SYSTEM OF INTERNAL CONTROLS
AUDITING FUNDAMENTALS
CHAPTER 4
OVERVIEW OF THE SYSTEM OF INTERNAL CONTROLS (INTRODUCTION)
LEARNING OUTCOMES:
• Define internal control over financial reporting.
• Explain the inherent limitations of internal control.
• Identify and discuss the components of internal control.
• Explain the management's responsibilities for internal control.
• Explain the management's risk assessment process.
• Discuss the differences and relations between general controls and application controls.
• Understand the role of a computerised system within an internal control environment.
LU2: Study Guide, Page 7 Copy Right Reserved © University of the Free State 2023
WHAT IS A SYSTEM OF INTERNAL CONTROLS?
• What is the purpose of a system of internal controls?
• Mitigate RISKS identified in the risk management process
• (Risk Response)
• Example:
Auditing Fundamentals, Page 119
WHAT IS THE PURPOSE OF A SYSTEM OF INTERNAL CONTROLS?
• System of internal controls: A system involving a combination of processes, controls, and policies and procedures.
• Designed, implemented and maintained to achieve an entity’s objectives.
• Based on the specific risks that the entity faces in achieving its objectives (specifically designed).
• Internal controls are executed by people and/or computers.
• Assurance over the effectiveness of internal controls (risk monitoring).
Auditing Fundamentals, Page 119
DEFINING SYSTEM OF INTERNAL CONTROLS
• Processes designed, implemented and maintained by those charged with governance and others to provide reasonable assurance about the achievement of the entity's objectives:
• Reliability of the Financial Performance (IFRS)
• Effective and Efficient Operations
• Compliance with Laws & Regulations (Companies Act)
Auditing Fundamentals, Page 119
RESPONSIBILITY FOR INTERNAL CONTROLS:
Those charged with governance
• Overall responsibility and accountability for internal controls. Responsible for identifying the risks that the business needs to address.
Employees
• Responsible for executing the internal control procedures. For example, signing a document after preparing or reviewing it.
Auditing Fundamentals, Page 119
LIMITATIONS OF INTERNAL CONTROL:
• Internal controls DO NOT provide absolute assurance that the risks
identified have been sufficiently dealt with (provides reasonable
assurance).
• Cost vs Benefit
• Directed at routine transactions
• Potential for human error
• Incorrect human judgement
• Collusion between employees or others
• Management override of controls
• Inadequate controls
Auditing Fundamentals, Page 127
LIMITATIONS OF INTERNAL CONTROL:
• To ensure an effective system of internal controls, the following five (5) components
must be present:
• Control Environment
• Risk Assessment Process
• Information System and communication
• Control Activities
• Monitoring
Auditing Fundamentals, Page 120
CONTROL ENVIRONMENT
• Forms the overall foundation of internal controls.
• Attitude of management towards internal controls.
• Create and foster a good attitude towards internal controls by:
• Committed to competence
• Effective Risk Management
• Clear structure and responsibility
Auditing Fundamentals, Page 120
RISK ASSESSMENT PROCESS
• The risk assessment process deals with the governance of risk.
• Clear objectives need to be set before a risk assessment can be
done.
• The risk assessment process includes the following steps:
• Identifying the risks
• Assessing the likelihood and frequency of the risks identified
(how often), and the potential impact of the risk if it was to occur
• Deciding how to respond to the risk
• Risk assessment and monitoring is a continuous process
Auditing Fundamentals, Page 121
RISK ASSESSMENT PROCESS
Response to risk = Control activities
More controls
Less controls
Auditing Fundamentals, Page 121
RISK ASSESSMENT PROCESS
Specific consideration should be given to the assessment of
information technology (IT) risks.
Auditing Fundamentals, Page 121
INFORMATION SYSTEMS AND COMMUNICATION
Information Systems Accounting System Business Cycles
Auditing Fundamentals, Page 121 - 123
CONTROL ACTIVITIES
• These are the control activities that management implements to address
the risks identified.
