
Auditing & Assurance Internal Control Mwamba Ally Jingu FCPA; PhD

INTERNAL CONTROLS

Internal Controls in Everyday Life

We all apply internal control in our everyday life. We lock our rooms and bags. We keep
sharp knives and some medicines out of reach of children. Examination questions are kept out
of reach of candidates until the examination day. All paid fees are recorded in a ledger for
future reference. Each of these actions is an example of internal controls. There are four main
types of internal controls. Locking our room and bags is an example of a preventative control.
Preventative controls are designed to prevent loss or risk from happening.

When thinking of preventative controls, the inefficiency and inconvenience of the procedure
must be balanced against the possible risk. The benefit of a control should be higher than its
costs. For example, it would be inefficient for the government to use TZS 150,000,000 to
collect TZS 130,000,000 as taxes. In addition, too many controls increase the motivation to
bypass or override the control procedure.

Reviewing your bank statement is an example of a detective control. Detective controls are
designed to identify the source of an error or irregularity and correct it. Detective controls
can assist in preventing small problems from becoming large problems. For instance, regular
measuring of the volume of petrol may uncover the fact that a petrol preserver does not consider
petrol evaporation during loading to the lorry tanks. Correcting evaporation estimates could
avoid a large inventory discrepancy between the records and the physical amount.

Corrective controls, on the other hand, strive to remedy problems that can be systematically
corrected. Additional training or changes in procedures are examples of corrective controls.
More often, corrective controls are put in place because of regulatory requirements.
Corrective controls become directive and preventive controls. The distinction is that they are
developed from seeing systematic problems, not through an assessment of risks. For example,
while posting a journal entry, the accountant has debited Mr. Mazengo instead of Mr.
Mkwawa for TZS 2,000,000. In this case, the trial balance still agrees, and later, on
verification of ledgers, this error was identified. The rectification entry here is to debit Mr.
Mkwawa and credit Mr. Mazengo, each by TZS 2,000,000. This is called a corrective control.


The Three Types of Internal Control

Internal control activities are usually classified into the following three types: preventive
controls; detective controls; and corrective controls. This is because internal controls can be
designed for various functions. Some controls can be installed to prevent undesirable
outcomes from occurring (preventive controls). Other controls can be installed to identify the
undesirable outcomes when they occur (detective controls). Other controls can be installed to
make sure that corrective action is taken to reverse undesirable outcomes or to see that they
do not recur (corrective controls). All three types are critical to the creation of an
effective control environment.

Preventive Controls
Preventive Controls are more cost-effective than detective controls and are designed to
discourage (avoid) errors and irregularities from occurring. They are proactive controls that
help prevent a loss. When built into a process, preventive controls prevent errors and fraud
from occurring and thus avoid the cost of correction. In general, preventive control activities
are the most cost effective of the three types of internal control activities, because they help
prevent the loss of assets in the first place and are often not very expensive to implement.
Examples of preventive controls include:
• Supervision of staff, i.e. instructing, guiding, monitoring and observing the employees
while they are performing jobs;
• Employing trustworthy staff by investigating their background prior to employment;
• Employing competent staff by examining their educational certification;
• Segregation of duties among employees to reduce the risk of error or inappropriate
action. Responsibilities for authorization and recording transactions are divided.
• Proper authorization (approvals) of transactions to prevent improper use of resources.
• Dual (two) signature requirements on all issued cheques.
• Store blank cheques in a locked drawer or cabinet, and limit access to the cheques.
• Require accounting department employees to take vacations.
• Require receipts for all petty cash disbursements with the date, amount received,
purpose or use for the funds, and name of the employee receiving the funds listed on
the receipt.

• Adequate documentation as well as proper record-keeping procedures to deter
improper transactions;
• Issue receipts for cash, using a pre-numbered receipt book.
• Physical control over cash by locking it in a safe box or in strong rooms.
• Important documents should be kept in locked cabinets.
• Fixed assets should be guarded by using security personnel; security camera systems.
• Visible cameras can also act as a preventative control by discouraging potential attackers.
• The use of passwords (PW) to stop unauthorized access to systems/applications;
• Ensuring that employees have a strong password for accessing computer systems.
• Computer PW should be periodically changed and shouldn’t be written down or kept
by the PC or in the drawer.

