Audit Principles and Practices – DFA 3103

UNIT 7 INTERNAL CONTROL SYSTEMS

Unit Structure

7.0 Overview
7.1 Learning Outcomes
7.2 Internal Control
7.2.1 Components of the Internal Control System
7.2.2 Types of Internal Control
7.3 Internal Control and Auditors
7.4 Assessing Internal Control Systems
7.5 Recording the System
7.6 Tests of Control: Sales and Receivables System
7.6.1 Control Objectives
7.6.2 Control Procedures
7.6.3 Tests of Control
7.7 Tests of Control: Purchases and Payables System
7.7.1 Control Objectives
7.7.2 Control Procedures
7.7.3 Tests of control
7.8 Tests of Control: Wages System
7.8.1 Control Objectives
7.8.2 Control Procedures
7.8.3 Tests of Control
7.9 Tests of Control: Cash System
7.9.1 Control Objectives
7.9.2 Control Procedures
7.9.3 Tests of Control
7.10 Tests of Control: Inventories
7.10.1 Control Objectives
7.10.2 Control Procedures

Unit 7 1
 Audit Principles and Practices – DFA 3103

7.10.3 Tests of Control

7.11 Summary
7.12 Activity

7.0 OVERVIEW

When adopting the system-based audit, the auditor will rely on systems which prevent or
detect any variations from correct processing of documents into entries in the financial
records, and hence their inclusion in the financial statements. The auditor needs to
understand the systems and verify that controls are effective throughout the period under
review. So, in this unit, the various aspects of internal controls will be considered.

7.1 LEARNING OUTCOMES

By the end of this Unit, you should be able to do the following:

1. Define internal controls.

2. Describe the objectives of internal control systems.
3. Explain the importance of internal control to auditors.
4. Describe the assessment of the internal control system.
5. Explain the different methods used to record a system.
6. State the control objectives, control procedures and tests of control for different
system cycles.

7.2 INTERNAL CONTROL

According to ISA 315 Understanding the Entity and its Environment and Assessing the
Risks of Material Misstatement defines the internal control system as the process

Unit 7 2
 Audit Principles and Practices – DFA 3103

designed and effected by those charged with governance, management, and other
personnel to provide reasonable assurance about the achievement of the entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations. In other words, internal
control is designed and implemented to address identified business risk that threatens the
achievement of organisation objectives.

7.2.1 Components of the Internal Control System

 The control environment that includes the overall attitude, awareness and
actions of directors and management regarding internal controls and their
importance in the entity. In other words, it provides the framework within which
controls operate. The control environment alone does not guarantee the
effectiveness of the overall control systems. Management attitude towards control
is a major factor in determining how controls operate.

 The entity’s risk assessment process is carried out to identify and act in response
to business risks and the results thereof. Risk assessment is vital as risks, both
internal and external, may adversely affect an entity’s ability to initiate, record,
process, and report financial data consistent with the assertions of management in
the financial statements.

 The information system consists of the procedures and records established to

initiate, record, process, and report entity transactions and maintain accountability
for the related assets, liabilities and equity.

To be effective the information system should:

o identify and record all valid transactions.

o describe transactions in sufficient detail to enable proper classification for
financial reporting.

Unit 7 3
 Audit Principles and Practices – DFA 3103

o correctly measure and record the value transactions in the financial

statements.
o determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period.
o properly disclose and present the transactions in the financial statements.

 Control activities describe the policies and procedures that help management to
put into practice their directives. Control activities may vary in forms, for
example, segregation of duties, physical controls, performance reviews or
information processing.

 Monitoring of controls is a process to assess the quality of internal control

performance over time. It is concerned with assessing the design and operation of
controls on a timely basis and take appropriate corrective actions. Management
should ensure that existing control procedures fit within the organisation or need
to be revised. For example, a system of control may become insufficient due to
the rapid growth of an entity.

7.2.2 Types of Internal Control

 Detective controls consist of procedures that detect if any problems have

occurred. For example, monthly bank reconciliation and review of exception
reports.

 Corrective controls include procedures to address problems that have occurred.

For example, management actions to remedy a particular weakness in the
monitoring the company’s debtors.

