LESSON

INTERNAL CONTROL
6

TOPICS
 Nature of Internal Control
 Components of Internal Control
 Considerations of Internal Control
 Communications of Internal Control Weaknesses

LEARNING After studying this chapter, you should:

OUTCOMES

 Understand the nature of internal control and its structure

 Be familiar with the concepts of internal control
 Enumerate the components of internal control
 Have a basic understanding of the considerations related to internal control

INTRODUCTION

To assist the organization towards the achievements of its goals and objectives a
careful planning, sound policies and procedures, and internal controls must be
implemented. Since transactions within an organization compose of different business
functions, internal control, aside from its being systematic, it should be set forth for the
safeguarding of assets, prevention and detection of fraud and errors, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial
statements.
A proper internal control system allows no person to be in a position to both
perform and conceal irregularities in the normal course of his duties, since work of one
employee is verified automatically by the next employee in the logical flow of work.
Thus, segmentation must properly be observed. A good internal control system provides
that different individuals perform the functions of: authorizing transactions, recording
transactions, maintaining custody of the assets that result from the transaction; and
comparing or checking the assets with the related amount entered in the entity's
accounting records.

1
CONSIDERATION OF INTERNAL CONTROL (Salosagcol, 2014)

Determine
Set Desired
Assess Assess Acceptable
Level of Audit
Risk Inherent Risk Control Risk Level of
Detection Risk

Audit Planning Consideration of Performing

internal control Substantive Tests

The auditor is responsible in setting the desired level of audit risk, which is the
very first process in the audit planning, the assessment of inherent risk should be
followed.
Assessing control risk is the process of evaluating the design and operating
effectiveness of an entity’s internal control as to how it prevents or detects material
misstatements in the financial statements. The conclusion reached as a result of
assessing control risk is referred to as the assessed level of control risk.

NATURE OF INTERNAL CONTROL

The conduct of internal control also depends on the size of the entity. If an organization
is small, the owner can personally perform, or directly take charge of all the
responsibilities. However, as the entity grows larger, it becomes necessary to delegate
functional responsibilities to employees. Which should also reflect in the organizational
structure. Once this occurs, mechanisms need to be introduced which enable the
performance of the employees to be checked, to ensure that they are fulfilling their
responsibilities as intended.

According to PSA 515, internal control is the process designed and affected by those
charged with governance, management and other personnel to provide reasonable
assurance about the achievement of the company's objectives with regard to reliability
of financial reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations.

This definition embodies four essential concepts. (Salosagcol, 2014)

1 Internal control is a process.

2
Internal control is not an end in itself, instead, it is a means of achieving the entity's
objectives.
Internal control is effected by those charged with governance,
2
management and other personnel.

Internal control is accomplished by people at every level of organization, including the

management, those charged with governance, and entity’s staff personnel. It is the
responsibility of the management to establish a control environment and maintain
Policies and procedures to assist in achieving the entity’s objectives. Those charged with
governance, on the other hand ensure the integrity of accounting and financial
reporting systems through Oversight of management. Staff personnel should also
perform their respective functions in order to accomplısh the objectives of the entity.

Internal control can be expected to provide reasonable assurance of

3 achieving
the entity's abjectives
Internal control can only provide reasonable assurance (no absolute assurance) that the
entity’s objectives will be achieved. This is because there are inherent limitations that
may affect the internal control's effectiveness. These imitations include:

 Management's usual requirement that the cost of an internal control should not
exceed the expected benefits to be derived.
 Most internal controls tend to be directed at routine transactions rather than
non-routine transactions.
 The potential tor human error due to carelessness, distraction mistakes of
judgment and the misunderstanding of instructions.
 The possibility of circumvention of internal controls through the collusion among
employees.
 The possibility of management overriding the internal control.
 The possibility that procedures may become inadequate due to changes in
conditions, and compliance with procedures may deteriorate.

4
Internal Internal control is designed to help achieve the entity’s objectives.

Internal control is geared towards the achievements of the entity’s objectives in the
following categories:

3
 Effectiveness and Compliance with
Reliability of
efficiency of laws and
financial reporting
operations. regulations

The only concerned of the auditor in the audit of the financial statements are those
policies and procedures within the accounting and internal control systems that are
relevant to the financial statement assertions. Therefore, financial reporting objective is
the most relevant objective to the audit.

