Chapter 5

Internal Control
1. The importance of Internal Control
 1.1 The auditor’s assessment of internal controls:
 Assessment of risk at both financial statement level and assertion level.
 The responses at the assertion level involve the auditor selecting appropriate audit
procedures as per assessment.
 Inherent risk
 Control risk
 1.2 The meaning of Internal Control
 Defined as the process designed, put in place and maintained to provide assurance of a
reasonable level regarding the achievement of the objectives of an entity.
 Reliability of the financial reports
 Efficiency and effectiveness of operations
 Adherence to relevant and applicable laws and regulations.
 Internal control are a part of the internal control systems.
1. The importance of Internal Control
 1.3 How the auditor uses internal controls
 With ‘system based approach’ the auditor relies on the accounting systems and the related controls
to ensure that the transactions are properly recorded.
 If the systems and internal controls are adequate, the transactions should be processed correctly.
 The audit emphasis on the systems processing the transactions rather than the transaction themselves.
 Understanding of what these systems and controls are;
 And how to carry out an evaluation of the effectiveness of the controls.
 The degree of effectiveness of an internal control system will depend on the following two factors:
 Design of the internal control system
 Is the control system able to prevent material misstatement?
 Is it able to detect and correct material misstatement if they occur?

 The outcome will help auditor to assess control risk.

1. The importance of Internal Control

Summary of the audit approach:

tests of controls or substantive tests?
 Test the underlying internal control systems themselves, using tests of controls
 Perform some tests on the transactions and balances in the financial statements.
 Tests on transactions and balances are referred to as substantive procedures
 Where system of control is weak, auditor will have to carry out extensive substantive
procedures, this approach is called as transaction-based approach.
 When the internal controls are strong, he will carry tests on the control and needs a smaller
amount of substantive procedures, this approach is called as system based approach.
1. The importance of Internal Control
2. The elements of Internal Control
2.1 The five elements of internal control system
 The control environment
 The entity’s risk assessment process
 The information system
 Control activities (Internal Controls)
 Monitoring of Controls
 ISA 315 requires the auditor to:
 Gain of understanding of each of these elements as part of his evaluation of the control systems
 Document the relevant features of the control systems together with his evaluation of their
effectiveness
 The auditor should confirm that his understanding is correct by performing ‘walk-
through’ tests on each major transaction type.
 Walk through testing involves the auditor selecting a small sample size of transactions apply the
procedure on it in order to test whether his understanding of the process is correct.
2. The elements of Internal Control
2.2 The control environment
 The ‘control environment’ is often regarded as the general ‘attitude’ to internal control of management
and employees in the organization.
 The control environment includes the following elements:
 Communication and enforcement of integrity and ethical values
 Commitment to competence
 Participation of management
 Management’s philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Human resource policies and practices
 A strong control environment is one where management shows a high level of commitment to establishing
and operating appropriate controls.
 Without a strong control environment, the control system as a whole is likely to be weak.
2. The elements of Internal Control

 Evaluating the Internal Environment:

 Management participation in the control process, including participation by the board of
directors;
 Management’s commitment to a control culture;
 The existence of an appropriate organization structure with clear divisions of authority and
responsibility;
 An organization culture that expects ethically- acceptable behavior from its managers and
employees; and
 Appropriate human resources policies, covering recruitment, training, development and
motivation, which reflect a commitment to quality and competence in the organization.
2. The elements of Internal Control
2.3 The entity’s risk assessment process
 Significant business risks are any events or omissions that may prevent the entity from achieving its
objectives.
 Identifying risks: recognizing the existence of risks.
 Assessing risks: deciding whether the risks are significant.
 Managing risks: developing and implementing controls and other measures to deal with those risks.

 Risk can arise or change due to circumstances such as:

 Changes in the entity’s operating environment.
 New personnel
 New or revamped information systems
 Rapid growth
 New technology
 New business models, products or activities
 Corporate restructurings
 Expended foreign operations
 New accounting pronouncements
2. The elements of Internal Control
2.4 The information system
 An information system consists of:
 Infrastructure, software, people, procedures and data.
 ISA 315 requires an auditor to gain an understanding of the business information systems
 This aspects of the auditor’s work will involve identifying and understanding the
following:
 The entity’s principal business transactions;
 How these transactions and other events relevant to the financial reporting process are ‘captured’
by the entity;
 The processing methods, both manual and computerized, applied to those transactions;
 The accounting records used, both manual and computerized, to support the figures appearing in
the financial statements;
 The processes used in the preparation of the financial statements.
2. The elements of Internal Control
2.5 Control Activities
 Policies and procedures other the control environment, used to ensure that the entity’s objectives are achieved.
 To prevent errors that may arise in processing information, or
 To detect and correct errors that may arise in processing information.
 Preventive controls: designed to stop an errors or anomalies from occurring.
 Adequate segregation of duties
 Proper authorization of transactions
 Adequate documentation and control of assets
 Detective controls: designed to find errors or irregularities after they have occurred.
 Exception reports: computerized reports to identify unexpected results or unusual conditions that require follow-
up.
 Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences,
and take corrective action, when necessary.
 Periodic audits: Both internal audit and independent external audit are done to detect error, irregularities and
non-compliance with laws and regulations.
2. The elements of Internal Control
 Corrective Controls: designed to prevent errors and irregularities from recurring once they are discovered. E.g;
 Policies and procedures for reporting errors and irregularities so they can be corrected
 Training employees on new policies and procedures.
 Positive discipline to prevent employees from making future errors.
 Continuous improvements processes to adopt the latest operational techniques.
 Categories of control activities (internal controls):
 Performance reviews: these include reviews and analyses of actual performance against budgets, forecasts and
prior period performance, most done by management as Management Control.
 Information processing: A variety of controls are used to check the accuracy, completeness and authorization of
transactions.
 Application controls
 General IT controls
 Physical Controls: these includes control over the physical security of assets and records to prevent unauthorized
use, theft or damage.
 Segregation of assets: This control involves assigning different people the responsibilities of authorizing or
recording the transactions and maintaining the custody of assets.
 Reduces carry out and concealing of errors or frauds.
2. The elements of Internal Control
2. The elements of Internal Control
2. The elements of Internal Control

