
Understanding Internal Control Systems

This document discusses the concept of internal control systems, emphasizing their role in providing reasonable assurance for achieving organizational objectives, safeguarding resources, and ensuring compliance with laws. It outlines the meaning, objectives, types, and components of internal control, highlighting the importance of a strong internal control system for effective auditing. The document also differentiates between accounting and administrative controls and details the responsibilities of management and auditors in relation to internal control systems.

Uploaded by

newaybeyene5

UNIT FOUR

INTERNAL CONTROL SYSTEMS


Introduction
Internal control is a process effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of the objectives and goals of the
entity. The system consists of many specific policies and procedures designed to provide
management with reasonable assurance that the goals and objectives it believes important to the entity
will be met.

Internal control consists of all measures used by an enterprise to provide assurance that specific
objectives of the company or enterprise will be achieved, including safeguarding its resources,
encouraging and measuring compliance with policies, and preparing accurate financial statements. The
stronger the internal control system, the less testing is required by auditors in completing their
examination. If weaknesses in the control system exist, auditors usually try to compensate by
expanding the scope and intensity of their tests.

For convenience, this unit is divided into six subunits. The first three subunits discuss
the meaning, objectives and types of internal control. The fourth subunit discusses the components of
internal control in detail. The fifth subunit deals with auditors and internal control, and the last subunit
deals with internal auditing.

6.1 Meaning of Internal Control


Differences of opinion have long existed about the meaning and objectives of internal control. Many
people interpreted the term internal control as the steps taken by a business to prevent fraud, both
misappropriation of assets and fraudulent financial reporting. Others, while acknowledging the
importance of internal control for fraud prevention, believed that internal control has an equal role in
assuring control over manufacturing and other processes. In the broadest sense, an enterprise's internal
control structure consists of the policies and procedures established to provide reasonable assurance
that the organization's objectives will be achieved.

After the establishment of the Committee of Sponsoring Organizations [COSO] by major professional
organizations, the committee commissioned a study to establish a common definition of internal
control. The study was titled Internal Control-Integrated Framework, and it defines internal
control as:


A process, effected by the entity's board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
• Reliability of financial reporting.
• Effectiveness and efficiency of operations.
• Compliance with applicable laws and regulations.

The above three categories in the definition can be explained as follows:

Page 1 of 13
AUDITING CHAPTER 6: INTERNAL CONTROL Compiled By SABIR FAYISO (MSc)
• Reliability of financial reporting - Management has both a legal and a professional
responsibility to be sure that the information presented in the financial statements for
investors, creditors, and other users is fairly prepared in accordance with the reporting
requirements of Generally Accepted Accounting Principles.
• Enhancing efficiency and effectiveness of operations - An adequate control system should be
established by organizations to encourage efficient and effective utilization of resources
(financial, human and material) to optimize the company's goals and objectives. On top of
this, internal control systems should safeguard the assets and records of the organization from
theft, misuse, embezzlement, misappropriation and accidental damage.
• Compliance with applicable laws and regulations - There are many laws, regulations and
procedures that organizations are required to follow, some of which are only indirectly related
to accounting (environmental protection and civil rights laws). Others, such as income tax
regulations and fraud, are closely related to accounting.

COSO’s definition of internal control emphasizes that internal control is a process, or a means to an
end, and not an end by itself. The process is effected by individuals, not merely policy manuals,
documents, and forms. By including the concept of reasonable assurance, the definition recognizes
that internal control cannot realistically provide absolute assurance that an organization’s objectives
will be achieved. Reasonable assurance recognizes that the cost of an organization’s internal control
system should not exceed the benefit expected to be obtained.

The American Institute of Certified Public Accountants [AICPA] defined internal control as follows:

Internal control comprises the plan of an organization and all of the
coordinated methods and measures adopted within a business to
safeguard its assets, check the accuracy and reliability of its accounting
data, promote operational efficiency and encourage adherence to
prescribed managerial policies.

This definition possibly is broader than the meaning sometimes attributed to the term. It recognizes that a
system of internal control extends beyond those matters that relate directly to the function of the
accounting and finance departments. Such a system might include budgetary control, standard costs,
periodic operating reports, statistical analysis and the dissemination thereof, a training program
designed to aid personnel in meeting their responsibilities, and an internal audit staff to provide
additional assurance to management as to the adequacy of its outlined procedures and the extent to
which they are being effectively carried out. It properly comprehends activities in other fields, for
example, time and motion studies, which are of an engineering nature, and the use of quality control through a
system of inspection, which fundamentally is a production function. This is an extremely useful
definition of internal control, giving us an understanding of the number and variety of means open to
management to control the actions of its employees.

Internal control extends beyond the accounting and financial functions. Its scope is organization-wide
and touches all activities of the organization. It includes the methods by which management delegates
authority and assigns responsibility for such functions as selling, purchasing, accounting, and
production. Internal control also includes the program for preparing, verifying and distributing to
various levels of supervision those reports and analyses that enable executives to maintain control
over the variety of activities and functions that constitute a large enterprise. The use of budgetary
techniques, production standards, inspection laboratories, time and motion studies, and employee
training programs involves engineers and many other technicians far removed from accounting and
financial activities, yet all of these devices are part of the mechanism now conceived as a system of
internal control.

