
• Internal controls assessed as strong → Tests of controls → Reduced substantive testing
Overall review of financial statements
Issue audit report
THE ELEMENTS OF INTERNAL CONTROL
• Internal controls are a part of the internal control
system, but the internal control system is more
than just the internal controls.
• The following five elements together make up the
internal control system:
(1) The control environment
(2) The entity’s risk assessment process
(3) The information system
(4) Control activities (internal controls)
(5) Monitoring of controls
• The auditor should:
a) gain an understanding of each of these elements as part of
his evaluation of the control systems in operation;
b) document the relevant features of the control systems
together with his evaluation of their effectiveness; and
c) confirm the correctness of his understanding by performing
‘walk-through’ tests on each major transaction type (for
example, revenue, purchases and payroll).
• Walk-through testing involves the auditor selecting a small
sample of transactions and following them through the
various stages in their processing in order to establish
whether his understanding of the process is correct.
1. The control environment
• The general ‘attitude’ to internal control of
management and employees in the
organisation.
• Views, awareness and actions of management
regarding an entity’s internal control and the
governance and functions of management.
• Asserts the premise of an organisation.
• The basis for good internal control, providing
guidance and structure.
• A strong control environment: management
shows a high level of commitment to establishing
and operating appropriate controls.
• The existence of a strong control environment is
not a guarantee of the effectiveness of controls,
but it is a positive factor in the auditor’s risk
assessment process.
• Without a strong control environment, the
control system as a whole is likely to be weak.
Evaluating the control environment
• The auditor should consider such factors as:
1) management participation in the control process,
including participation by the board of directors;
2) management’s commitment to a control culture;
3) the existence of an appropriate organisation structure
with clear divisions of authority and responsibility;
4) an organisation culture that expects ethically-acceptable
behaviour from its managers and employees; and
5) appropriate human resources policies, covering
recruitment, training, development and motivation, which
reflect a commitment to quality and competence in the
organisation.
2. The entity’s risk assessment process
• Management’s responsibility to identify, assess and
manage business risks, on a continual basis.
• Identifying risks: recognising the existence of risks or
potential risks.
• Assessing the risks: deciding whether the risks are
significant, and possibly ranking risks in order of
significance.
• Managing risks: developing and implementing
controls and other measures to deal with those risks.
• The auditor is required to gain an understanding of
these risk assessment processes to the extent that
they may affect the financial reporting process.
Risks can arise or change due to circumstances such as:
• changes in the entity’s operating environment
• new personnel
• new or revamped information systems
• rapid growth
• new technology
• new business models, products or activities
• corporate restructurings
• expanded foreign operations
• new accounting pronouncements
• The quality of the risk assessment and
management process within the client
company can be used by the auditor to assess
the overall level of audit risk.
• If management has no such process in place,
the auditor will need to do more work on this
aspect of the audit planning.
3. The information system
• An information system consists of:
1) infrastructure (physical and hardware
components)
2) software
3) people
4) procedures, and
5) data.
• Infrastructure and software will be absent, or have less
significance, in systems that are exclusively or primarily
manual systems.
• It is important for the auditor to recognise the type of
system and ensure that appropriate audit tests or controls
are suggested.
• For example, if orders are placed via a website there is
no point in suggesting that staff are observed writing
out order documents. The appropriate approach would
be to place a “test” order via the website and ensure
the order has been recorded in the system by viewing
it on screen.
Requirement for auditor
• Gain an understanding of the business information systems
(including the accounting systems) to the extent that they may
affect the financial reporting process.
• This will involve identifying and understanding the following:
1) the entity’s principal business transactions;
2) how these transactions and other events relevant to the financial
reporting process are ‘captured’ (identified and recorded) by the
entity;
3) the processing methods, both manual and computerised, applied
to those transactions;
4) the accounting records used, both manual and computerised, to
support the figures appearing in the financial statements; and
5) the processes used in the preparation of the financial statements.
4. Control activities
• The policies and procedures, other than the
control environment, used to ensure that the
entity’s objectives are achieved.
• The application of internal controls.
• Designed to prevent errors that may arise in
processing information, or
• To detect and correct errors that may arise in
processing information.
Categories of control activities (internal controls)
1) Performance reviews
• Reviews and analyses of actual performance against
budgets, forecasts and prior period performance.
• Performed by management and are often referred to
as management controls.
• Include supervision by management of the work of
subordinates, management review of performance and
control reporting (including management accounting
techniques such as variance analysis).
2) Information processing
• A variety of controls are used to check the accuracy,
completeness and authorisation of transactions.
• Split into two broad groupings:
i) General IT controls
• Policies and procedures that relate to many different
applications (such as revenue, purchases and payroll).
• E.g., controls over the development of new computer
information systems and applications, documentation
and testing of changes to programs, the prevention or
detection of unauthorised changes to programs, and
controls to prevent the use of incorrect data files or
programs, etc.
ii) Application controls
• Apply to the processing of individual applications
(such as revenue, purchases or payroll).
• Help to ensure that transactions occurred, are
authorised and are completely and accurately
recorded and processed.
• Manual or computerised
• E.g., accuracy controls, existence checks, range
checks, screen warnings etc
3) Physical controls
• Controls over the physical security of assets and records to
prevent unauthorised use, theft or damage.
• Examples: limiting access to inventory areas to a restricted
number of authorised personnel, requiring authorisation
for access to computer programs and data files etc.
4) Segregation of duties
• Assigning different people the responsibilities of
authorising and recording transactions and maintaining the
custody of assets.
• Reduces the likelihood of an employee being able to both
carry out and conceal errors or fraud.
Example: Control activities
One part of the sales system at Dolary operates as set out below:
• Orders are received by telephone. On receipt of an order a clerk enters the
details into the system.
• The system checks that the goods are available and, if so, a dispatch note
is produced and e-mailed to the distribution centre.
• Distribution centre staff pack the goods and dispatch them with two
copies of the dispatch note.
• On receipt of the goods the customer signs the dispatch notes and one
copy is returned to the accounts department at Dolary.
• The accounts department flag up the dispatch note on the system to
indicate that the goods have been delivered and the system automatically
produces an invoice and e-mails it to the customer.
• An exception report of un-invoiced dispatch notes is produced weekly.
Required:
Set out an example of each of the above five types of control activities as they
might operate in Dolary’s system.
Answer
• Performance reviews: Management should compare budgeted sales to
actual sales on a monthly basis (provided that the budgets are reliable,
this would detect where significant sales had not been recorded).
• Information processing – application: Manual follow up of the exception
report of un-invoiced despatch notes.
• Information processing – general IT: Controls over the development and
testing of the sales system to ensure it will lead to accurate processing
(such as documentation and testing of any changes to programs).
• Physical controls: Access controls over the sales price master files such as
access only being possible via a high-level password, known only to senior
employees (such as the sales director) (as invoices are produced
automatically by the system it is important that the integrity of this file is
maintained).
• Segregation of duties: Different employees should be responsible for
taking and inputting orders, despatching goods and flagging up the
despatch note.
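The exception report and the segregation-of-duties check from the Dolary answer, sketched in Python as an added example (not part of the original slides). The record fields, employee names, dates and the 7-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DispatchNote:
    note_id: str
    order_entered_by: str               # clerk who keyed the telephone order
    dispatched_by: str                  # distribution centre employee
    dispatched_on: date
    flagged_by: Optional[str] = None    # accounts employee who flagged delivery
    invoiced_on: Optional[date] = None  # set when the system raises the invoice


def uninvoiced_exceptions(notes, as_of, max_age_days=7):
    """Application control: dispatch notes still un-invoiced after max_age_days."""
    return sorted(
        n.note_id for n in notes
        if n.invoiced_on is None
        and (as_of - n.dispatched_on).days >= max_age_days
    )


def segregation_violations(notes):
    """Segregation of duties: one person performing more than one of the three duties."""
    found = {}
    for n in notes:
        roles = {"order entry": n.order_entered_by, "dispatch": n.dispatched_by}
        if n.flagged_by is not None:
            roles["delivery flag"] = n.flagged_by
        by_person = {}
        for role, person in roles.items():
            by_person.setdefault(person, []).append(role)
        overlaps = {p: r for p, r in by_person.items() if len(r) > 1}
        if overlaps:
            found[n.note_id] = overlaps
    return found


# Constructed sample records (not real data)
NOTES = [
    DispatchNote("DN-001", "amy", "bob", date(2024, 3, 1), "cara", date(2024, 3, 4)),
    DispatchNote("DN-002", "amy", "bob", date(2024, 3, 2)),    # never flagged or invoiced
    DispatchNote("DN-003", "dan", "bob", date(2024, 3, 3), "dan", date(2024, 3, 5)),
    DispatchNote("DN-004", "amy", "eve", date(2024, 3, 10)),   # dispatched yesterday
]

if __name__ == "__main__":
    print(uninvoiced_exceptions(NOTES, as_of=date(2024, 3, 11)))
    print(segregation_violations(NOTES))
```

The report is only a control if someone follows it up: DN-002 needs a manual chase, and DN-003 shows the same employee entering the order and flagging the delivery.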
5. Monitoring of controls
• It is important within an internal control system
that management should review and monitor
the operation of the controls, on a systematic
basis, to satisfy themselves that the controls remain
adequate and that they are being applied
properly.
• The auditor needs to obtain an understanding
of this monitoring process.
Recording Internal control systems
The need to record internal control systems
• An understanding of the internal control system is
a must for the auditor.
• It underlies the decision regarding the systems-based or
transactions-based approach to be used.
• Proper documentation in the audit working
papers – probably in the permanent audit file.
Recording methods
1) narrative notes
2) questionnaires
3) systems flowcharts
Narrative notes
• A written description of the control system and
the controls in place.
• Used mainly to make a record of the control
activities involved in processing transactions.
• Simple to prepare, but can become lengthy.
• May be time-consuming to prepare initially.
• If long, may also be time-consuming to update
them when the system or the controls change.
• Ideally, should be written clearly, not longer than
necessary.
Questionnaires
• Widely used to document systems.
• Can be prepared in advance as standard documents.
• Also ideally suited for use in an electronic form
(standard questionnaires available and ready for use).
• A questionnaire is a list of questions about controls in a
particular aspect of operations or accounting.
• Two main types, each having a different objective:
1) the internal control questionnaire (ICQ)
2) the internal control evaluation questionnaire (ICEQ).
Internal control questionnaire (ICQ)
• Designed to establish whether appropriate
controls exist, that meet specific control
objectives.
• Each question requires a ‘Yes’ or a ‘No’ answer
and deals with a particular type of control.
• Usually drawn up in such a way that:
a) a ‘Yes’ answer indicates a control strength, and
b) a ‘No’ answer indicates a control weakness.
For example, the following ICQ questions might
be included in a questionnaire dealing with
procedures for assessing the credit-worthiness
of potential new customers:
Are credit references taken on all potential new
customers? YES/NO
Are credit limits set for customers? YES/NO
Example
As part of his evaluation of internal controls, the
auditor wishes to establish each of the following:
(a) That the correct product prices are charged on
sales invoices to customers.
(b) That raw materials delivered are of the correct
specification and in the correct quantity.
Required
Draft ICQ questions that could be used to establish
the existence of appropriate controls.
Answer
(a) Is a check carried out to match the price on a
sales invoice to the official price list?
YES/NO
(b) Are raw materials counted and checked
against the purchase order when the materials
are delivered?
YES/NO
• The ICQ is not only a means of recording but also
of evaluation.
• The Yes/No answer can be reviewed to gain an
overall picture of the reliability of the system.
• A relatively simple document to complete.
• Can become lengthy (with a large number of
questions) and so time-consuming to complete.
• Often more practical and sensible to take the
ICQs from the previous year’s audit, check their
accuracy and where appropriate bring them up to
date.
Internal control evaluation questionnaire (ICEQ)
• A small number of key control questions designed to
establish whether major weaknesses may exist in a
control system
• Using an ICQ, the auditor is looking for ‘good news’ and
expects to find particular controls in place.
• Using an ICEQ, the auditor is on the look-out for ‘bad
news’ and the possibility that controls may be weak.
• Like an ICQ, an ICEQ contains a (shorter) list of
questions.
• A Yes answer indicates good controls and a No answer
indicates weak controls.
• Take the earlier example relating to controls over the
creditworthiness of customers: an ICEQ approach might
consider just one key control question:
Is there reasonable assurance that goods can only be
despatched to authorised customers whose account
balance is within their credit limit?
YES/NO
• Disadvantage: the questions are less precise and may
need more knowledge and experience to answer.
• Choosing which type of questionnaire to use is a matter of
preference for the auditor.
• ICEQ also serves a dual purpose like ICQ – recording and
evaluation.
Systems flowcharts
• Provide a representation of accounting systems in the form
of a diagram.
• Show the flow of work by showing how documents are
transferred within a system (and filed) and how they are
used.
• Present an immediate visual impact of the system.
• Clearly depict all relevant information about
separation of duties, authorisation, and accounting and
control activities.
• Can help to identify weaknesses in controls more easily
than by reading narrative notes.
• Some expertise needed to draw a good flowchart and use it
effectively.
Different types of flowcharts
Linear
• Displays the sequence of work steps that make up a
process.
• Invaluable in identifying redundant or unnecessary steps
within a process.
Deployment
• Shows the actual process flow and identifies the people or
groups involved in each step.
• Shows where the people or groups fit into the process
sequence and how they relate to one another throughout
the process.
• Horizontal lines are used to define the customer-supplier
relationships.
Opportunity
• A variation on the linear flowchart.
• Differentiates between:
• Process activities that add value – these are
essential for producing the required product or
service.
• Process activities that add cost only – these are
not essential for producing the required product
or service, for example waiting for an approval or
for some equipment to become available.
Drawing flowcharts
Symbols
• Six symbols commonly used
• Have specific meanings and
• Are connected by arrows indicating the flow from one step to
another.
Symbol: Description
1) Oval: Ovals are used to indicate the starting and ending points of
the process.
2) Box: A box represents an individual activity or step in the process.
3) Diamond: Diamonds are used to show decision points. These
might be yes/no or go/no go. Each path emerging from the
diamond must be labeled with one of the potential answers.
4) Circle: A circle indicates that a particular step is
connected within the page. A numerical value
shown within a circle indicates the sequence
continuation.
5) Pentagon: A pentagon is used to link a particular
step of the process to another page or part of the
flowchart. Letters are placed in the circle to clarify
continuation.
6) Flow line: A flow line indicates the direction flow
of the process.
Example: Order processing – mini level flowchart
Receive order → Check credit limit → Within credit card?
• Yes → Process order
• No → Decline order
Finish