Operational and compliance objectives may be relevant to the audit only it they relate
to data the auditor evaluates to determine the reliability of some financial statement
assertions. (Salosagcol, 2014)

For example, controls pertaining to non-financial data that the auditor uses in
analytical procedures, such as production statistics, or controls pertaining to
detecting non-compliance with laws and regulations that may have a direct and
material effect on the financial statements, such as controls over compliance
with income tax laws and regulations used to determine the income tax
provision, may be relevant to an audit

COMPONENTS OF INTERNAL CONTROL

Although internal control policies and procedures vary significantly from one entity to
another, there are essential components of internal control that must be established to
provide reasonable assurance that the entity’s objectives will be achieved. There are five
interrelated components of the entity's internal control, namely: (Salosagcol, 2014)

Control
Environment

Control
Monitoring
Activities
Components
of Internal
Control

Informaiton
Risk and
Assessment communicati
on systme

4
Control Environment

The attitudes, awareness, and actions of management and those charged with
governance concerning the entity’s internal control and its importance in the entity are
the main components of the control environment. The control environment also
includes the governance and management functions and sets the tone of an
organization, influencing the control awareness of its people. It is the foundation for
effective internal control, providing discipline and structure.

Integrity and ethical values Commitment to competence

Management philosophy and Personnel policies and

operating style procedures

Active participating of those Assignment of responsibility

charged with governance and authority

1. Integrity and ethical values

Organization should impose ethical standards that prevent employees from

engaging in dishonest, unethical, or illegal acts that could essentially affect the
financial statements.
2. Management philosophy and operating style
The auditor should assess the management attitude towards financial reporting and
their emphasis on meeting projected profit goals because these will significantly
influence the risk of material misstatements in the financial statements.
3. Active participation of those charged with governance
An audit committee must be established in an organization which will be responsible
for overseeing the financial reporting policies and practices of the entity.
4. Commitment to competence
The entity should consider the level of competence required for each task and
translate it to requisite knowledge and skills.
5. Personnel policies and procedures
Policies tor hiring training, evaluating promoting, and compensating entity's
personnel must be properly implemented because the competence of the entity's
employees will bear directly on the effectiveness of the entity s internal control.

5
 6. Organizational structure provides a framework for planning directing, and
controlling the entity's operations.
Business segmentation must be given priority to prevent jurisdictional ambiguities.
There must be a proper segregation of duties in the organization to minimize fraud,
errors, and other misconducts.

Risk Assessment

There are myriad number of risks an entity may be confronted. Busıness risk is
the factors that hinder the attainment of the organizational goals and objectives due to
the intervening internal and external factors.

Business risk is a threat in an organization. However, growth could not be

attained without short falls. To prevent such risk, entity must developed adopt policies
and procedures that are designed to identity and analyze the risks affecting the entity s
business and to take the appropriate action to manage these risks. For audit purposes,
the auditor is concerned only with those risks that are relevant to the preparation of
reliable financial statements.

Information and Communication Systems

Information and communication play a vital role

in an effective internal control. The information
system applicable to financial reporting
objectives, which contains the financial reporting
system, consists of the procedures and records
established to initiate, record, process, and
report entity transactions and to maintain
accountability for the related assets, liabilities,
and equity.

An information system encompasses methods and records

that: (Salosagcol, 2014)
 ldentify and record all valid transactions.
 Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements.
 Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
 Present properly the transactions and related disclosures in the financial
statements.

6
Providing an understanding of individual roles and responsibilities pertaining to internal
control over financial reporting can be done through proper communication.
Communication channels must be open to help ensure that exceptions are reported and
acted on.

Electronically, orally, and through the actions of management are the forms of
communication in the organization. It can take such forms as policy manuals,
accounting and financial reporting manuals, and memoranda.

Control Activities

Control activities are the policies and procedures that help guarantee that management
commands are performed. Specific control procedures that are relevant to financial
statement audit would include: (Salosagcol, 2014)

Performance Information Physical Segregation of

Reviews Processing Controls duties

Performance reviews

These control activities include reviews and analyses of actual performance

versus budgets, forecasts, and prior period performance; relating different sets of
data to one another together with analyses of the relationships and investigative
and corrective actions.

Information processing
A variety of controls are performed to check accuracy, completeness, and
authorization of transactions. When computer processing is used in significant
accounting applications, internal control procedures can be classified into two
types: general and application controls.
 

Physical controls
These activities encompass the physical security of assets, including adequate
safeguards such as secured facilities over access to assets and records
authorization for access to computer programs and data files; and periodic
counting and comparison with amounts shown on control records.

7
Segregation of duties
Assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets 1s intended to reduce
the opportunities to allow person to be in a position to both perpetrate and
conceal errors or fraud in the normal course of the person's duties

Examples of segregation of duties include reporting, reviewing and approving

reconciliations, and approval control of documents.

