UNIVERSITY OF GUYANA

ACT 3202 – PRINCIPLES OF AUDITING

LECTURE NOTES – WEEK 5

LECTURER: A Aaron

INTERNAL CONTROL EVALUATION

Internal controls supplement the accounting system, providing
management with greater assurance regarding the integrity of the
accounting environment.

Definition – Internal control

‘The whole system of controls, financial and otherwise, established
by the management in order to carry on the business of the
enterprise in an orderly and efficient manner, ensure adherence to
management policies, safeguard the assets and secure as far as
possible the completeness and accuracy of the records. The
individual components of an internal control system are known as
‘controls’ or ‘internal controls’.

Management’s responsibility if defined in the following terms.

“It is the responsibility of management to decide the extent of the
internal control system which is appropriate to the enterprise. The
nature and extent of controls will vary between enterprises and
also from one part of an enterprise to another. The controls used
will depend on the nature, size and volume of the transactions, the
degree of control which members of management are able to
exercise personally, the geographical distribution of the enterprise
and many other factors. The choice of controls may reflect a
comparison of the cost of operating individual controls against the
benefits expected to be derived from them.

Many of the internal controls, which would be relevant to the larger

enterprise, are not practical, appropriate or necessary in a small
enterprise.

1|Page
Main types of internal control
 Segregation of duties
 Organization
 Authorization and approval
 Physical
 Supervisory
 Personnel
 Arithmetical and accounting
 Management

Organization
Enterprises should have a plan of their organization, defining and
allocating responsibilities and identifying lines of reporting for all
aspects of the enterprise’s operations, including controls. The
delegation of authority and responsibility should be clearly
defined.

Segregation of duties
This reduces the risk of intentional manipulation or error and
increases the element of checking. Functions should be separate –
authorization, execution, custody, recording and in the case of a
computer-based accounting system, systems development and daily
operations.

Physical
Concerned mainly with the custody of assets and involve
procedures and security measures designed to ensure access to
assets is limited to authorized personnel. This includes both direct
and indirect access via documentation. These controls assume
importance in the case of valuable, portable, exchangeable or
desirable assets.

Authorization and approval

All transactions should require authorization or approval by an
appropriate responsible person.

2|Page
Arithmetical and accounting
These are controls within the recording function which check that
the transaction to be recorded and processed have been
authorized, that they are all included and that they are correctly
recorded and accurately processed. Such controls include checking
the arithmetical accuracy of the records, the maintenance and
checking of totals, reconciliations, control accounts and trial
balances, and accounting for documents.

Personnel
There should be procedures to ensure that personnel have
capabilities commensurate with their responsibilities. The proper
functioning of any system depends on the competence and integrity
of those operating it. The qualifications, selection and training as
well as the innate personal characteristics of the personnel involved
are important features to be considered in setting up any control
system.

Supervision
Any system of internal control should include the supervision by
responsible officials of day-to-day transactions and the recording of
them.

Management
These are the controls exercised by management outside the day-to-
day routing of the system. They may include the overall
supervisory controls exercised by management, the review of
management accounts and comparison thereof with budgets, the
internal audit function and any other special review procedures.

Limitations on the effectiveness of internal controls

The guideline warns that no internal control system is foolproof.

 No internal control system, however elaborate, can by itself

guarantee efficient administration and the completeness and
accuracy of the records, no can it be proof against fraudulent
collusion, especially on the part of those holding positions of
authority or trust.

3|Page
  Internal controls depending on segregation of duties can be
avoided by collusion.
 The person in whom the authority is vested can abuse
authorization controls.
 Whilst the competence and integrity of the personnel operating
the controls may be ensured by selection and training, these
qualities may alter due to pressure exerted both within and
without the enterprise.
 Human error due to errors of judgement or interpretation, to
misunderstanding carelessness, fatigue or distraction may
undermine the effective operation of internal controls.

The auditor needs to ascertain and record the internal control

system in order to make a preliminary evaluation of the
effectiveness of its component controls and to determine the extent
of his reliance on these controls. This recording will normally be
carried out concurrently with the recording of the accounting
system; the use of flowcharting techniques is a simple yet effective
way of achieving this dual objective.

Having documented the system, including internal controls, and

confirmed its operation by means of walk through tests, the auditor
will then commence his evaluation.