Detective Controls
Detective controls are designed to detect errors and irregularities, which have already
occurred and to assure their prompt correction. These types of internal controls measure the
effectiveness of preventive controls. In certain cases, some errors and frauds cannot be
effectively controlled through a system of prevention; however, they can be detected when
they occur. Detective controls supply the means with which to correct data errors, modify
controls or recover missing assets. These controls represent a continuous operating expense
and are more costly than preventive controls, but necessary. Examples include reconciliations:
An employee compares different sets of data to one another, identifies and investigates
differences, and takes corrective action. The common comparisons include:
• The amount of cash shown in the account holder’s books and the cash balance shown
in a bank statement (bank reconciliation).
• Value of inventory shown in the records and the value of inventory obtained during
the physical count.
• Reviews of performance: Management compares information about current
performance to budgets, forecasts, or other benchmarks to identify unexpected results.
• Comparison of the amount of physical petty cash on hand and the amount of petty
cash in the books (surprise checks). This can be done at any time without notice.


• A verification for ensuring that computer users change their password regularly.
• Comparing the actual price paid for raw material with the standard cost.

Other examples of detective controls include closed-circuit television (CCTV). A CCTV
camera is a good example of a detective control. A store manager who notices a pattern of
a cash drawer coming up short when attended by a particular clerk can easily look at video
of the clerk’s actions throughout the day to detect potential theft.

An access log and an alert system can quickly detect and notify management of attempts
by employees or outsiders to access unauthorized information or parts of a building. When
the detective control identifies a departure from standard, it sounds an alarm to attract
attention to the problem so that it can be corrected.

Corrective Controls
Corrective controls are designed to rectify (correct) irregularities that have been detected by
detective controls. They are actions taken to reverse the effects of detected irregularities. They
begin when an irregularity occurs and is detected and keep the "attention" on the problem
until management can correct the defect. They restore the system or process back to the state
prior to a damaging event. Corrective controls help to eliminate or reduce damage once a risk
has materialized. For example, a business may implement a full restoration of a system from
backup tapes after evidence is found that someone has improperly altered the payment data.
Likewise, a person may run an antivirus program after denial of service in the computer.

There is an important distinction between detective controls and corrective controls. Detective
controls identify irregularities and draw attention to them whereas corrective controls actually
correct (fix) the problem. For any detected irregularity, however, there may be more than one
possible corrective action, but the best course of action may not always be obvious. Linking a
corrective action to a detected irregularity as an automatic response may result in an incorrect
action that causes a worse problem than the original irregularity. For this reason, irregularity
correction should be viewed as a separate control step that should be taken cautiously.
Examples of Corrective Controls include:
• Restore data from backup following a failure;
• Incorrect invoices adjusted and resubmitted;


• Submit corrective journal entries after discovering an error;
• Rectifying transposition errors after being identified by IT application control;
• Changing a weak IT antivirus to a strong one after detecting data corruption;
• Quality teams that address ongoing problems to correct processes;
• Insurance programs that recover financial losses to return the insured to the same
financial position they were in prior to the loss;
• Training and operations manuals can be revised to prevent future errors and
irregularities;
• Modify the processing system(s) to minimize future occurrence of the problem.

Definition of Internal Controls


There are various definitions of internal control, as it affects the various stakeholders of an
organization in a number of ways and at different levels of aggregation. The authoritative
definition of internal controls is provided by (i) the International Standard on Auditing 315
(Revised 2019), Identifying and Assessing the Risks of Material Misstatement, and (ii)
“The Committee of Sponsoring Organizations of the Treadway Commission (COSO),
Internal Control – Integrated Framework”. This hand-out uses the COSO (2013) framework
because it is identical to ISA 315.

The Committee of Sponsoring Organizations (COSO) was established by five of the largest
accounting, auditing, and finance oversight committees in the United States. The committee
aimed to sponsor the National Committee on Fraudulent Financial Reporting. The National
Committee was tasked with establishing a framework to help address (i) enterprise risk
management (ERM), (ii) fraud deterrence, and (iii) internal controls. This handout focuses on
internal controls. In 1992 COSO released its first Internal Control - Integrated Framework.
The COSO (1992) framework was updated on May 14, 2013, and the 1992 version was superseded.

COSO (2013) defines internal controls as:


“a process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating
to operations, reporting, and compliance”.

Figure 1: The Three Objectives of Internal Control Identified by COSO

The first objective addresses an entity’s fundamental business objectives, including
performance and profitability goals and safeguarding of resources. It also pertains to the
effectiveness and efficiency of the entity’s operations, including operational and financial
performance goals and safeguarding of assets against loss. The second objective pertains to
internal and external financial and non-financial reporting. It encompasses reliability,
timeliness, transparency and other characteristics defined by regulators, standard setters or the
entity’s policy. The third objective deals with complying with those laws and regulations to
which the entity is subject. Figure 1 indicates the three objectives of internal control.