 Preventative controls include procedures that prevent risks to occur. For example,
authorisation control and segregation of duties. This type of control is the most

Unit 7 4
 Audit Principles and Practices – DFA 3103

appropriate control for any organisation as it is better to stop problems instead of

having to detect or correct them once they have occurred.

7.3 INTERNAL CONTROL AND AUDITORS

Under the system approach the auditor will have to decide the extent to which they can
place reliance on the internal controls of an entity. This is important to the external
auditors because reliance on internal control will reduce the amount of substantive testing
of transactions. Moreover, efficient operation of the internal control system will ensure
the completeness and accuracy of the accounting records. However, if the internal control
system is very weak, the auditors may decline an audit of an entity. The reason is that the
auditor would be apprehensive of the high level of control risk that may exist.

Internal auditors are also concerned with internal controls as they have a major
responsibility to review an organisation’s system of internal control and to provide
assurance that the corporate governance requirements are complied with. The corporate
governance guidance in respect of internal audit states that ‘an objective and adequately
resourced internal audit function should be in a position to provide the Board with much
if the assurance it requires regarding the effectiveness of the system of internal control.’
In other words, the internal auditors should ensure that controls in place are adequate to
detect and prevent risks and the controls are operating effectively.

7.4 ASSESSING THE INTERNAL CONTROL SYSTEMS

According to ISA 315, the auditors should obtain an understanding of the accounting and
internal control environment sufficient to determine their audit approach. The auditors
would start by assessing the adequacy of the accounting systems as a basis for preparing
the financial statements and identify the potential misstatements that could have occurred

Unit 7 5
 Audit Principles and Practices – DFA 3103

in the accounts. The outcome of the assessment will help the auditors to design
appropriate audit procedures.

The procedures used to understand the entity should take into consideration the
materiality level, the size and complexity of the entity, types of internal controls but more
importantly the risk considerations (inherent and control). Indeed, the auditors will
perform a preliminary assessment of control risk at the planning stage of the audit. It is a
process to evaluate the effectiveness of an entity’s accounting and internal control in
preventing or detecting and correcting material misstatements. It is important to know
that some control risks will always exist because of the inherent limitations of the
accounting and internal control system.

Auditors usually used the following methods to understand the accounting and internal
control system:

 Examine previous audit work that contains records of the system as it operated at
the last audit date.
 Review client own documentation of the system such as the accounting system
manual, which would provide essential information to the auditors.
 Interviews with client’s staff to gather information on how they carry out their
functions.
 Walk through checks to trace particular transactions from source to destination.
 Observation of client’s procedures, especially, in activities which involve high
risk such as wages payout.

Unit 7 6
 Audit Principles and Practices – DFA 3103

7.5 RECORDING THE SYSTEM

There are several techniques for recording the accounting and internal control system.

 Narrative notes

This is a simple way to describe and explain the system and at the same time making
comments to show a better understanding of the system. However, this method is not
convenient for large businesses as it may be difficult or time consuming to describe the
system clearly. Narratives notes can be used to support flowcharts.

 Flowcharts

A flowchart is a diagrammatical representation of a system. There are mainly two types

of flowchart, namely, document flowchart and information flowchart. Document
flowchart is commonly used where all documents used in the system are followed from
source to destination. It also shows all operations and controls that exist within the
system. The information flowchart concentrates on the information flow and key
controls. For example, it will take specific entry in the general ledger and work back to
the actual transactions.

 Questionnaires

Generally, there are two types of questionnaire, namely,

o Internal Control Questionnaires (ICQs) are used to ask whether controls

exist to ensure that a particular control objective is achieved. The major
objective of ICQs is to assess ‘how good is the system of controls?’.
Therefore, the ICQs will include questions that will enable the auditor to
ascertain the client’s system of accounting and internal control, identify
controls (or absence of controls) and evaluate the system.

Unit 7 7
 Audit Principles and Practices – DFA 3103

o Internal Control Evaluation Questionnaires (ICEQs) are designed to

determine whether there are controls that prevent or detect specified errors or
omissions. They are often referred to as key or control questions and require
the exercise of the auditor’s judgement. Typical questions could be ‘is there
reasonable assurance that sales are properly authorized?’ or ‘can goods be
dispatched without being invoiced?’

