INTERNAL CONTROL
6
TOPICS
Nature of Internal Control
Components of Internal Control
Considerations of Internal Control
Communications of Internal Control Weaknesses
INTRODUCTION
To assist the organization towards the achievement of its goals and objectives,
careful planning, sound policies and procedures, and internal controls must be
implemented. Since transactions within an organization span different business
functions, internal control, aside from being systematic, should be set forth for the
safeguarding of assets, prevention and detection of fraud and errors, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial
statements.
A proper internal control system allows no person to be in a position to both
perform and conceal irregularities in the normal course of his duties, since the work of one
employee is verified automatically by the next employee in the logical flow of work.
Thus, segmentation must be properly observed. A good internal control system provides
that different individuals perform the functions of: authorizing transactions; recording
transactions; maintaining custody of the assets that result from the transaction; and
comparing or checking the assets with the related amount entered in the entity's
accounting records.
CONSIDERATION OF INTERNAL CONTROL (Salosagcol, 2014)
Set Desired Level of Audit Risk → Assess Inherent Risk → Assess Control Risk → Determine Acceptable Level of Detection Risk
The auditor is responsible for setting the desired level of audit risk, which is the
very first step in audit planning; the assessment of inherent risk should
follow.
Assessing control risk is the process of evaluating the design and operating
effectiveness of an entity’s internal control as to how it prevents or detects material
misstatements in the financial statements. The conclusion reached as a result of
assessing control risk is referred to as the assessed level of control risk.
According to PSA 515, internal control is the process designed and effected by those
charged with governance, management and other personnel to provide reasonable
assurance about the achievement of the company's objectives with regard to reliability
of financial reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations.
Internal control is not an end in itself; instead, it is a means of achieving the entity's
objectives.
Internal control is effected by those charged with governance,
management and other personnel.
Management's usual requirement that the cost of an internal control should not
exceed the expected benefits to be derived.
Most internal controls tend to be directed at routine transactions rather than
non-routine transactions.
The potential for human error due to carelessness, distraction, mistakes of
judgment and the misunderstanding of instructions.
The possibility of circumvention of internal controls through the collusion among
employees.
The possibility of management overriding the internal control.
The possibility that procedures may become inadequate due to changes in
conditions, and compliance with procedures may deteriorate.
Internal control is designed to help achieve the entity’s objectives.
Internal control is geared towards the achievement of the entity’s objectives in the
following categories:
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with laws and regulations
The auditor's only concern in the audit of the financial statements is those
policies and procedures within the accounting and internal control systems that are
relevant to the financial statement assertions. Therefore, the financial reporting objective is
the most relevant objective to the audit.
Operational and compliance objectives may be relevant to the audit only if they relate
to data the auditor evaluates to determine the reliability of some financial statement
assertions. (Salosagcol, 2014)
For example, controls pertaining to non-financial data that the auditor uses in
analytical procedures, such as production statistics, or controls pertaining to
detecting non-compliance with laws and regulations that may have a direct and
material effect on the financial statements, such as controls over compliance
with income tax laws and regulations used to determine the income tax
provision, may be relevant to an audit.
Components of Internal Control:
Control Environment
Risk Assessment
Information and communication system
Control Activities
Monitoring
Control Environment
The attitudes, awareness, and actions of management and those charged with
governance concerning the entity’s internal control and its importance in the entity are
the main components of the control environment. The control environment also
includes the governance and management functions and sets the tone of an
organization, influencing the control awareness of its people. It is the foundation for
effective internal control, providing discipline and structure.
6. Organizational structure provides a framework for planning, directing, and
controlling the entity's operations.
Business segmentation must be given priority to prevent jurisdictional ambiguities.
There must be a proper segregation of duties in the organization to minimize fraud,
errors, and other misconduct.
Risk Assessment
There is a myriad of risks that an entity may confront. Business risk refers to
the factors that hinder the attainment of the organizational goals and objectives due to
intervening internal and external factors.
Providing an understanding of individual roles and responsibilities pertaining to internal
control over financial reporting can be done through proper communication.
Communication channels must be open to help ensure that exceptions are reported and
acted on.
Communication in the organization takes place electronically, orally, and through the
actions of management. It can take such forms as policy manuals,
accounting and financial reporting manuals, and memoranda.
Control Activities
Control activities are the policies and procedures that help guarantee that management
commands are performed. Specific control procedures that are relevant to financial
statement audit would include: (Salosagcol, 2014)
Performance reviews
Information processing
A variety of controls are performed to check accuracy, completeness, and
authorization of transactions. When computer processing is used in significant
accounting applications, internal control procedures can be classified into two
types: general and application controls.
Physical controls
These activities encompass the physical security of assets, including adequate
safeguards such as secured facilities over access to assets and records;
authorization for access to computer programs and data files; and periodic
counting and comparison with amounts shown on control records.
Segregation of duties
Assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets is intended to reduce
the opportunities for any person to be in a position to both perpetrate and
conceal errors or fraud in the normal course of the person's duties.