• Control activities ensure that risks do not materialise or, should they materialise, that they are timeously detected and appropriately addressed.
• Control activities can also be classified as preventative, detective or corrective.
• We also distinguish between General IT Controls and Information processing controls.
• Different types of control activities (see next slide).
Auditing Fundamentals, Page 124 - 126
TYPES OF CONTROL ACTIVITIES
Documentation and records
• Document design: Easy to use and minimize errors
• Stationery controls: Sequentially pre-numbered and multi-copy
• Standard chart of accounts
Auditing Fundamentals, Page 124 - 126
TYPES OF CONTROL ACTIVITIES
Isolation of responsibility
• Employees should take responsibility for their tasks and acknowledge that they have completed a task by signing.
Auditing Fundamentals, Page 124 - 126
SEGREGATION OF DUTIES EXAMPLE:
The ordering process:
What could go wrong (risks) if one person is responsible for more than
one of these functions?
MONITOR THE SYSTEM OF INTERNAL CONTROL
• This involves the ongoing assessment over the design, and
implementation of internal.
• The monitoring process “tells” management how well the controls
are doing in reducing the risks that the entity’s objectives will not be
met. (How effective are the internal controls).
• Monitoring is done by management with the help of the internal
audit function.
Auditing Fundamentals, Page 126
HOW TO DESIGN A SYSTEM OF INTERNAL CONTROLS
STEP 1
• Identify the risk of a particular transaction
• From initiation to recording
Auditing Fundamentals, Page 128 - 136
HOW TO DESIGN A SYSTEM OF INTERNAL CONTROLS
| STEP 1: Identify the risk | STEP 2: Formulate a control objective | STEP 3: Design the internal controls |
| --- | --- | --- |
| There is a risk that an order is placed for the wrong goods | To ensure that the order is accurate and complete | Order should be reviewed by a senior against a requisition |
| There is a risk that the wrong goods are delivered | To ensure that the goods received are valid, accurate and complete | Goods delivered should be compared against the PO and DN |
| There is a risk we pay for goods not delivered | To ensure that the invoice is valid, and accurate | Recalculate Invoice and compare to GRN and DN |
Auditing Fundamentals, Page 128 - 136
HOMEWORK:
• Homework Question 1.1 (Available on Blackboard)
Auditing Fundamentals, Page 146
ACCOUNTING SOFTWARE
Examples of accounting software
[Figure: Flow of transaction]
• Initiate/Execute: Transaction. Capture data on manual source document.
• Record: [Source documents]. Input source document into system.
• Process: Process transaction; Masterfile changes and storage. Accounting records: Journals, ledgers, trial balance.
• Report: Output. Financial Statements.
Auditing Fundamentals, Page 149
INTERNAL CONTROLS WITHIN A COMPUTERISED ENVIRONMENT
• Internal controls can be both manual and computerised.
• Computerised controls are divided into two categories:
• General Information Technology (IT) Controls (General Controls)
• Information Processing controls
• Controls can also be classified according to their purpose:
• Preventative controls
• Detective controls and corrective controls
Auditing Fundamentals, Page 150 - 152
GENERAL IT CONTROLS
• Previously known as general controls
• Controls over IT processes (as a whole)
• Support continued functioning of the information processing controls
• If the general IT controls are weak, then the information processing
controls will not function effectively
• Policies and procedures relating to many applications
• Support their effective functioning
Auditing Fundamentals, Page 150 - 151
INFORMATION PROCESSING CONTROLS
• Controls relating to the processing of information
• Initiating, recording, processing and reporting of information
• Changes to standing data on the Masterfile
• Controls over specific IT applications or manual processes used for
processing information
• Protect the integrity of the information (valid, accurate and complete)
• Ensure information is free from fraud or error
Auditing Fundamentals, Page 151 - 152
EXAMPLE:
• General IT Controls: Those controls implemented over the entire phone (all
applications) to ensure they are working (E.g., antivirus protection, auto-updates or
screen lock).
• Information processing controls: Those controls implemented over a specific task (E.g.,
spell checker in your messaging apps or low battery warning).