7.6 TESTS OF CONTROL: SALES AND RECEIVABLES SYSTEM

7.6.1 Control Objectives

(a) Customers’ orders should be authorised, controlled and recorded.

(b) Goods delivered and work completed should be controlled to ensure that
invoices are issued and revenue recorded for all sales.
(c) Goods returned and claims by customers should be controlled in order to
ensure that proper adjustments are made in the accounting records.
(d) Invoices and credits should be appropriately checked as being accurate and
authorised before being entered in the accounting records.
(e) Only validated receivables transactions should be entered in the accounting
records.
(f) Procedures exist to ensure that sales invoices are subsequently paid and that
suspicious amounts are identified for proper allowances.

Unit 7 8
 Audit Principles and Practices – DFA 3103

7.6.2 Control Procedures

These include:

(a) Orders
(i) Orders received from existing customers should be checked against the
customers’ accounts and this should be evidenced by initialling. It
should be ascertained that new orders do not exceed the credit limit
allocated to existing customers before being accepted.
(ii) Orders received from new customers should be sent to the credit
control department for credit worthiness before being accepted. A
credit limit should then be allocated to the new customers.
(iii) All orders received should be recorded on pre-numbered sales order
documents.
(iv) All orders should be authorised before any goods are despatched.
(v) The sales should be used to produce a delivery note for goods moving
out of the department. No goods should be delivered without a
delivery note.

(b) Goods delivery

(i) Delivery notes should be pre-numbered and a register kept for follow-up
actions.
(ii) Goods delivery notes should be authorised prior to delivery.

(c) Invoicing and credit notes

(i) Sales invoices should be authorised by responsible officials and matched
to the original authorised order and delivery note.
(ii) All invoices and credit notes should be recorded in the sales day book,
the accounts receivable ledger and the accounts receivable ledger control
account.

Unit 7 9
 Audit Principles and Practices – DFA 3103

(iii) Sales invoices and credit notes should be checked for prices and
accuracy by a person other than the one preparing the invoice.
(iv) All invoices and credit notes should be serially pre-numbered.
(v) Credit notes should be authorised by a responsible officer not involved
in delivery or accounts receivable functions.
(vi) Cancelled invoices should be authorised by a responsible, and retained
and matched to the appropriate delivery notes.

(d) Returns and credit notes

(i) Returned goods by customers should be checked for obvious damages
and if accepted, appropriate credit notes should be raised.

(e) Receivables
(i) A receivable ledger control account should be prepared regularly and
checked to individual sales ledger balances by an independent officer.
(ii) There should be different staff to record receivables, despatch goods and
collect cash.
(iii) Statement of accounts should be sent regularly to customers.
(iv) Procedures should exist to follow-up overdue balances by customers.
(v) Procedures should exist to ensure receipt of overdue balances.

(f) Bad debts

(i) Procedures should exist to write off bad debts.
(ii) Written authority should be given to write-off a bad debt.

Unit 7 10
 Audit Principles and Practices – DFA 3103

7.6.3 Tests of Control

These include:

(a) Sequence test checks are carried out on invoices, credit notes, delivery notes
and orders to ensure that all items are accounted for and there are no
omissions or duplications.

(b) Authorisation for order acceptance, delivery of goods, raising of invoices or

credit notes, pricing and bad debts written-off are checked.

(c) Arithmetical accuracy of invoices, credit notes, discounts and tax is checked.

(d) Delivery notes are checked to ensure that they are matched to appropriate
invoices and credit notes.

(e) Batch total controls are checked to ensure that they have been applied
properly and to trace batches from input to output.

7.7 TEST OF CONTROL: PURCHASES AND PAYABLES

SYSTEM

7.7.1 Control Objectives

These include:

(a) Procedures to ensure that goods or services are purchased under proper
authorities.

Unit 7 11
 Audit Principles and Practices – DFA 3103

(b) Procedures to ensure that only goods or services necessary for the proper
conduct of business operations.

(c) Purchases of goods or services are ordered from authorised suppliers.

(d) Goods and services received are properly inspected for quality, quantity and
conditions.

(e) Invoices and related documentations are properly checked and approved
before posting to the payables ledger.