Monitoring
Monitoring is a process of assessing the quality of internal control performance
over time. It involves assessing the design and operation of controls on a timely
basis and taking necessary corrective actions. Monitoring is done to ensure that
controls continue to operate effectively.

Monitoring of controls is accomplished through ongoing monitoring activities,

separate evaluations, or a combination of the two. Ongoing monitoring activities
are built into the normal recurring activities of an entity and include regular
management and supervisory activities such as preparation of monthly bank
reconciliation. Separate evaluations are monitoring activities that are performed
on a non-routine basis, such as functions performed by internal auditors.

Consideration of Internal Control

The key responsibility of the entity’s management is to establish and maintain an

entity's accounting and internal controls systems. However, an auditor should also
monitor the system that will be implemented because it can greatly affect the audit.

8
 Consideration of the entity’s internal control systems involves the following steps:
(Salosagcol, 2014)

Document the
assessed level of
Perform tests of control risks
Document the Assess the level of controls
understanding of control risk
Obtain accounting and
understanding of internal control
the internal systems
control

Understanding Internal Control

A sufficient understanding of the components of the entity’s internal control relevant to
the audit must be obtained by the auditor. This involves:
 evaluating the design of a control; and
 determining whether it has been implemented.
The auditor uses the understanding of internal control to:

 Recognize types of potential misstatements that can occur.

 Study factors that affect the risk of material misstatements.
 Design the nature, timing, and extent audit procedures to be performed.
Documenting the auditor's understanding of internal control
The next step after obtaining sufficient knowledge about the design of internal
control system and verifying that the policies and procedures are implemented, the next
would be the documentation process of the knowledge and understanding gained
throughout the performance of the previous steps. The level of documentation may
vary depending on the size and complexity of the entity and nature of the entity's
internal control systems. Some commonly used forms of documentation include:
(Salosagcol, 2014)

9
 Internal
Narrative
Flowchart control
description
questionnaire

Assessment of Control Risk

After getting and recording the auditor's understanding of the accounting and inside
control frameworks, the inspector ought to make a preparatory evaluation of control
hazard, at the attestation level, for each fabric account adjust or lesson exchanges. The
reviewer s preparatory evaluation of control hazard may be at a tall level (100%) or less
than tall level.
When the auditor's information of the entity’s inner control shows that inside controls
related to a specific attestation are not successful, the evaluator may essentially survey
control chance at a high level. Subsequently, no tests of controls ought to be performed
and the evaluator will depend basically on substantive tests.
On the other hand, it the inspector accepts that controls show up to be dependable, the
evaluator ought to decide whether it is effective to get the prove to legitimize an
evaluation of control hazard at a lower level
On the off chance that the reviewer concludes that it is more productive to depend on
the entities internal control frameworks, the inspector would plan to evaluate control
hazard at less than tall level for this reason, the evaluator ought to:

 ldentify specific internal control policies or procedures that are likely to prevent
or detect and correct material misstatement relevant to financial statement
assertion, and
 Preform tests of control to determine the effectiveness of such policies or
procedures.
Performing tests of controls
Regardless of how successful inner control methods may show up to be in anticipating
material misstatements from occurring in the financial statements, before the auditor
can rely on them to reduce substantive tests, the reviewer must test these controls to
get prove that they are working successfully as the preparatory evaluation suggests.

Tests of controls are performed to obtain evidence about the effectiveness of the design
of the accounting and internal control systems or operation of the internal controls
throughout the period.

10
It is vital to note that the auditor will only tests the working adequacy of controls that
are likely to identify or avoid material misstatements. That it is the auditor will only test
those controls that he or she plans to depend upon.

According to PSA, the auditor should obtain audit evidence through tests of control to
support any assessment of control risk at less than high level. The lower the assessment
of control risk, the more support the auditor should obtain that the internal control is
suitably designed and operating effectively. Thus, the greater the reliance the auditor
plans to place on internal control the more extensive the tests of those controls that
need to be performed.

Nature of tests of control

Inquiry

Observation
Reperformance

Inspection

Inquiry comprises of looking for the suitable data about the effectiveness of internal
control from knowledgeable people inside or outside the entity.
Observation refers to looking at the method being performed by others.

Inspection includes the examination of records and document to supply the entity of
reliability of the entity over the processing.

Repertormance involves restating the activity performed by the client to control how
proper results were obtained
For example, the auditor may re-perform the procedure by tracing the sales
prices to the authorized price list in effect at the date of the transaction. If no
errors are found, the auditor can conclude that the procedure is operating as
intended.