2.6 Internal controls in IT systems:

general controls and application controls
 General IT controls: policies and procedures that relate to many different applications.
 Support the effective functioning of Application Controls.
 If General IT controls are weak, it is unlikely that the processing undertaken by the system
will be complete and accurate.
 The auditor will therefore firstly review and test the general IT controls, in order to reach a
conclusion on their effectiveness.
 If control risk is assessed as low he will then move on and test application controls, to
decide if he can rely on specific systems and reduce it substantive testing.
2. The elements of Internal Control

 The auditor would expect computer-based information system are:

 Controls over the development of new computer information systems and applications.
 Controls over the documentation and testing of changes to programs
 The prevention or detection of unauthorized changes to programs
 Controls to prevent the use of incorrect data files or programs
 Controls to prevent unauthorized amendments to data files
 Controls to ensure that there will be continuity in computer operations.
2. The elements of Internal Control
 Application Controls: apply to the processing of individual transactions.
 Authorization control: All significant transactions being authorized at an appropriate level.
 Arithmetic control: checking the arithmetic accuracy of records.
 E.g; checking invoices from suppliers, to make sure that the amount payable has been calculated
properly.
 Accounting controls: maintaining and reviewing accounts and trial balances. These are provided within
accounting procedures to ensure the accuracy or completeness of records.
 Use of control account reconciliations to check the accuracy of trade receivables or trade payables.
 IT controls such as edit checks of input data.
 Numerical sequence checks
 Manual follow-up of exception reports.
 e.g; specific inventory controls are different from internal controls over payroll.
2. The elements of Internal Control

Segregation of duties: dividing the work to be done between two or more individuals.
Purpose: Work done by one individual acts as a check on the work of other, reduces the risk of
error or fraud.
It is more difficult for a person to commit fraud , because a colleague may identify suspicious
transactions by a colleague who is trying to commit a fraud.
2. The elements of Internal Control
2. The elements of Internal Control
2. The elements of Internal Control
2. The elements of Internal Control

2.7 Logical access control

 Tools and procedures used for identification, authentication, authorization and
accountability in computer information systems.
 Local access control can be embedded with operating systems, applications, add-on
security packages or database or telecommunication management systems.
 Logical access controls depends on the in-built security facilities.
 Additional access control can be gained through the appropriate use of proprietary security
programs.
 Unique login identifiers and authenticated password.
2. The elements of Internal Control
2.8 Controls over data transmission
 Help to ensure data is transmitted both intact and also securely without fear of
breach of confidentiality. It includes:
 Program controls that ensure data is transmitted in the correct format.
 Firewalls to prevent intrusion
 Restricting access to source data
 Only using secured Wi-Fi with password protection
 Using check sums and check digits
 Data encryption
 Data encryption: use of an algorithm for information transfer.
 Data can be incorporate in one of two ways:
 At rest – for example in a database or on a flash memory stick
 In transit – when data flows across a network
2. The elements of Internal Control
2.9 System Logs
 A log file is a file that records even taking place in the execution of a system.
 For generation of an audit trial to understand the activity and to diagnose problems.
 For understanding the activities of complex systems
 For analyzing a system’s performance
 Where there is a little user interaction.
2.10 Control Weaknesses and the exam
 Control environment: if management show a little concern for risks and controls, it is
probable that the entire system of internal controls will be weak and ineffective.
 A lack of checks and controls: suitable controls simply do not exist.
 Segregation of duties: discussed previously
 Physical controls: to protect the physical security of assets and records.
 Personnel: weaknesses in the personnel who perform particular tasks.
2. The elements of Internal Control
 Management and Organization Structure: A lack of supervision may be a control weakness, lines
of responsibility and reporting may not clear.
 IT controls: Weakness in both general and specific application controls.
 Computational work and risk of computational error: weakness in procedures and for making
and checking calculations, e.g; service charges to customers.
 Lack of internal audit: weakness in internal audit department.
2.11 Monitoring of Controls
 Monitoring and reviews of operations on a timely basis my management.
2.12 Recording internal control system:
 The need to record internal control system:
 The auditor should carry out an evaluation of the systems and to conduct an audit risk
assessment. Helps in identifying audit approach.
 Systems based approach
 Transactions based approach
2. The elements of Internal Control
 Recording Methods: Narrative notes, questionnaire and systems flowchart.
2.13 Narrative Notes
 Written description of the control system and the controls that are in place.
 Simple to prepare
 Time consuming
 2.14 Systems flowcharts
 Representation of the accounting system in the form of a diagram.
 For each type of transaction, they show the documents generated, the process applied to the
documents and the flow of the documents between the departments.
 Present an immediate visual impact of the system.
 Help to identify weaknesses in control more easily.
 Accounting and Control System flowcharts.
 Flowcharts show the flow of work by showing how documents are transferred within a system
2. The elements of Internal Control