Components of Internal Controls


The IAASB identifies five components of an effective internal control system. They are as follows:
(1) Control Environment; (2) The entity’s risk assessment process; (3) Control activities
relevant to the audit; (4) The information system, including the related business processes,
relevant to financial reporting, and communication; and (5) Monitoring of controls. Similarly,
the COSO 2013 Internal Control-Integrated Framework identifies five components of the
internal control structure:

1. The Control Environment.


The control environment (CE) is the foundation for all other components of internal control,
providing discipline and structure. The importance of internal control to the entity is reflected
in the overall attitude and actions of management through those charged with governance and
owners (e.g., shareholders) with regard to control. The core of any business is its people, that
is, their individual attributes such as: integrity*, ethical values and competence** of the
entity’s people; management’s philosophy and operating style; the way management assigns
authority and responsibility, and organises and develops its people; and the attention and
direction provided by the board of directors. Auditors consider the control environment as the
most important component of the internal control structure. The effect of weakening this
component is that auditors will assess the overall internal control structure as less reliable.

2. Risk Assessment
Every entity faces a variety of risks from external and internal sources. As economic,
industry, regulatory and operating conditions will continue to change, mechanisms are
required to identify and address the special risks associated with change. Risk is defined as
the possibility that an event will occur and adversely affect the achievement of objectives. The
entity must, therefore, be aware of and deal with its risks effectively. It must establish
mechanisms to identify, analyze and manage the related risks. Risk assessment is the
identification and analysis of relevant risks to achievement of the objectives. This forms a
basis for determining how the risks should be managed. There is no practical way to reduce
risk to zero. Management must determine how much risk is to be prudently accepted, strive to
maintain risk within these levels, and understand how much tolerance it has for exceeding its
target risk levels.

3. Control Activities
Control activities are the actions established by policies and procedures to help ensure that
management directives to mitigate risks to the achievement of objectives are carried out, i.e.
management uses control activities to manage risks. Control activities are the policies and
procedures that help to ensure that management directives are carried out effectively. They
help ensure that necessary actions are taken to address risks to achievement of the entity’s
objectives. Control activities are the responsibility of all levels of the entity, can be preventive
or detective, automated through the use of technology or manual and include identifying and
segregating incompatible functions to reduce to an acceptable level the risk of material error
or fraud.

Control activities include a number of activities such as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, information processing, and
security of assets and segregation of duties. Control policies and procedures must be
established and implemented to help ensure that the actions identified by management as
necessary to address risks to achievement of the entity’s objectives are effectively carried out.

4. Information and Communication


Important information must be identified, captured and communicated in a form and
timeframe that enable people to carry out their responsibilities effectively. Information
systems produce reports containing operational, financial and compliance-related information
that make it possible to run and control the business. They deal not only with internally
generated data, but also information about external events, activities and conditions necessary
to business decision-making and external reporting. All personnel must receive a clear message
from top management that control responsibilities must be taken seriously. Personnel must
understand their own responsibility in the internal control system, as well as how individual
activities relate to the work of others. There also needs to be effective communication with
external parties, such as customers, suppliers, regulators and shareholders.

5. Monitoring Activities
Internal control systems need to be monitored. This involves assessing the effectiveness of
controls on a timely basis and taking effective remedial actions. This is accomplished through
ongoing monitoring activities, separate evaluations or a combination of the two. All
components of the internal control framework require continuous monitoring - either as
ongoing evaluations, separate evaluations or a combination of the two. Assessments can be
conducted by the persons performing the control (self-assessments) or by independent internal
or external third parties.

Ongoing monitoring occurs in the course of operations. It includes regular management and
supervisory activities, and other actions personnel take in performing their duties. The scope
and frequency of separate evaluations depends primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures. Management’s monitoring activities may
include using information from external parties such as customer complaints that may indicate
weaknesses or highlight areas in need of improvement. Certain entities monitor controls
through the use of automated monitoring applications, which can be programmed to identify
anomalies or track patterns and trends. This information often leads to process improvements.

Summary

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

• Sets the tone at the top • Establishes standards of conduct • Evaluates adherence to standards
of conduct • Addresses deviations in a timely manner

2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.

• Establishes oversight responsibilities • Applies relevant expertise • Operates independently •
Provides oversight for the system of internal control

3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.

• Considers all structures of the entity • Establishes reporting lines • Defines, assigns, and
limits authorities and responsibilities

4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.

• Establishes policies and practices • Evaluates competence and addresses shortcomings •
Attracts, develops, and retains individuals • Plans and prepares for succession

5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

• Enforces accountability through structures, authorities, and responsibilities • Establishes
performance measures, incentives, and rewards • Evaluates performance measures, incentives,
and rewards for ongoing relevance • Considers excessive pressures • Evaluates performance
and rewards or disciplines individuals

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification
and assessment of risks relating to objectives.