11
For certain controls such as segregation of duties documentary evidence audit trail) may
not exist. In this case, the auditor will have to test the effectiveness of the control
procedure by making inquiry of appropriate client personnel and observing the
application of the control procedures.

Timing of tests of controls

Auditors usually perform tests of controls during an interim visit in advance of period
end. However, auditors cannot rely on the results of such tests without considering the
need. To obtain further evidence relating to the remainder of period. This evidence may
be obtained by performing tests control for the remaining period or by reviewing
whether there are changes affecting the entity s internal control system. In determining
whether or not to test the remaining period the following factors must be considered:
(Salosagcol, 2014)

The result of the

interim tests. The length of the
remaining period. Whether changes
have occured in the
accounting and
internal control
systems during the
remaining period.

Using the results of tests of control

The evaluation of the internal control whether it is operating according to what is
intended must be based on the results of the tests of control. The result of this
evaluation concluded by the auditor is called the assessed level of control risk. In
identifying the desired level of detection risk the auditor may use the assessed level of
control risk.
There is an opposite relationship between detection risks and the combined level of
inherent and control risks.
Documenting the assessed level of control risk

After evaluating the results of tests of control and assessing the control risk, the auditor
should document his assessment of control risk.
If the control risk is assessed at a high level, the auditor should document his conclusion
that control risk is at a high level.
If control risk is assessed at less than high level, the auditor should document his
conclusion that control risk is less than high and the basis for that assessment. This basis

12
is actually the results of tests of control. Hence, the auditor cannot assess control risk at
less than high level without performing tests of control.

COMMUNICATION OF INTERNAL CONTROL WEAKNESSES

The tests conducted will give the auditor an adequate assessment on how weak the
system is. Through this, the auditor is obliged to prepare to the appropriate level of
management material weaknesses in the model and internal control systems. The
report may be in writing and should be accomplished at the earliest opportunity so that
appropriate corrective actions may be taken the soonest. Oral communications could
also be made provided these are adequately documented in the audit workıng papers.

It is to be emphasized that reviewers are not required to hunt for and/or recognize
inside control shortcomings. The auditor must, in any case, communicate internal
control shortcomings to the client when they come to their consideration during the
course of the audit internal control weaknesses alongside with other concerns are
reported in a formal letter desired by the management.

13
 ACTIVITIES

Activity 1 (This case was prepared by James Hall)

Bern Fly Rod Company

Bern Fly Rod Company is a small manufacturer of high-quality graphite
fly-fishing rods. It sells its products to fly-fishing shops throughout the United
States and Canada. Bern began as a small company with four salespeople, all
family members of the owner. Due to high popularity and recent growth in fly-
fishing, Bern now employs a sales force of 16, and for the first time employs
nonfamily members. The sales people travel around the country giving fly-
casting demos of their new models. Once the sales orders are generated,
inventory availability is determined and, if necessary, the sales person sends the
order directly to the manufacturing department for immediate production. Sales
staff compensation is tied to directly to their sales figures. Bern’s financial
statements for the December year-end reflect unprecedented sales, 35 percent
higher than last year. Further, sales for December account for 40 percent of all
sales. Last December sales accounted for only 20 percent of all sales.

Required:
 Analyze the previous situation and assess any potential internal control issues
and exposures.
 Discuss some preventive measures this firm may wish to implement.

Activity 2

A purchasing agent for a home improvement center is also part owner in a wholesale
lumber company. The agent has sole discretion in selecting vendors for the lumber sold
through the center. The agent directs a proportionate number of purchase orders to his
company, which charges above-market prices for its product. The agent’s financial
interest in the supplier is unknown to his employer.
Required:
 What type of fraud is this and what controls can be implemented to predict or
detect the fraud?

14
Discussion Questions:
1. When a company has a strong internal control structure, stockholders can expect
the elimination of fraud. Comment on the soundness of this statement.

2. Most accounting firms allow their employees to marry within the accounting
firms; however, they do not allow an employee to remain working for them if he
or she marries an employee of one of their auditing clients. Why do you think
this policy exist?

Activity 3
Explain why each of the following combinations of task should, or should not, be
separated to achieve adequate internal control:
a. Approval of bad debt write-offs and the reconciliation of the accounts
receivable subsidiary ledger and the general ledger control account.
b. Distribution of payroll checks to employees and approval of employee time
cards.
c. Posting of amounts from both the cash receipts and the cash disbursements
journals to the general ledger.
d. Writing checks to vendors and posting to the cash account.
e. Recording cash receipts in the journal and preparing the bank reconciliation.

15