This evaluation is assisted by the use of documentation designed

to help identify the internal controls on which the auditor may
which to place reliance. Two documents used to do so are:
1. Internal Control Questionnaire (ICQ)
2. Internal Control Evaluation Questionnaire (ICEQ)

Internal Control Questionnaires

The major question which internal control questionnaires are
designed to ask is ‘How good is the system of controls? Where
strengths are identified, the auditor will perform work in the
relevant areas. If, however, weaknesses are discovered he should
then ask:
(a) What errors or irregularities could be made possible by these
weaknesses;

4|Page
 (b) Could such errors or irregularities be material to the accounts,
and hence
(c) What substantive audit tests will enable such errors or
irregularities to be discovered and quantified?

Functions of internal control questionnaires

(a) A method of ascertainment of the system.
(b) Enabling the auditor to review and assess the adequacy of the
system.
(c) Enabling the auditor to identify areas of weakness.
(d)Enabling the auditor to design a series of tests. In effect
this means enabling the auditor to draw up his audit
programme.
(e) Enabling audit staff to familiarize themselves with the
system quickly and comprehensively.

Advantages of using internal control questionnaires

(a) The use of standardized ICQ ensures that all the important
questions are asked and the important characteristics of a
system are brought out.
(b) The ICQ is a comprehensive, all in, inclusive method of
ascertaining, recording and evaluating a system of internal
control.
ICQs confirm to the following principles:
 They comprise a list of questions designed to determine
whether desirable controls are present and
 They are formulated so that there is one to cover each of
the major transaction cycles.
One of the most effective ways of designing the questionnaire is to
phrase questions so that all the answers can be given as ‘YES’ or
‘NO’ and a ‘NO’ answer indicates a weakness in the system. For
example:

Are purchase invoices checked to goods received notes before being

passed for payment?
YES/NO/COMMENTS

A ‘NO’ answer to that question clearly indicates a weakness in the

company’s payment procedures.
5|Page
ICQs normally have columns for:
 Questions
 Answers – if possible Yes/No.
 Assessment of Internal Control strength.
 Disposal of weaknesses.
 Cross reference to Audit Programme.

Questions of this sort can also be formulated for other transaction

cycles, such as:
 Bank reconciliation
 Unclaimed wages etc.

Weakness of ICQs
A weakness of ICQs is that they can promote a somewhat
standardized approach to evaluation. The answering of questions
becomes an end in itself, rather than the means to an end. The
auditor is concerned with whether the controls do or do not prevent
the possibility of material errors occurring. This is not always easy
to determine with an ICQ where the questions are notionally of
equal weight. In many systems a particular ‘No’ answer (say,
referring to a lack of segregation of duties) may cancel the apparent
value of a string of ‘Yes’ answers. Each situation must be judged on
its own merits and hence, although the ICQs are a standard pre-
printed pack, they should be used with imagination. As using ICQs
is a skilled and responsible task, the evaluation should be done by
a senior member of the audit team.

INTERNAL CONTROL EVALUATION QUESTIONNAIRES

This is an evaluation technique more concerned with assessing
whether specific errors (or frauds) are possible rather than
establishing whether certain desirable controls are present. This is
achieved by reducing the control criteria for each transaction
stream down to a handful of key questions (or control questions)
whose characteristic is that they concentrate on the significant
errors or omissions that could occur at each phase of the
appropriate cycle if controls are weak.

6|Page
Some audit firms use ICQs exclusively; others prefer to ascertain
the system by questioning staff and recording the system by means
of flowcharts or by written notes. If flowcharts and written notes
methods of recording the system is adopted, it is necessary to
evaluate the system’s strengths and weaknesses. An ideal method
of doing this is by means of an Internal Control Evaluation
Questionnaire.

An internal control evaluation questionnaire can be defined as a

standard set of questions, which have the advantage, like the ICQ,
of ensuring all the right questions are asked, and the strengths and
weaknesses of a system are brought out.

The basic questions in an ICEQ are called control questions. An

example from the sales area is ‘can sales be invoiced but not
recorded in the books?’ Each control question requires an answer
yeas or no. To determine the answer, a series of detailed questions
are then asked. To answer the control question referred to, the
backup questions would be:

 Are invoices pre-numbered?

 Is there an independent sequence check of the ledger posting
copy of the invoice with acknowledgement of performance?
 Are there procedures for spoilt and cancelled invoices?
 Is there control over ‘sale or return’ goods?
 Is there control over ‘pro forma’ invoices?

ICEQ questions can be formulated for areas such as:

 Purchases
 Sales
 Wages and Salaries
 Stock
 Fixed Assets
 Investments
 Management information and general controls

7|Page