7.7.2 Control Procedures

(a) Orders
(i) There should be a duly approved purchased requisition for every order.
(ii) All orders should be authorised by a responsible officer whose
authority limits are predetermined. Any order beyond this limit should
be authorised by the board.
(iii) Capital expenditure or major items should be approved by the board.
(iv) All orders should be recorded on appropriate documentations e.g. a
purchase order form where the supplier’s name, quantity ordered and
price are shown.
(v) Copies of orders should be retained for follow-up action.

(b) Receipt of goods

(i) Good receiving department should check all goods for quality and
quantity.
(ii) Good received notes should be raised for all goods accepted. The
GRN should be signed by a responsible officer.
(iii) GRN should be checked against purchase orders. The GRN should be
sequentially numbered.

Unit 7 12
 Audit Principles and Practices – DFA 3103

(c) Invoicing and returns

(i) Purchase invoices received should be given a unique serial number to
ensure purchase order not being discarded.
(ii) Purchase invoices should be referenced with goods received notes.
(iii) The invoice should be matched against the purchase order and the
good received note and check for arithmetical accuracy.
(iv) Invoices should be signed as approved for payment by a responsible
officer independent of the ordering and receipt of goods functions.
(v) Invoices should be properly allocated to the general ledger account.
(vi) Batch controls should be maintained over the posting of invoices to the
purchases day book, general ledger and accounts payable ledger.
(vii) Goods returned should be recorded and checked with credit notes
received from suppliers.

(d) Accounts payable ledger

(i) An accounts payable control ledger should be maintained and
regularly checked against individual balances in the ledger by an
independent officer.
(ii) Statement of accounts from suppliers should be checked against the
purchase ledger account.

7.7.3 Tests of Control

These include:

(a) Sequence check test are carried out on purchase orders, goods received notes
and goods returned notes to ensure that all items are included and there are no
omissions or duplications.

Unit 7 13
 Audit Principles and Practices – DFA 3103

(b) Authorisation for purchase orders and payments of invoices and adjustment to
payable ledger are checked.

(c) Arithmetical accuracy of purchase invoices, debit notes, discounts and tax are
checked.

(d) Goods received notes and goods returned notes are checked to ensure that they
are referenced to purchase orders and debit notes.

7.8 TESTS OF CONTROL: WAGES SYSTEM

7.8.1 Control Objectives

(a) Wages and salaries should be computed in respect of client’s approved list of
employees.
(b) Wages and salaries should be computed at the approved rates of pay for each
employee or category of employees.
(c) Payrolls should be calculated accurately.
(d) Payment should be made to the correct employees.
(e) Liabilities to different institutions (tax authority, insurance and banks) should be
properly recorded.

7.8.2 Control Procedures

(a) Authorisation

(i ) Appointment and dismissal of any employee should be authorised in

accordance to the company’s terms and conditions.
(ii ) Changes in rates of pay should be authorised in writing by a responsible
officer.

Unit 7 14
 Audit Principles and Practices – DFA 3103

(iii ) Overtime worked should be authorised by the employee’s manager and

it should be in be line with the company’s policies.
(iv ) An independent officer should check the payroll and sign it.
(v ) The wages cheques should be signed by two signatories and evidenced
against the signed payroll.
(vi ) Any adjustment (absences, leave without pay) to wages and salaries
should be check and supported by appropriate authority.
(vii ) Direct bank transfer should be signed and check regularly against details
on personal files.
(viii ) Personnel records should be kept for each employee together with a
specimen signature of the employee.

(b) Recording

(i ) Payroll should be prepared from clock cards.

(ii ) Payroll should be calculated against current rates of pay.
(iii ) Payroll deductions such as pensions, standing orders and other approved
deductions should be checked periodically.

(c) Access and records

(i ) Employees should sign for their wages.

(ii ) No employees should be allowed to take the wages of another employee.
(iii ) Wages claimed late should be kept in safe custody under the responsibility
of a responsible officer and their release should be authorised.
(iv ) Procedures should exist to allow the employees to check their wages
before leaving the wages office.
(v ) Staff in the wages department should be rotated at regular interval.
(vi ) There should be proper segregation of duties among the wages staff.
(vii ) A surprise spot check at the pay out should be made periodically by an
independent officer.