Monitoring
Monitoring is a process of assessing the quality of internal control performance
over time. It involves assessing the design and operation of controls on a timely
basis and taking necessary corrective actions. Monitoring is done to ensure that
controls continue to operate effectively.
Consideration of the entity’s internal control systems involves the following steps:
(Salosagcol, 2014)
Obtain understanding of the internal control
Document the understanding of accounting and internal control systems
Assess the level of control risk
Perform tests of controls
Document the assessed level of control risks
Narrative description
Flowchart
Internal control questionnaire
Identify specific internal control policies or procedures that are likely to prevent
or detect and correct material misstatement relevant to financial statement
assertion, and
Perform tests of control to determine the effectiveness of such policies or
procedures.
Performing tests of controls
Regardless of how effective internal control procedures may appear to be in preventing
material misstatements from occurring in the financial statements, before the auditor
can rely on them to reduce substantive tests, the auditor must test these controls to
obtain evidence that they are working as effectively as the preliminary evaluation suggests.
Tests of controls are performed to obtain evidence about the effectiveness of the design
of the accounting and internal control systems or operation of the internal controls
throughout the period.
It is vital to note that the auditor will only test the operating effectiveness of controls that
are likely to detect or prevent material misstatements. That is, the auditor will only test
those controls that he or she plans to depend upon.
According to PSA, the auditor should obtain audit evidence through tests of control to
support any assessment of control risk at less than high level. The lower the assessment
of control risk, the more support the auditor should obtain that the internal control is
suitably designed and operating effectively. Thus, the greater the reliance the auditor
plans to place on internal control, the more extensive the tests of those controls that
need to be performed.
Inquiry
Observation
Reperformance
Inspection
Inquiry consists of seeking appropriate information about the effectiveness of internal
control from knowledgeable people inside or outside the entity.
Observation refers to looking at the procedure being performed by others.
Inspection includes the examination of records and documents to provide evidence of
the reliability of the entity's processing.
Reperformance involves repeating the activity performed by the client to check whether
proper results were obtained.
For example, the auditor may re-perform the procedure by tracing the sales
prices to the authorized price list in effect at the date of the transaction. If no
errors are found, the auditor can conclude that the procedure is operating as
intended.
For certain controls, such as segregation of duties, documentary evidence (audit trail) may
not exist. In this case, the auditor will have to test the effectiveness of the control
procedure by making inquiry of appropriate client personnel and observing the
application of the control procedures.
After evaluating the results of tests of control and assessing the control risk, the auditor
should document his assessment of control risk.
If the control risk is assessed at a high level, the auditor should document his conclusion
that control risk is at a high level.
If control risk is assessed at less than high level, the auditor should document his
conclusion that control risk is less than high and the basis for that assessment. This basis
is actually the results of tests of control. Hence, the auditor cannot assess control risk at
less than high level without performing tests of control.
The tests conducted will give the auditor an adequate assessment of how weak the
system is. Through this, the auditor is obliged to report to the appropriate level of
management material weaknesses in the model and internal control systems. The
report may be in writing and should be accomplished at the earliest opportunity so that
appropriate corrective actions may be taken as soon as possible. Oral communications could
also be made provided these are adequately documented in the audit working papers.
It is to be emphasized that auditors are not required to search for or identify
internal control weaknesses. The auditor must, in any case, communicate internal
control weaknesses to the client when they come to the auditor's attention during the
course of the audit. Internal control weaknesses, along with other concerns, are
reported in a formal letter desired by the management.
ACTIVITIES
Required:
Analyze the previous situation and assess any potential internal control issues
and exposures.
Discuss some preventive measures this firm may wish to implement.
Activity 2
A purchasing agent for a home improvement center is also part owner in a wholesale
lumber company. The agent has sole discretion in selecting vendors for the lumber sold
through the center. The agent directs a proportionate number of purchase orders to his
company, which charges above-market prices for its product. The agent’s financial
interest in the supplier is unknown to his employer.
Required:
What type of fraud is this and what controls can be implemented to predict or
detect the fraud?
Discussion Questions:
1. When a company has a strong internal control structure, stockholders can expect
the elimination of fraud. Comment on the soundness of this statement.
2. Most accounting firms allow their employees to marry within the accounting
firms; however, they do not allow an employee to remain working for them if he
or she marries an employee of one of their auditing clients. Why do you think
this policy exists?
Activity 3
Explain why each of the following combinations of tasks should, or should not, be
separated to achieve adequate internal control:
a. Approval of bad debt write-offs and the reconciliation of the accounts
receivable subsidiary ledger and the general ledger control account.
b. Distribution of payroll checks to employees and approval of employee time
cards.
c. Posting of amounts from both the cash receipts and the cash disbursements
journals to the general ledger.
d. Writing checks to vendors and posting to the cash account.
e. Recording cash receipts in the journal and preparing the bank reconciliation.