
M3.3 Part 1
Internal Control Concepts and Techniques

An internal control system consists of policies, practices and procedures to achieve four (4) broad
objectives:

1. Safeguard the assets of the firm
2. Ensure the accuracy and reliability of accounting records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's prescribed policies and procedures

• The internal control system is management's concrete means of assuring itself that the 4
objectives will be met.

Modifying assumptions to the internal control objectives:
a. Management Responsibility- the establishment and maintenance of an internal control
system is the responsibility of management.
• This point is made eminent in SOX legislation.
b. Reasonable Assurance- the internal control system should provide reasonable assurance
that the 4 broad objectives of internal control are met in a cost-effective manner.
-this means that no system of internal control is perfect, and the cost of achieving
improved control should not outweigh its benefit

METHODS OF DATA PROCESSING
Internal control should achieve the 4 broad objectives regardless of the data processing
method used.

• The control techniques used to achieve these objectives will, however, vary with
different types of technology.

Every system of internal control has limitations on its effectiveness, which include:
a. Possibility of error- the reason why we have maintenance on a yearly basis or as needs
arise.
b. Circumvention- personnel may circumvent the system through collusion or other
means.
-it is possible to get in; for the system to detect that you entered, you may use the
command line.

c. Management override- management is in a position to override control procedures,
either by distorting transactions itself or by directing a subordinate to do so.
Ex. user IDs have parameters, so you can only access those screens or files that are
relevant to your task.

• Tellers are limited to transacting in amounts of up to 10,000; if there is a transaction
of 10,001, it needs an override, the approval of a higher-level user ID (ex.
supervisor and manager), who will input their ID for the transaction to be
recognized.
d. Changing conditions- conditions may change over time so that existing controls may
become ineffective. This is also the rationale for auditors assessing the effectiveness of
the system from time to time: in case there is an ineffective control, that is the time for
management to revisit and enhance it; in other cases, if overcontrolled, you need to
minimize.

THE ABSENCE OR WEAKNESS OF A CONTROL IS AN EXPOSURE

a. Asset destruction
b. Theft of the asset
c. Corruption or disruption of the information system
-we know that the information system nowadays is the heart of the business

THE PREVENTIVE-DETECTIVE-CORRECTIVE INTERNAL CONTROL MODEL

Preventive Controls- passive techniques designed to reduce undesirable events by
forcing compliance with prescribed or desired actions.
-these are designed to keep errors and irregularities from occurring in the first place.

Detective Controls- designed to identify undesirable events that elude preventive controls.
-these events have passed the preventive controls (the preventive controls were not able
to catch them)

Corrective Controls- actions taken to reverse the effects of errors detected, i.e. to correct
the error that has been detected.
Preventing errors and fraud is more cost-effective than detecting and correcting
them.

INTERNAL CONTROL SHIELD

-ILLUSTRATES THAT WHEN YOU HAVE GOOD INTERNAL CONTROL, IT WILL PROTECT THE
ASSETS.
-the arrows represent the undesirable events
-if they manage to enter, there are glitches in the policies and procedures embedded in
the internal control
-once an event manages to pass the preventive controls, it is time to detect it using the
detective controls.
-after that, a lot will take place (ex. reconciliation), which will take time and cost

**Therefore preventive control is the most cost-effective.

• Once the error is detected, it will be corrected through the corrective phase.
• Afterwards, the error will form part of the preventive controls in case the same event happens again.
• **This is the reason why the auditor needs to assess the effectiveness of the preventive controls.

Statement on Auditing Standards (SAS) No. 109- is the current authoritative document for
specifying internal control objectives and techniques.

-sufficient knowledge to assess the attitudes and awareness of management, the board and owners
regarding internal controls.

-it concerns understanding the entity and its environment and assessing the risk of material
misstatement.
-it formalizes the linkage between the risk of material misstatement in an entity's financial
statements and the overall operating environment of the entity
-it requires the auditor to obtain an understanding of the risks associated with the entity's
regulatory, legal and political environment, including the environmental requirements.
-when a significant risk exists, the auditor is required to evaluate the design of the entity's
related internal controls and determine whether the controls are implemented and
effectively operating

-it is based on the COSO FRAMEWORK


SARBANES-OXLEY AND INTERNAL CONTROL
Committee of Sponsoring Organizations of the Treadway Commission (COSO)- is a joint initiative
of five private sector organizations and is dedicated to providing thought leadership through the
development of frameworks and guidance on enterprise risk management, internal control and
fraud deterrence.

The five institutions:

1. Institute of Management Accountants (IMA)
2. American Accounting Association (AAA)
3. American Institute of Certified Public Accountants (AICPA)- counterpart of PICPA
4. Institute of Internal Auditors (IIA)
5. Financial Executives International (FEI)

PUBLIC COMPANY MANAGEMENT RESPONSIBILITIES ARE CODIFIED IN SECTIONS 302 AND 404
OF THE SOX ACT OF 2002
Section 302- requires management to certify the organization's internal controls on a quarterly
and annual basis.
-there should then be an existing internal control in every publicly listed company

Section 404- requires management to assess internal control effectiveness.
-requires that management certify that they have assessed said internal control and that it is
running effectively.
-as a minimum requirement, companies should adopt the provisions of SOX

COSO INTERNAL CONTROL FRAMEWORK

5 components:
1. Control Environment- sets the tone for the organization and influences control awareness.
-foundation of the internal control
-hierarchy is from the top (make it drop)

2. Risk Assessment- the identification, analysis and management of risks relevant to financial
reporting
-identify the risks, analyze their impact and then manage what you will do about those risks

3. Information and Communication- the quality of information the AIS generates impacts
management's ability to take actions and make decisions.
-information, reporting and communication will assist management in rendering a
timely decision
-an effective system records all valid transactions and provides timely and accurate
information

4. Monitoring- the process by which the quality of internal control design and operations can
be assessed.
-overseeing of the operation as a whole

5. Controlling Activities- existing policies to ensure appropriate actions are taken to deal with
identifiable risks.

C-R-I-M-E

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (CObIT)

• It is a framework created by ISACA (Information Systems Audit and Control
Association).

IT CONTROLS RELATED TO THE COMPUTER ENVIRONMENT
A. General Controls- controls that pertain to entity-wide concerns such as controls
over the data center, organization databases, systems development, and program
maintenance.
• Controls over the design, security and use of computer programs and the security of
data files in general throughout the organization.
• As a whole, general controls apply to all computerized applications and consist of a
combination of system software and manual procedures that create an overall
control environment.
B. Application Controls- controls that ensure the integrity of specific systems.
-these are specific controls unique to each computerized application (payroll, A/R and
order processing); they consist of controls applied from the user functional area of a
particular system and of programmed procedures.

C. Physical Controls- relate to human activities.

1. Transaction Authorization- a procedure to ensure that employees process only
valid transactions within the scope of their authority.
-approval before a transaction can be processed
-ex. bank tellers who are authorized to transact only up to 100k; if the amount exceeds
that, it needs approval or authorization from a higher position.

2. Segregation of Duties- designed to minimize incompatible functions, including
separating:
• Transaction authorization and processing
• Asset custody and record-keeping
-in a process, there should be no one person who processes from beginning to end
-the one who approves is not the one who is processing
-ex. asset custody and record-keeping should not be assigned to one person
**SUCCESSFUL FRAUD REQUIRES COLLUSION
-that is why there is a need for internal control.

SEGREGATION OF DUTIES OBJECTIVES

OBJECTIVE NUMBER 1
• The one who processes should not be the one who authorizes
• Authorization (first step) ---> Processing of transaction
OBJECTIVE NUMBER 2
• The one who authorizes must not be the one who is in custody of the asset
• The one who is in custody of the asset cannot record
OBJECTIVE NUMBER 3
• The persons in charge of the journals, subsidiary ledgers and general ledger must be
different persons.
**in case of following an audit trail, you have to go from the subsidiary ledger to the journal,
which is the book of original entry.
**as we know, the general ledger is highly summarized, so its details can be viewed in the
Subsidiary Ledger and the Journal
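
The transaction authorization rule and segregation-of-duties objective 1 above can be enforced in the application itself. The following is an added example, not part of the original notes: the role names, user IDs and the supervisor and manager limits are constructed, and only the teller limit of 10,000 comes from the notes.

```python
from dataclasses import dataclass
from typing import Optional

# Amount each role may process on its own. 10,000 is the teller limit quoted
# in these notes; the other two limits are constructed for the example.
ROLE_LIMIT = {"teller": 10_000, "supervisor": 100_000, "manager": 1_000_000}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Transaction:
    amount: int
    entered_by: User
    approved_by: Optional[User] = None


def authorize(txn: Transaction) -> tuple[bool, str]:
    """Apply the authorization limit and the authorize/process separation."""
    own_limit = ROLE_LIMIT[txn.entered_by.role]
    if txn.amount <= own_limit:
        return True, "within processor's limit"
    approver = txn.approved_by
    if approver is None:
        return False, "override required"
    # The one who processes must not be the one who authorizes.
    if approver.user_id == txn.entered_by.user_id:
        return False, "processor cannot approve own transaction"
    # A peer with the same limit is not a higher-level user ID.
    if ROLE_LIMIT[approver.role] <= own_limit:
        return False, "approver is not a higher-level user ID"
    if txn.amount > ROLE_LIMIT[approver.role]:
        return False, "amount exceeds approver's limit"
    return True, "override accepted"


def demo_authorization() -> list[tuple[bool, str]]:
    """Run the rule over constructed transactions."""
    teller = User("T01", "teller")
    other_teller = User("T02", "teller")
    supervisor = User("S01", "supervisor")
    cases = [
        Transaction(10_000, teller),
        Transaction(10_001, teller),
        Transaction(10_001, teller, approved_by=teller),
        Transaction(10_001, teller, approved_by=other_teller),
        Transaction(10_001, teller, approved_by=supervisor),
        Transaction(250_000, teller, approved_by=supervisor),
    ]
    return [authorize(t) for t in cases]
```

The check stops a single person from processing and authorizing the same transaction; it does not stop two people acting together, which is the collusion limitation noted earlier.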
M3.3 PART 2

INTERNAL CONTROL CONCEPTS AND TECHNIQUES PART 2

PHYSICAL

SUPERVISION
-is a compensating control in small organizations for sufficient segregation of duties.
-control activity involving the critical oversight of employees.

ACCOUNTING RECORDS
-form of control
-consist of source documents, journals and ledgers, which capture economic essence and
provide an audit trail.

ACCESS CONTROL
-ensures that only authorized personnel have access to the firm's assets.
-access to information depends on the task

INDEPENDENT VERIFICATION PROCEDURES
-independent checks of the accounting system to identify errors and misrepresentations.

Sub-information:
SUPERVISION IS A COMPENSATING CONTROL

-in the absence or lack of segregation of duties, management may choose to
compensate for it through supervision.
-a manager may be asked to oversee the roles of various subordinates across
different functions; thus supervision takes place as a compensating control in lieu of
segregation

INDEPENDENT CHECKS OF THE ACCOUNTING SYSTEM TO IDENTIFY ERRORS
AND MISREPRESENTATIONS

-accounting statements of large organizations can contain unintentional errors and
misrepresentations
-to avoid this, internal and external experts periodically audit the books of larger
corporations
-THIS INDEPENDENT VERIFICATION REASSURES BOTH THE INVESTORS AND THE
MANAGEMENT THAT THE ACCOUNTING SYSTEMS ARE ACCURATE.
-ALLOWS STAKEHOLDERS TO MAKE BETTER DECISIONS

• Management can assess individual performance
• Ensure system integrity
• Data correctness, which includes:
  - Reconciling batch totals during transaction processing
  - Comparing physical assets with accounting records
  - Reconciling subsidiary accounts with control accounts
  - Reviewing management reports that summarize business activities.

IT APPLICATION CONTROLS
• INPUT- programmed procedures, often called edits, that perform tests on
transaction data to ensure that they are free from errors.
  - Check digit- a method for detecting data coding errors in which a control digit
    is added to the code when it is originally designed, to allow the integrity of
    the code to be established during subsequent processing. It helps prevent two
    common errors:
    (The check digit is the last number. For example, an account number has its
    check digit in the last part of the number (0-9 is the range of the digit).)
    o Transcription errors- occur when (1) extra digits are added to the code
      (excess), (2) a digit is omitted from a code (lacking) and (3) a digit is
      recorded incorrectly.
      Ex. A student number has 12 digits; in case the number of digits input is 13,
      the system will recognize this error.
    o Transposition errors- occur when digits are reversed.
  - Missing data check- identifies blank or incomplete input fields.
  - Numeric-alphabetic check- identifies data in the wrong form.
    Ex. Some passwords are required to include numeric and alphabetic characters;
    others require strictly numbers.
  - Range check or limit check- verifies that all amounts fall within an acceptable
    range, e.g. the number of hours of work must be up to the authorized limit.
    Limit tests cause the computer to object to figures that are outside the range.
  - Reasonableness checks- verify that amounts that have passed limit and range
    checks are reasonable.
  - Validity check- ensures that valid information and transactions are entered in
    the system.
    -a code field is compared against acceptable values
    -ex. specific codes that can be used for A/R transactions: only transactions
    with certain codes (ex. Accounts Receivable and cash) can update the account in a
    debtor's master file.
    -they are also used when there is a limited number of valid entries for an item
    (ex. customer number, post code); the user may be forced to pick an item from a
    list
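
The input edits listed above, run in sequence over one keyed record. This is an added example, not part of the original notes; the notes do not name a check digit algorithm, so the Luhn mod-10 scheme is used here as an assumption, and the field names, code list, account length and amount range are constructed.

```python
VALID_CODES = {"AR", "CASH"}     # assumed acceptable transaction codes
ACCOUNT_LEN = 11                 # assumed: 10-digit base + 1 check digit
AMOUNT_RANGE = (0.01, 10_000.0)  # assumed authorized range


def luhn_check_digit(base: str) -> int:
    """Check digit (0-9) for a string of digits, Luhn mod-10 scheme."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def edit_record(rec: dict) -> list[str]:
    """Run the input edits on one record of keyed strings; return errors."""
    errors = []
    # Missing data check: blank or absent fields.
    for field in ("account", "txn_code", "amount"):
        if not str(rec.get(field) or "").strip():
            errors.append(f"missing data: {field}")
    if errors:
        return errors

    account = rec["account"].strip()
    if not (account.isascii() and account.isdigit()):
        errors.append("numeric-alphabetic: account must be digits only")
    elif len(account) != ACCOUNT_LEN:
        # Transcription error: a digit was added or omitted.
        errors.append("transcription: wrong number of digits")
    elif luhn_check_digit(account[:-1]) != int(account[-1]):
        # Catches a wrongly recorded digit and adjacent transpositions
        # (Luhn misses only the 09 <-> 90 swap).
        errors.append("check digit: account number fails verification")

    # Validity check: code field compared against acceptable values.
    if rec["txn_code"].strip() not in VALID_CODES:
        errors.append("validity: unknown transaction code")

    try:
        amount = float(rec["amount"])
    except ValueError:
        errors.append("numeric-alphabetic: amount must be a number")
    else:
        # Range (limit) check.
        if not AMOUNT_RANGE[0] <= amount <= AMOUNT_RANGE[1]:
            errors.append("range: amount outside authorized limits")
    return errors


# Constructed sample: a valid record and the same account with two digits swapped.
GOOD = {"account": "79927398713", "txn_code": "AR", "amount": "250.00"}
TRANSPOSED = dict(GOOD, account="79927938713")
```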

c. PROCESSING- programmed procedures to ensure an application's logic
is functioning properly
-is a fundamental requirement
• Batch Controls- manage the flow of high-volume transactions and
reconcile system output with original input.
-when processing, you have to feed in documents, and before the
system processes them, you have to make a listing of the documents
-a batch process handles ONLY SIMILAR TRANSACTIONS (ex. A/R)
to manage voluminous transactions.
(ex. Deposit slips received by bank tellers are kept for the
meantime until they accumulate; this process is called batching)
-after processing, the information will be validated against the
source documents (transaction slips)

• Run-to-run Controls- controls that use batch figures to
monitor the batch as it moves from one programmed procedure
to another
-ex. End-of-day processing takes place at the end of
business hours; while the system is processing, another
system alongside monitors the processes mentioned.
This system monitors the time of processing, which should not pass the
standard processing time.

• Hash Total- the summation of a nonfinancial data field to keep track
of the records in a batch.

**transactions must be of the same nature when processing by batch

INTERPRETATION OF THE SLIDE:

-it can process 50 records (MAX)
-RECORD COUNT- number of transactions entered in the system
-HASH TOTAL (nonfinancial)- addition of batch number, transaction code,
date and record count
-CONTROL TOTAL- amount of the processed transactions; running balance
(no. of transactions run)
-Batch of sales order transactions- records 1 to 50
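
How the three batch figures are used as run-to-run controls: the totals are computed once when the batch is created and recomputed after every programmed procedure. This is an added example, not part of the original notes; the record layout, step names and sample data are constructed, and the hash total is taken over the account number field as one possible nonfinancial field.

```python
from decimal import Decimal

MAX_BATCH = 50  # batch size limit from the slide described in the notes


def batch_totals(records: list) -> dict:
    """Compute the three batch control figures."""
    if len(records) > MAX_BATCH:
        raise ValueError("batch exceeds 50 records")
    return {
        "record_count": len(records),
        "hash_total": sum(r["account"] for r in records),             # nonfinancial
        "control_total": sum(Decimal(r["amount"]) for r in records),  # financial
    }


def reconcile(header: dict, records: list) -> list:
    """Return the names of the control figures that no longer balance."""
    actual = batch_totals(records)
    return [k for k in ("record_count", "hash_total", "control_total")
            if header[k] != actual[k]]


def run_to_run(header: dict, records: list, steps: list) -> tuple:
    """Reconcile after every step; stop at the first one out of balance."""
    for name, step in steps:
        records = step(records)
        out_of_balance = reconcile(header, records)
        if out_of_balance:
            return name, out_of_balance
    return None, []


# Constructed batch of A/R transactions (all of the same nature).
BATCH = [
    {"account": 10021, "amount": "125.50"},
    {"account": 10034, "amount": "80.00"},
    {"account": 10047, "amount": "310.25"},
    {"account": 10052, "amount": "42.75"},
]


# Three constructed faults in the update step.
def drop_last(recs):
    return recs[:-1]

def alter_amount(recs):
    return [dict(recs[0], amount="152.50")] + recs[1:]

def wrong_account(recs):
    return [dict(r, account=10043) if r["account"] == 10034 else r for r in recs]


def demo_batch(update_step=list) -> tuple:
    header = batch_totals(BATCH)          # prepared when the batch is created
    steps = [
        ("edit", list),
        ("sort", lambda recs: sorted(recs, key=lambda r: r["account"])),
        ("update", update_step),
    ]
    return run_to_run(header, BATCH, steps)
```

The `wrong_account` case is the reason a hash total exists: the record count and the control total still balance, and only the nonfinancial sum shows that a transaction went to a different account.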

• Audit Trail Controls- ensure every transaction can be traced
through each stage of processing from its economic source to its
presentation in the financial statements.
-begin with the FS and validate it against the totals in the control
accounts (general ledger); for further proof, use the subsidiary ledger
and general journal
-every transaction the system processes, including automatic
ones, should be recorded in a transaction log.
-everything the system processes is always in the transaction log
-the transaction log is a form of audit trail (ex. time of entry of
transactions)

EXPLANATION:

• Transactions (from an order) are validated and then
transferred to the "valid transactions database"
-valid transactions go to the database
-application process (updating) --> updates the transaction log
(journal or the error)
• If the processes are valid, we will have an OUTPUT REPORT
• Master File Backup Controls- ensures every transaction can be traced
through each stage of processing from its economic source to its
presentation in the financial statements.
-may be viewed as either general or application controls, depending on
the activity
-the systems designer determines the number of backup master files
needed for each application. Two factors influence this decision
(on the number of backups):
o Financial significance of the system
o Degree of file activity

• Grandfather-father-son (GFS)- a backup technique employed by
systems that use sequential master files (whether tape or disk); it is an
integral part of the master file update process.

Today's transactions -> the update program consults the master file (the father).
The balances in the father go to the update program, and today's transaction
file is merged in the update program, which then creates a new master file.
For the next day, transactions made today will become the father (past
records), which will move further into the following generation.
Transactions to be incurred on the next day (future records) shall be the
new son.

-backups are brought to another bank (they must not be kept in the same
building and same city)

• Backup process in a batch system using direct access files
-each record in a direct access file is assigned a unique disk location
or address that is determined by its primary key value

Master file --> backup program, which creates a duplicate master
file (the original file is also processed in the update program).
The update program will also get balances from the (new) transaction file.
On the other side, the master file can be restored by recovery programs from
the disk backup, which can be used to update the individual accounts.

• Destructive Update Approach- leaves no backup copy and
requires a special recovery program if data is destroyed or
corrupted
-very risky
-ex. Sale of $50: the update program gets the balance from the A/R master file
(in case of payment or addition) -> update 50 + 100 (balance of yesterday) ->
current balance (100 will automatically change to 150)

• Backup of master file in a real-time system- real-time systems
pose a more difficult problem because transactions are being
processed continuously
-backup procedures are scheduled at pre-specified intervals
throughout the day

Ex. of businesses using these: fast food chains

-backup of the master file in a real-time system is used to manage the stocks
-a transaction is entered using a terminal --> update program -->
master file updating
-at the same time, it logs the transaction
-the update program gets information from the master file on
whether it will deduct the transaction
-if none can be seen, it will create another transaction --> backup
program --> backup master file
-from the transaction log there can be a recovery program
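
The grandfather-father-son technique and the destructive update approach described above, side by side. This is an added example, not part of the original notes: master files are modelled as in-memory dictionaries, the account key is constructed, and the 100 balance and 50 sale are the figures used in the notes.

```python
from collections import deque


def update_run(old_master: dict, transactions: list) -> dict:
    """Sequential update: read the old master and the transaction file and
    write a NEW master file. The old master is left untouched."""
    new_master = dict(old_master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master


def destructive_update(master: dict, transactions: list) -> dict:
    """Update in place: each old balance is overwritten, no prior copy remains."""
    for account, amount in transactions:
        master[account] = master.get(account, 0) + amount
    return master


class GFSMasterFiles:
    """Keeps the three newest generations: grandfather, father, son."""

    def __init__(self, opening_master: dict):
        # Each entry: (master file, transaction file that produced it)
        self.generations = deque([(dict(opening_master), [])], maxlen=3)

    def end_of_day(self, transactions: list) -> dict:
        father = self.generations[-1][0]
        son = update_run(father, transactions)
        self.generations.append((son, list(transactions)))  # oldest falls off
        return son

    def recover_son(self) -> dict:
        """Rebuild a lost or corrupted son from the father + transaction file."""
        if len(self.generations) < 2:
            raise RuntimeError("no father generation to recover from")
        father = self.generations[-2][0]
        transactions = self.generations[-1][1]
        son = update_run(father, transactions)
        self.generations[-1] = (son, transactions)
        return son


def demo_gfs() -> dict:
    gfs = GFSMasterFiles({"AR-1001": 100})
    gfs.end_of_day([("AR-1001", 50)])
    father_balance = gfs.generations[-2][0]["AR-1001"]   # yesterday's file survives
    gfs.generations[-1][0].clear()                       # simulate a corrupted son
    recovered = gfs.recover_son()["AR-1001"]

    in_place = {"AR-1001": 100}
    destructive_update(in_place, [("AR-1001", 50)])      # the 100 is gone
    return {"father": father_balance, "recovered": recovered,
            "destructive": in_place}
```

Recovery under GFS only works if the transaction file is retained with each generation; under the destructive approach the same recovery needs a separate backup and a transaction log.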
d. OUTPUT
-procedures to ensure output is not lost, misdirected or corrupted and
that privacy is not violated
-it can be tracked
-the recipient must be known
-in case of securing a copy, the reason must be stated in the log
-proper access and backup procedures must be in place to protect these
files
-output controls include the hardcopy output

• Output Spooling- spooling is directing an application's output to a
magnetic disk file rather than to the printer directly.
-on standby, can be printed anytime
-instead of going straight to print, it can be kept first

• Print Programs- sensitive computer waste should be shredded
for protection.
-report distribution must be controlled
**the only valid recipients are the president and the operation
-all paper coming from the system must be shredded

**Should internal audit feel the need for a copy of a
document, it can be given as long as the reason is stated in the
log + signature

• Print Program Control- should be designed to prevent
unauthorized copies and employee browsing of sensitive data.
-it has to have a user ID and password and be categorized.

• End-user Control- end users should examine reports for correctness,
report errors and maintain report security
-electronically done

Output run -> output file -> print run -> output report (from the system)

Aborted output -> waste

Output report -> distribution of report -> end user -> other output
will be maintained through a file.