Unit 7 15
 Audit Principles and Practices – DFA 3103

(viii ) Unclaimed wages should be recorded in a register and held by someone

outside the wages department until claimed. An officer should investigate
the reason for unclaimed wages as soon as possible.

7.8.3 Tests of Control

These include:

(i ) Test sample of time sheets, clock cards or other documents for approval
by responsible official including overtime.
(ii ) Check sample of payments for authority, particularly, if in cash.
(iii ) Observe wages distribution to confirm adherence to procedures.
(iv ) Test authorities for payroll amendments and deductions.
(v ) Examine evidence of approval calculations.
(vi ) Examine evidence of approval of payrolls by a responsible officer.
(vii ) Examine payroll reconciliations.
(viii ) Test controls procedures over unclaimed wages.

7.9 TESTS OF CONTROL: CASH SYSTEM

7.9.1 Control Objectives

These include:

(i ) All cash are received and subsequently accounted for.

(ii ) No payments are made which should not be made.
(iii ) All receipts and payments are promptly and accurately recorded.

Unit 7 16
 Audit Principles and Practices – DFA 3103

7.9.2 Control Procedures

 Cash sales

(i ) Cash sales should be recorded promptly and accurately, e.g., cash sale
invoices.
(ii ) The document used to record cash sales should be pre-numbered and a
copy should be retained for reconciliation purposes.
(iii ) Cash received should be reconciled on a daily basis with the invoice totals.
(iv ) The reconciliation should be done by an officer independent of the cash
receipts and recording functions.

 Cash receipts by post

(i) The opening of the post should be supervised by a responsible officer.
(ii) All cheques and postal orders should be restrictively crossed “Account
payee only” as soon as the mail is opened.
(iii) All cheques and posting orders received should be recorded in a register
immediately.
(iv) The cashier should not have access to the receipt before this record is
made.
(v) The post should be date stamped to provide evidence of when remittances
are received.

 Banking of cash receipts

(i) All cash and cheques received should be banked intact on a daily basis.
(ii) All daily receipts should be recorded promptly in the cash book.
(iii) Sales ledger personnel should not have access to the cash or cheques
received.
(iv) Bank reconciliation should be prepared on a monthly basis but a daily
reconciliation would be more appropriate if huge amounts of money are
received everyday.

Unit 7 17
 Audit Principles and Practices – DFA 3103

(v) The reconciliation statement should be prepared by a responsible officer

independent of the receipt and payment functions.
(vi) Bank statements should be filed away properly in order to prepare the
reconciliation statement.

 Petty cash
(i) Written authorisation should exist for the level and location of cash
floats.
(ii) Access to the petty cash floats should be restricted to authorised
officers.
(iii) Petty cash should be kept in safe custody under the responsibility of a
reliable officer.
(iv) Withdrawal from the petty cash should be authorised by a responsible
officer, not the petty cashier.
(v) The ‘imprest’ system should be used to reimburse the float.
(vi) Vouchers should be produced before the cheque is signed for
reimbursement.
(vii) A maximum amount should be placed on a petty cash payment to
discourage normal purchase procedures being by-passed.
(viii) Petty cash reconciliation should be made at regular intervals.

7.9.3 Tests of control

(a) Observe mail opening to ensure procedures are adhered to.

(b) Independent cheque of cash receipt to bank lodgements.
(c) Sequence test to check pre-numbered receipts for cash.
(d) Test authorisation of cash receipts.
(e) Check the arithmetical accuracy on cash received records.
(f) Inspect current cheque books to check sequential use of cheques and any
signatures on blank cheques.

Unit 7 18
 Audit Principles and Practices – DFA 3103

(g) Test to ensure that paid invoices are marked ‘paid’.

(h) Check the arithmetical accuracy on cash payment recorded.
(i) Inspect current standing orders and direct debits for authority.
(j) Examine evidence of regular bank reconciliation.
(k) Examine evidence of independent cheque of bank reconciliation e.g. signature
of a responsible officer.
(l) Examine evidence of follow-up outstanding cheques on bank reconciliations.
(m) Test petty cash vouchers for approval.
(n) Examine evidence of arithmetical check on petty cash records.
(o) Test for evidence of check on petty cash balance.