 Benefits and limitations of flowchart: Advantages are:

 Enhance auditor’s evaluation.
 Annual updating of a chart with easy additions or deletions of symbols and lines.
 Easily evaluated and informative description of the system.
 Graphic evidence of any conflicting responsibilities.
 Logical sense facilitates easy understanding of the system.
 System is recorded entirely as all documents have to be traced from the beginning to end.
 Permanent record of system with minor changes year.
 Highlights the strength and weaknesses of a system, easier to spot any missing controls.
 Can be prepared easily by an inexperienced staff.
2. The elements of Internal Control

 Benefits and limitations of flowchart: Limitations are:

 Only suitable for describing standard systems rather than recording systems with unusual
transactions.
 Not appropriate for recording systems with further classifications of subsystems or
subroutines.
 Time consuming process as an auditor must learn about the operating personnel involved
in the system and gather samples of relevant documents.
 Possibility of recording and checking areas that are of no audit significance.
 Flowcharts are difficult to amend.
2. The elements of Internal Control
2.15 Questionnaires
 A standard questionnaire is a list of questions about controls in a particular aspect of operations or
accounting.
 Internal Control Questionnaire (ICQ): designed to establish whether appropriate controls exist, that
meet specific control objectives.
 A ‘yes’ answer to a question indicates a control strength.
 A ‘no’ answer to a question indicates a control weakness.
 ICQs help in providing means in recording systems, assist in the evaluation process and gain an
overall picture of the reliability of the system under review.
 Relatively simple, can be completed by relatively junior members, though time-consuming.
 For example, for credit worthiness of potential new customers.
 Are credit references taken on all potential new customers? Y/N
 Are credit limit sets for customers? Y/N
2. The elements of Internal Control
3. LIMITATIONS OF INTERNAL CONTROL
SYSTEMS
3.1 Reasons why internal controls may be ineffective
 Human errors may not be detected by control systems.
 Not cost effective for certain types of control
 Ignored or overridden by employees or management
 Existence of collusion.
3.2 Problems of small entities
 For example segregation of duties
 Features of control system in small entities:
 High level of involvement by the directors
 Owner-manager personally authorizing many transactions
 Mitigate risk arising from a lack of segregation of duties.

 Fewer chances of lower code of conduct so a culture of integrity and ethical behavior will be a key to auditor’s
risk assessment.
 Auditor will often see management involvement as only a partial substitute for ‘normal’ control system.
3. LIMITATIONS OF INTERNAL CONTROL
SYSTEMS
 The following problems may arise when control system rely excessively on the involvement
of the senior management:
 Lack of evidence as to how systems are supposed to operate.
 Rely more on enquiry than on review of documentation.
 Lack of evidence of controls
 Existence and application of controls
 Management may override other controls that are in place.
 Management may lack the expertise necessary to control the entity effectively.
 Lower chances to have an independent person within the management team.
 Lower tests of control and higher substantive testing.
4. EVALUATION OF CONTROLS AND
AUDIT RISK ASSESSMENT
4.1 The purpose of evaluating controls
 2 stage process
 Whether controls are effective ‘on paper’.
 Obtain a general picture of the effectiveness of control established by management.
 Whether the controls are applied properly, and so whether they are actually working and operating
effectively.
4.2 The evaluation process
 If ‘paper’ review shows major weaknesses, the audit approach will have to focus on tests of transactions
(substantive tests) rather than on tests of control (a system-based approach)
 Good for high level of control risk
 If the controls appear to be acceptable on paper, the auditor has to perform tests of control.
 If tests indicate that the controls are operating effectively, audit can be system based with lower
substantive testing.
 ISA 330 requires that the substantive procedures are carried out for each material class of transactions,
account balances and disclosures.
4. EVALUATION OF CONTROLS AND AUDIT
RISK ASSESSMENT
 4.3 Management Letter
 A report typically presented in columnar fashion detailing weaknesses observed in the
client’s system of internal controls.
 Control weaknesses is a by-product of external audit not an objective.