Operations Objectives: • Reflects management’s choices • Considers tolerances for risk •
Includes operations and financial performance goals • Forms a basis for committing of
resources

External Financial Reporting Objectives: • Complies with applicable accounting standards •
Considers materiality • Reflects entity activities

External Non-Financial Reporting Objectives: • Complies with externally established
standards and frameworks • Considers the required level of precision • Reflects entity
activities

Internal Reporting Objectives: • Reflects management’s choices • Considers the required level
of precision • Reflects entity activities

Compliance Objectives: • Reflects external laws and regulations • Considers tolerances for
risk

7. The organization identifies risks to the achievement of its objectives across the entity
and analyzes risks as a basis for determining how the risks should be managed.

• Includes entity, subsidiary, division, operating unit, and functional levels • Analyzes internal
and external factors • Involves appropriate levels of management • Estimates significance of
risks identified • Determines how to respond to risks

8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.

• Considers various types of fraud • Assesses incentive and pressures • Assesses opportunities
• Assesses attitudes and rationalizations

9. The organization identifies and assesses changes that could significantly impact the
system of internal control.

• Assesses changes in the external environment • Assesses changes in the business model •
Assesses changes in leadership

Control Activities

10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.

• Integrates with risk assessment • Considers entity-specific factors • Determines relevant
business processes • Evaluates a mix of control activity types • Considers at what level
activities are applied • Addresses segregation of duties

11. The organization selects and develops general control activities over technology to
support the achievement of objectives.

• Determines dependency between the use of technology in business process and technology
general controls • Establishes relevant technology infrastructure control activities •
Establishes relevant security management process control activities • Establishes relevant
technology acquisition, development, and maintenance process control activities

12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.

• Establishes policies and procedures to support deployment of management’s directives •
Establishes responsibility and accountability for executing policies and procedures • Performs
in a timely manner • Takes corrective action • Performs using competent personnel •
Reassesses policies and procedures

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.

• Identifies information requirements • Captures internal and external sources of data •
Processes relevant data into information • Maintains quality throughout processing •
Considers costs and benefits

14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal
control.

• Communicates internal control information • Communicates with the board of directors •
Provides separate communication lines • Selects relevant method of communication

15. The organization communicates with external parties regarding matters affecting
the functioning of internal control.

• Communicates to external parties • Enables inbound communications • Communicates with
the board of directors • Provides separate communication lines • Selects relevant method of
communication

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present and
functioning.

• Considers a mix of ongoing and separate evaluations • Considers rate of change •
Establishes baseline understanding • Uses knowledgeable personnel • Integrates with business
processes • Adjusts scope and frequency • Objectively evaluates

17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.

• Assesses results • Communicates deficiencies • Monitors corrective action

The Inherent Limitations of Internal Control

No matter how well internal control is designed and operated, it can only provide reasonable
(not absolute) assurance regarding the achievement of an entity’s financial reporting
objectives. The likelihood of achieving corporate objectives is affected by limitations inherent
in internal control systems. This is due to the fact that human judgment in decision-making
can be faulty, and that breakdowns in internal controls can occur due to human failures. For
example, personnel may misunderstand instructions and thus make judgment mistakes.
Personnel may commit errors due to carelessness, distraction, sickness or fatigue.

An accounting department supervisor responsible for investigating exceptions might simply
forget or fail to pursue the investigation far enough to be able to make appropriate corrections.

System changes may be implemented before personnel have been trained to react
appropriately to signs of incorrect functioning (ISA 315). Additionally:

i. Controls can be circumvented by the collusion of two or more people. Individuals acting
collectively to perpetrate and conceal an action from detection often can alter financial and
other management information in a manner that cannot be identified by the control system.

ii. Management can override the internal control system.

The term “management override” is used to mean overruling prescribed policies or
procedures for illegitimate purposes with the intent of personal gain or an enhanced
presentation of an entity’s financial condition to increase reported revenue to cover an
unanticipated decrease in market share.

iii. The need to consider controls’ relative costs and benefits. Resources always have
constraints, and entities must consider the relative costs and benefits of establishing controls.
In determining whether a particular control should be established, the risk of failure and the
potential effect on the entity are considered along with the related costs of establishing a new
control.

Unfortunately, some people have greater, and unrealistic, expectations of internal control.
They believe that internal control can absolutely ensure achievement of business objectives
or, at least, ensure survival. Others believe that internal control can ensure the reliability of
financial reporting and compliance with laws and regulations. These beliefs are not warranted.
Even effective internal control can only help an entity achieve these objectives. It can provide
management information about the entity’s progress. But internal control cannot change an
inherently poor manager into a good one, or shift competitors’ actions or economic
conditions.
