
LU1:

SYSTEM OF INTERNAL CONTROLS

AUDITING FUNDAMENTALS
CHAPTER 4
OVERVIEW OF THE SYSTEM OF INTERNAL CONTROLS (INTRODUCTION)
LEARNING OUTCOMES:
• Define internal control over financial reporting.
• Explain the inherent limitations of internal control.
• Identify and discuss the components of internal control.
• Explain management's responsibilities for internal control.
• Explain management's risk assessment process.
• Discuss the differences and relations between general controls and application controls.
• Understand the role of a computerised system within an internal control environment.

LU2: Study Guide, Page 7 Copy Right Reserved © University of the Free State 2023
WHAT IS A SYSTEM OF INTERNAL CONTROLS?
• What is the purpose of a system of internal controls?
• Mitigate RISKS identified in the risk management process
• (Risk Response)
• Example:

Auditing Fundamentals, Page 119
WHAT IS THE PURPOSE OF A SYSTEM OF INTERNAL CONTROLS?
• System of internal controls: A system involving a combination of processes, controls, and policies and procedures.
• Designed, implemented and maintained to achieve an entity’s
objectives.
• Based on the specific risks that the entity faces in achieving its
objectives (specifically designed).
• Internal controls are executed by people and/or computers.
• Assurance over the effectiveness of internal controls (risk monitoring).

Auditing Fundamentals, Page 119
DEFINING SYSTEM OF INTERNAL CONTROLS
• Processes designed, implemented and maintained by those charged
with governance and others to provide reasonable assurance about the
achievement of the entity's objectives:
• Reliability of the Financial Performance (IFRS)
• Effective and Efficient Operations
• Compliance with Laws & Regulations (Companies Act)

Prevent / Detect / Correct

Auditing Fundamentals, Page 119
RESPONSIBILITY FOR INTERNAL CONTROLS:
Those charged with governance
• Overall responsibility and accountability for internal controls.
• Responsible for identifying the risks that the business needs to address.

Management at different levels
• Primarily responsible for designing and implementing the policies and procedures to address the risks.
• Responsible for maintaining the internal control process.

Employees
• Responsible for executing the internal control procedures. For example, signing a document after preparing or reviewing it.

Auditing Fundamentals, Page 119
LIMITATIONS OF INTERNAL CONTROL:
• Internal controls DO NOT provide absolute assurance that the risks
identified have been sufficiently dealt with (provides reasonable
assurance).

• Cost vs Benefit
• Directed at routine transactions
• Potential for human error
• Incorrect human judgement
• Collusion between employees or others
• Management override of controls
• Inadequate controls

Auditing Fundamentals, Page 127
LIMITATIONS OF INTERNAL CONTROL:
• To ensure an effective system of internal controls, the following five (5) components
must be present:

• Control Environment
• Risk Assessment Process
• Information System and communication
• Control Activities
• Monitoring

Auditing Fundamentals, Page 120
CONTROL ENVIRONMENT
• Forms the overall foundation of internal controls.
• Attitude of management towards internal controls.
• Create and foster a good attitude towards internal controls by:

• Communicate ethical values
• Participation by management
• Good leadership and judgement
• Committed to competence
• Effective Risk Management
• Clear structure and responsibility

Auditing Fundamentals, Page 120
RISK ASSESSMENT PROCESS
• The risk assessment process deals with the governance of risk.
• Clear objectives need to be set before a risk assessment can be
done.
• The risk assessment process includes the following steps:
• Identifying the risks
• Assessing the likelihood and frequency of the risks identified (how often), and the potential impact of the risk if it were to occur
• Deciding how to respond to the risk
• Risk assessment and monitoring is a continuous process

Auditing Fundamentals, Page 121
RISK ASSESSMENT PROCESS
Response to risk = Control activities

More controls

Less controls

Auditing Fundamentals, Page 121
RISK ASSESSMENT PROCESS
Specific consideration should be given to the assessment of
information technology (IT) risks.

Auditing Fundamentals, Page 121
INFORMATION SYSTEMS AND COMMUNICATION
Information Systems
• Processes and activities in preparing the FS
• Accounting System
• Business Processes
• Communicating to relevant stakeholders internally and externally
• Reliable financial reporting

Accounting System
• Path that transactions flow (documents)
• Stages:
  • Initiate and execute
  • Recording (Input)
  • Processing (Processing)
  • Reporting (Output)
• Various people and processes involved

Business Cycles
• Transactions can be grouped in cycles:
  • Acquisitions and payment cycle
  • Inventory cycle
  • Revenue and receipts cycle
  • Human Resource cycle
  • Investment and financing cycle

Auditing Fundamentals, Page 121 - 123
CONTROL ACTIVITIES
• These are the control activities that management implements to address
the risks identified.
• Control activities ensure that the risks do not materialise or, should they materialise, that they are timeously detected and appropriately addressed.
• Control activities can also be classified as preventative, detective or corrective.
• We also distinguish between General IT Controls and Information processing controls.
• Different types of control activities (see next slide).

Auditing Fundamentals, Page 124 - 126
TYPES OF CONTROL ACTIVITIES
Documentation and records
• Document design: Easy to use and minimize errors
• Stationery controls: Sequentially pre-numbered and multi-copy
• Standard chart of accounts

Authorisation and approval
• Assign responsibility for different levels of approval
• Approver: review supporting documents and sign
• Use of logical access controls

Segregation of duties
• Incompatible duties should be separated (not done by 1 person)
• To prevent fraud / error from being committed/undetected
• Initiation, authorization, executing, recording, assets

Auditing Fundamentals, Page 124 - 126
TYPES OF CONTROL ACTIVITIES
Isolation of responsibility
• Employees should take responsibility for their tasks and acknowledge that they have completed a task by signing.

Access control
• Controlling access to the assets (physical, data, and documents)
• Physical access controls and logical access controls
• Document register to control movement of documents

Verification, reconciliation and independent checks
• Confirm the accuracy, completeness, and validity of information
• Identify and investigate differences
• E.g., bank reconciliation or physical assets to asset register

Auditing Fundamentals, Page 124 - 126
SEGREGATION OF DUTIES EXAMPLE:
The ordering process:

Determining the need to order goods → Approval of goods to order → Placing an order → Receiving delivery of the goods → Invoice and payment

What could go wrong (risks) if one person is responsible for more than
one of these functions?
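
A detective check for the ordering process above, as an added example that is not part of the original slides: it scans an activity log and reports orders where one person performed more than one of the five functions, or where a function was never recorded. The function identifiers, order ids, user ids and log layout are assumptions made for the illustration.

```python
from collections import defaultdict

# The five ordering-process functions from the slide (identifiers are assumed names).
FUNCTIONS = ("determine_need", "approve", "place_order",
             "receive_goods", "pay_invoice")

# Constructed sample activity log: (order id, function performed, user id).
SAMPLE_LOG = [
    ("PO-1001", "determine_need", "emp_a"),
    ("PO-1001", "approve", "emp_b"),
    ("PO-1001", "place_order", "emp_c"),
    ("PO-1001", "receive_goods", "emp_d"),
    ("PO-1001", "pay_invoice", "emp_e"),
    ("PO-1002", "determine_need", "emp_a"),
    ("PO-1002", "approve", "emp_a"),        # requester approves own request
    ("PO-1002", "place_order", "emp_c"),
    ("PO-1002", "receive_goods", "emp_c"),  # buyer also receives the goods
    ("PO-1002", "pay_invoice", "emp_e"),
    ("PO-1003", "determine_need", "emp_b"),
    ("PO-1003", "place_order", "emp_c"),    # no approval was recorded
    ("PO-1003", "receive_goods", "emp_d"),
    ("PO-1003", "pay_invoice", "emp_e"),
]

def sod_findings(log):
    """Return {order_id: [finding, ...]} for orders that break segregation of duties."""
    by_user = defaultdict(lambda: defaultdict(set))  # order -> user -> functions held
    recorded = defaultdict(set)                      # order -> functions recorded
    for order_id, function, user in log:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {order_id}")
        by_user[order_id][user].add(function)
        recorded[order_id].add(function)
    findings = {}
    for order_id in sorted(by_user):
        issues = []
        for user, funcs in sorted(by_user[order_id].items()):
            if len(funcs) > 1:  # one person held incompatible duties on this order
                held = [f for f in FUNCTIONS if f in funcs]
                issues.append(f"{user} performed {' + '.join(held)}")
        issues += [f"missing step: {f}" for f in FUNCTIONS if f not in recorded[order_id]]
        if issues:
            findings[order_id] = issues
    return findings

if __name__ == "__main__":
    for order_id, issues in sod_findings(SAMPLE_LOG).items():
        print(order_id, "->", "; ".join(issues))
```
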
MONITOR THE SYSTEM OF INTERNAL CONTROL
• This involves the ongoing assessment of the design and implementation of internal controls.
• The monitoring process “tells” management how well the controls
are doing in reducing the risks that the entity’s objectives will not be
met. (How effective are the internal controls).
• Monitoring is done by management with the help of the internal
audit function.

Auditing Fundamentals, Page 126
HOW TO DESIGN A SYSTEM OF INTERNAL CONTROLS
STEP 1
• Identify the risk of a particular transaction
• From initiation to recording

STEP 2
• Formulate a control objective
• What should the system ensure

STEP 3
• Use the five (5) components to design the controls
• Thereafter, implement, maintain, and monitor

Auditing Fundamentals, Page 128 - 136
HOW TO DESIGN A SYSTEM OF INTERNAL CONTROLS
| STEP 1: Identify the risk | STEP 2: Formulate a control objective | STEP 3: Design the internal controls |
| --- | --- | --- |
| There is a risk of theft of goods kept in the warehouse | To ensure that inventory is complete (secure) | Implement physical access control to the warehouse |
| There is a risk that an order is placed for the wrong goods | To ensure that the order is accurate and complete | Order should be reviewed by a senior against a requisition |
| There is a risk that the wrong goods are delivered | To ensure that the goods received are valid, accurate and complete | Goods delivered should be compared against the PO and DN |
| There is a risk we pay for goods not delivered | To ensure that the invoice is valid, and accurate | Recalculate Invoice and compare to GRN and DN |

Auditing Fundamentals, Page 128 - 136
HOMEWORK:
• Homework Question 1.1 (Available on Blackboard)

INFORMATION IN A COMPUTERISED ENVIRONMENT
• Computers are a daily part of your life.
• Every business has some level of IT-integration.
• The IT-needs and the IT-risks may also differ depending on the level of IT-integration in the company.
• Objective: Reliable financial reporting

Auditing Fundamentals, Page 146
ACCOUNTING SOFTWARE
Examples of accounting software

WHAT PROCESS IS FOLLOWED:
• Process that data follows through the accounting software:

Accounting System / Stages of a transaction (flow of transaction):
• Initiate/Execute: Transaction. Capture data on manual source document.
• Record: [Source documents]. Input source document into system.
• Process: Accounting records: Journals, ledgers, trial balance. Process transaction, Masterfile changes and storage.
• Report: Financial Statements. Output.

Auditing Fundamentals, Page 149
INTERNAL CONTROLS WITHIN A COMPUTERISED ENVIRONMENT
• Internal controls can be both manual and computerised.
• Computerised controls are divided into two categories:
• General Information Technology (IT) Controls (General Controls)
• Information Processing controls
• Controls can also be classified according to their purpose:
• Preventative controls
• Detective controls and corrective controls

Auditing Fundamentals, Page 150 - 152
GENERAL IT CONTROLS
• Previously known as general controls
• Controls over IT processes (as a whole)
• Support continued functioning of the information processing controls
• If the general IT controls are weak, then the information processing
controls will not function effectively
• Policies and procedures relating to many applications
• Support their effective functioning

Auditing Fundamentals, Page 150 - 151
INFORMATION PROCESSING CONTROLS
• Controls relating to the processing of information
• Initiating, recording, processing, and reporting of information
• Changes to standing data on the Masterfile
• Controls over specific IT applications or manual processes used for
processing information
• Protect the integrity of the information (valid, accurate and complete)
• Ensure information is free from fraud or error

Auditing Fundamentals, Page 151 - 152
EXAMPLE:

Operating System / Applications
Makes use of Apps to function – work together to achieve a common goal

• General IT Controls: Those controls implemented over the entire phone (all
applications) to ensure they are working (E.g., antivirus protection, auto-updates or
screen lock).
• Information processing controls: Those controls implemented over a specific task (E.g.,
spell checker in your messaging apps or low battery warning).

HOMEWORK:
• Revise notes on the following General IT Controls:
• Control environment (5.8.1) [Page 154 – 157]
• System development and implementation controls (5.8.2) [Page 157 – 161]
• Access controls (5.8.3) [Page 162 – 166]
• Business continuity controls (5.8.4) [Page 167 – 169]