7.10 TESTS OF CONTROL: INVENTORIES

7.10.1 Control Objectives

(a) Authorisation and purchase procedures.

(b) Control over goods inwards.
(c) Inventory records substantiated by physical counts.
(d) Control over despatches and goods outwards.
(e) Adequate steps should be taken to identify all inventories for which
write-downs may be required.
(f) Inventory levels should be controlled so that materials are available
when required but it should be unnecessarily large.

7.10.2 Control Procedures

(a) Issues from inventories should be made only on properly authorized

requisitions.
(b) Damages, obsolete and slow moving inventories should be carried out and any
write-offs should be authorized.

Unit 7 19
 Audit Principles and Practices – DFA 3103

(c) All receipts and issues should be recorded and cross-checked with the
appropriate GRN or requisition.
(d) Total inventory records should be maintained and reconciled with detailed
inventory records and discrepancies investigated.
(e) Inventory should be periodically checked against the records by an officer
independent of the stores and significant differences investigated.
(f) Maximum and minimum inventory level should be pre-determined and
regularly reviewed for adequacy.
(g) Re-order quantities should be pre-determined and regularly reviewed for
adequacy.
(h) Deliveries of goods should pass through stores and hence be checked and
recorded as received.
(i) Inventories should be in safe locations to prevent damages and theft.
(j) Access to stores should be restricted.

7.10.3 Tests of Control

(a) Observe physical security of inventories and environment in which they are
held.
(b) Test procedures for recording of inventory movements in and out of
inventory.
(c) Test authorisation for adjustments to inventory records.
(d) Test authorisation for write-off or scrapping of inventories.
(e) Test controls over recording of inventory movements belonging to third
parties.
(f) Test procedures for authorisation for inventory movements, i.e., the use of
authorised goods received and despatch notes.
(g) Inspect reconciliations of inventory counts to inventory records (this gives
overall comfort on the adequacy of controls over the recording of inventory).
(h) Check sequences of despatch and goods received notes for completeness.

Unit 7 20
 Audit Principles and Practices – DFA 3103

(i) Assess adequacy of inventory counting procedure and attend count to ensure
they are carried out.

7.11 SUMMARY

It is important to remember the following:

1. Internal control system as the process designed and effected by those charged
with governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations and
compliance with applicable laws and regulations.
2. The control environment that includes the overall attitude, awareness and actions
of directors and management regarding internal controls and their importance in
the entity.
3. The entity’s risk assessment process is carried out to identify and act in response
to business risks and the results thereof.
4. The information system consists of the procedures and records established to
initiate, record, process, and report entity transactions and maintain accountability
for the related assets, liabilities and equity.
5. Control activities describe the policies and procedures that help management to
put into practice their directives. Control activities may vary in forms, for
example, segregation of duties, physical controls, performance reviews or
information processing.
6. Internal Control Questionnaires are used to ask whether controls exist to ensure
that a particular control objective is achieved.
7. Internal Control Evaluation Questionnaires are designed to determine whether
there are controls that prevent or detect specified errors or omissions.

Unit 7 21
 Audit Principles and Practices – DFA 3103

8. Control objectives for all systems are that only authorised transactions are
promptly recorded at the correct amount in the appropriate accounts in the proper
accounting period.
9. Control procedures include procedures to ensure completeness, accuracy,
authorisation and proper documentation.
10. Tests of control involve ensuring that the control procedures have been applied
effectively throughout the accounting period.

7.12 ACTIVITY

Activity 1

During the course of their five year period as auditors of S.E Ltd, Paul and Joe have been
particularly concerned that the company, as it grew, should develop internal control
systems appropriate to its size and complexity.

Required:

(a) State what you understand by internal control.

(b) State and explain any four types of internal control giving an illustration of
each type of control as it might be found in S.E Ltd’s system for the
purchasing of materials and the control of stocks. Your answer should
suggest possible consequences if your illustrated control was not in operation.

(c) Discuss the difficulties which S.E Ltd might have faced in establishing
efficient and effective internal control as it grew over the first five years of
existence.

Unit 7 22