M3.3 Part 1 Internal Control Concepts and Techniques
An internal control system consists of policies, practices and procedures to achieve four (4) broad
objectives:
The internal control system is management's concrete means of assuring
itself that the 4 objectives will be met.
Modifying assumptions to the internal control objectives:
a. Management Responsibility- The establishment and maintenance of an internal control
system is the responsibility of management.
This point is made eminent in SOX legislation.
b. Reasonable Assurance- The internal control system should provide reasonable assurance
that the 4 broad objectives of internal control are met in a cost-effective manner.
-This means that no system of internal control is perfect, and the cost of achieving
improved control should not outweigh its benefits.
METHODS OF DATA PROCESSING
Internal control should achieve the 4 broad objectives regardless of the data processing
method used.
The control techniques used to achieve these objectives will, however, vary with
different types of technology.
Every system of internal control has limitations on its effectiveness, which include:
a. Possibility of error- the reason why we have maintenance on a yearly basis or as the need
arises
b. Circumvention- personnel may circumvent the system through collusion or other
means.
-it is possible to get in; for the system to detect that you entered, you may use the
command line.
Tellers are limited to transactions in the amount of 10,000; if a transaction
is 10,001, it needs an override approved by a higher-level user ID (e.g.
supervisor and manager), who will input their ID for the transaction to be
recognized.
d. Changing conditions- conditions may change over time so that existing controls may become
ineffective; this is also the rationale for auditors assessing the effectiveness of the
system from time to time. In case there is an ineffective control, that is the time for
management to revisit and enhance it; in other cases, if overcontrolled, you need to
minimize.
a. Asset destruction
b. Theft of the asset
c. Corruption or disruption of the information system
-we know that the information system nowadays is the heart of the business
Detective Controls- designed to identify undesirable events that elude preventive controls.
-These events have passed the preventive controls (they were not caught by the preventive
controls)
Corrective Controls- actions taken to reverse the effects of errors detected, i.e. to correct
the error that has been detected
Preventing errors and fraud is more cost-effective than detecting and correcting
them.
-ILLUSTRATES THAT WHEN YOU HAVE GOOD INTERNAL CONTROL IT WILL PROTECT THE
ASSETS.
- the undesirable events are represented by the arrows
- If they manage to enter, there are glitches in the policies and procedures embedded in
the internal control
- once an event manages to pass the preventive controls, it is time to detect it using the
detective controls.
- After that, a lot will take place (e.g. reconciliation), which will take time and cost
Once the error is detected, it will be corrected in the corrective phase.
Afterwards, the error will form part of the preventive controls in case the same event happens again.
**reason why the auditor needs to assess the effectiveness of the preventive control
Statement on Auditing Standards (SAS) No. 109- is the current authoritative document for
specifying internal control objectives and techniques.
-sufficient knowledge to assess the attitudes and awareness of management, the board and owners
regarding internal controls.
-it covers understanding the entity and its environment and assessing the risk of material
misstatement.
-it formalizes the linkage between the risk of material misstatement in an entity's financial
statements and the overall operating environment of the entity
-it requires the auditor to obtain an understanding of the risks associated with the entity's
regulatory, legal and political environment, including environmental requirements.
-when a significant risk exists, the auditor is required to evaluate the design of the entity's
related internal controls and determine whether the controls are implemented and
operating effectively
PUBLIC COMPANY MANAGEMENT RESPONSIBILITIES ARE CODIFIED IN SECTIONS 302 AND 404
OF THE SOX ACT OF 2002
Section 302 requires management to certify the organization's internal controls on a quarterly
and annual basis.
There should be existing internal controls in all publicly listed companies then
2. Risk Assessment- is the identification, analysis and management of risks relevant to financial
reporting
-identifying the risks, analyzing their impact and then managing what you will do about those risks
3. Information and Communication- the quality of information the AIS generates impacts
management's ability to take actions and make decisions.
-information, reporting and communication will assist management in rendering
timely decisions
-an effective system records all valid transactions and provides timely and accurate
information
4. Monitoring- the process by which the quality of internal control design and operations can
be assessed.
-overseeing the operation as a whole
5. Controlling Activities- existing policies to ensure appropriate actions are taken to deal with
identifiable risks.
C-R-I-M-E
The one who will authorize must not be the one who is in custody of the asset
The one who is in custody of the asset cannot record
OBJECTIVE NUMBER 3
The ones in charge of journals, subsidiary ledgers and general ledgers must be
different persons.
**in case of tracing an audit trail, you have to go from the subsidiary ledger to the journal, which is
the book of original entry.
**as we know, the general ledger is highly summarized, so its details can be viewed in the
Subsidiary Ledger and the Journal
M3.3 PART 2
PHYSICAL
SUPERVISION- Is a compensating control in small organizations for sufficient segregation of
duties.
-control activity involving the critical oversight of employees.
ACCOUNTING RECORDS- form of control
-consists of source documents, journals and ledgers which capture economic essence and
provide an audit trail.
ACCESS CONTROL- Ensure that only authorized personnel have access to the firm's assets.
-access to information is depending on task
INDEPENDENT VERIFICATION PROCEDURES- Independent checks of the accounting system to
identify errors and misrepresentations.
Sub-information:
SUPERVISION
IS A COMPENSATING CONTROL ..
-to avoid, internal and external experts periodically audit the books of larger
corporations
-THIS INDEPENDENT VERIFICATION REASSURES BOTH THE INVESTORS AND
MANAGEMENT THAT ACCOUNTING SYSTEMS ARE ACCURATE.
-ALLOWS STAKEHOLDERS TO MAKE BETTER DECISIONS
IT APPLICATION CONTROLS
INPUT- programmed procedures, often called edits, that perform tests on
transaction data to ensure that they are free from errors.
CHECK DIGIT- method for detecting data coding errors in which a
control digit is added to the code when it is originally designed, to
allow the integrity of the code to be established during subsequent
processing; it helps prevent two common errors:
(The check digit is the last number.
For example: an account number has its check digit in the last part of the
number (0-9 is the range of the digit).)
Ex. A student number has 12 digits; in case the number of digits input is 13,
the system will recognize this error.
Range check or limit check- verifies that all amounts fall
within an acceptable range, e.g. the number of hours worked must
be within the authorized limit. Limit tests cause the
computer to object to figures that are outside the range.
Reasonable checks- verify that the amounts that have
passed limit and range checks are reasonable
Validity check- ensures that valid information and
transactions are entered in the system.
-a code field is compared against acceptable values
-ex. Specific codes that can be used for A/R transactions: only
transactions with certain codes (ex. Accounts Receivable and
cash) may update the account in a debtor's master file.
-they are also used when there is a limited number of valid
entries for an item (ex. customer number, post code); the user
may be forced to pick an item from a list
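The input edits described above, as an added example that is not part of the original notes: a check digit test, a length test, a validity check and a limit check with override. The Luhn mod-10 scheme, the 12-digit account format, the code list and the field names are assumptions; the notes do not name a check digit algorithm.

```python
# Added example: input edits (check digit, length, validity and limit checks).
# Assumptions: Luhn mod-10 check digit, 12-digit account numbers; the code
# list and the field names are constructed for illustration.
VALID_CODES = {"AR", "CASH"}      # validity check: acceptable code values
ACCOUNT_LEN = 12                  # 11 payload digits + 1 check digit
TELLER_LIMIT = 10_000             # amounts above this need an override

def luhn_digit(payload: str) -> str:
    """Compute the Luhn check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def edit_transaction(txn: dict) -> list:
    """Return the list of edit failures; an empty list means accepted."""
    errors = []
    acct = txn.get("account", "")
    if not acct.isdigit() or len(acct) != ACCOUNT_LEN:
        errors.append("account: wrong length or non-numeric")
    elif luhn_digit(acct[:-1]) != acct[-1]:
        errors.append("account: check digit mismatch")
    if txn.get("code") not in VALID_CODES:
        errors.append("code: not an acceptable value")
    amount = txn.get("amount", 0)
    if amount <= 0:
        errors.append("amount: below acceptable range")
    elif amount > TELLER_LIMIT and not txn.get("override_id"):
        errors.append("amount: over teller limit, override ID required")
    return errors

# Constructed sample account: payload plus its computed check digit.
GOOD = "12345678901" + luhn_digit("12345678901")

if __name__ == "__main__":
    print(edit_transaction({"account": GOOD, "code": "AR", "amount": 50}))
    print(edit_transaction({"account": "213456789015", "code": "XX", "amount": 10_001}))
```

A mistyped digit and two swapped adjacent digits both change the expected check digit, so the account edit rejects them before the transaction reaches the master file.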
EXPLANATION:
Transactions today -> consulting the master file (the father)
The balances in the father will go to the update program; the transaction
file of today will be merged in the update program. It will then create
a new master file. For the next day, the transactions made
today will become the father (past records), which will be moved further
into the following generation. Transactions to be incurred on the next
day (future records) shall be the new son.
- Backups are brought to another bank (they must not be kept in the same
bldg and same city)
Master file --> backup program, which will create a duplicate master
file (this is also an original file) that will be processed in the update program
The update program will also get balances from the transaction file (new)
On the other side, the master file can be restored by recovery programs from the disk
backup, which can be used to update the individual account.
-Sale of $50: the update program gets balances from the A/R master file (in case of
payment or addition) -> Update: 50 + 100 (balance of yesterday) = current
balance (100 will automatically change to 150)
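The update run and recovery described above, sketched as an added example (not from the original notes): each day's transaction file builds a new master from the previous one, and earlier generations are kept for recovery. In-memory dicts stand in for the files; the account ID, class and function names are assumptions.

```python
# Added example: batch master-file update keeping earlier generations.
# Assumptions: dicts stand in for the master and transaction files;
# account IDs and amounts are constructed for illustration.
import copy

def run_update(master: dict, transactions: list) -> dict:
    """Merge one day's transaction file into a copy of the master file."""
    new_master = copy.deepcopy(master)      # the father is never modified
    for acct, amount in transactions:
        if acct not in new_master:
            raise KeyError(f"unknown account {acct}")
        new_master[acct] += amount          # sale adds, payment subtracts
    return new_master

class Generations:
    """Keep the current master plus the two generations before it."""
    def __init__(self, master: dict):
        self.masters = [master]             # oldest first, newest last
        self.txn_files = []                 # txn_files[-1] built masters[-1]

    def daily_run(self, transactions: list) -> dict:
        son = run_update(self.masters[-1], transactions)
        self.masters.append(son)
        self.txn_files.append(list(transactions))
        if len(self.masters) > 3:           # drop what is older than grandfather
            self.masters.pop(0)
            self.txn_files.pop(0)
        return son

    def recover_current(self) -> dict:
        """Rebuild a lost current master from the father and its transaction file."""
        if len(self.masters) < 2:
            raise RuntimeError("no earlier generation to recover from")
        rebuilt = run_update(self.masters[-2], self.txn_files[-1])
        self.masters[-1] = rebuilt
        return rebuilt

if __name__ == "__main__":
    files = Generations({"AR-1001": 100})   # yesterday's balance of 100
    print(files.daily_run([("AR-1001", 50)]))   # sale of 50 -> 150
    files.masters[-1]["AR-1001"] = -999         # simulate a corrupted current file
    print(files.recover_current())              # rebuilt from father + transactions
```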
Aborted output->waste
Output report ->Output report->distribution of report -> end user-> other output
will be maintained through a file.