Activity
1. Define internal control.
2. Do you agree with the statement “Internal control is limited to the accounting and
financial functions”? Why? / Why not?

6.2 Objectives of Internal Control System


The objectives of the internal control system are determined by management, keeping in view its
specific requirements, which in turn depend on the nature of the enterprise, volume of operations, etc.
Among internal control system objectives, the following are the common ones:
1) To adhere to policies and procedures laid down by management.
2) To safeguard assets.
3) To ensure that the enterprise is conducted in an orderly and efficient manner.
4) To prevent and detect fraud and error.

To accomplish these objectives, management needs an adequate and reliable system of internal
control, for which management bears the primary and sole responsibility.
To the external auditors, the quality of the internal controls in force, more than any other factor,
determines the pattern of their examination. Thus, both auditors and management need a system of
internal control to perform their respective functions. However, the auditors' objective for internal
control is not the same as management's. The external auditors' objective in their study and evaluation
of the system of internal control is to determine the nature, extent and timing of the audit work
necessary to express an opinion as to the fairness of the financial statements.

Systems of internal control vary significantly from one organization to the next. The specific control
features in any system depend upon such factors as the size, organizational structure, nature of
operations and objectives of the organization for which it was designed.

An auditor obtains information about internal control and uses that information as a basis for audit
planning. The auditor considers internal control by first obtaining an understanding of internal control,
which is then used to initially assess control risk. When the auditor's control risk assessment is below
maximum, the auditor considers how those results affect planned detection risk and substantive
testing. The following are reasons for studying internal control:
• To be satisfied that sufficient, competent evidence is available to support the audit of the financial
statements
• To identify potential material misstatements
• To assess control risk for each objective, which affects planned detection risk and planned audit
procedures
• To allow the auditor to design effective tests of financial statement balances and analytical
procedures.

Activity
1. What are the objectives of establishing internal control systems?
2. Why do auditors need to study the internal control of an organization?

6.3 Scopes and Types of Internal Controls
The system of internal control involves the plan of organization and various other methods and
procedures. The plan of organization refers to the organizational structure and the method of assigning
authorities and responsibilities. An appropriate plan of organization is significant for effective operation
of the entire internal control system. Similarly, proper authorities and responsibilities can be allocated
in such a manner that no single person has control over all the phases of any significant transaction.
This minimizes the possibilities of errors and frauds.
The plan of organization refers to the study of authority, responsibilities and duties among members of
an organization. A well-designed organization plan is a first step to assure that transactions are
executed in conformity with company policies, to enhance the efficiency of operations, to safeguard
assets, and to promote the reliability and timely preparation of accounting data. These objectives may
be achieved in large part through adequate separation of responsibility for initiation or approval of
transactions, custody of assets and record keeping. When accounting and custodial departments are
relatively independent, the work of each department serves to verify the accuracy of the work of the
other. Periodic comparison should be made between accounting records and physical assets on hand.
Investigation as to the cause of any discrepancy will uncover weakness either in the procedures for
safeguarding assets or in the procedures to maintain the related accounting records. If the accounting
records were not independent of the custodial department, the records could be manipulated to conceal
waste, loss or theft of the related assets.

An internal control system has a wide coverage that extends beyond those matters which relate
directly to the functions of the accounting system. From this angle, internal control can be divided into
two broad categories: accounting controls and administrative controls.

Auditors are primarily interested in internal controls of an accounting nature, those controls bearing
directly upon the dependability of accounting records and the financial statements. For example,
preparation of the monthly bank reconciliation by an employee not authorized to issue checks or handle
cash is an internal accounting control that increases the probability that cash transactions are presented
fairly in the accounting records and financial statements. Some internal controls have no bearing on
the financial statements and consequently are not of direct interest to the independent public accountant.
Controls of this nature are often referred to as administrative controls. Management is interested in
maintaining strong internal control over factory operations and sales activities as well as over
accounting and financial functions. Accordingly, management will establish administrative controls
to provide operational efficiency and adherence to prescribed policies in all departments of the
enterprise.

The Statement of Auditing Standards states that administrative control includes, but is not limited to, the plan
of organization and the procedures and records that are concerned with the decision processes leading
to management's authorization of transactions. Such authorization is a management function directly
associated with the responsibility for achieving the objectives of the organization and is the starting
point for establishing accounting control of transactions.
Accounting control comprises the plan of organization and the procedures and records that are concerned
with the safeguarding of assets and the reliability of financial records, and consequently are designed
to provide reasonable assurance that:
• Transactions are executed in accordance with management's general or specific authorization.
• Transactions are recorded as necessary to permit preparation of financial statements in
conformity with generally accepted accounting principles or any other criteria applicable to
such statements and to maintain accountability for assets.
• Access to assets is permitted only in accordance with management's authorization.
• The recorded accountability for assets is compared with the existing assets at reasonable
intervals and appropriate action is taken with respect to any differences.

Both accounting and administrative controls are derived from the organization’s policies established
by management; they are the means by which company policies are satisfactorily accomplished.
Therefore, auditors should be aware of these policies and review them in terms of their impact on
internal control.
The accounting system must be able to measure the performance and efficiency of the individual
organizational units. An accounting system with this capability should include:
1. Adequate documentation
2. Chart of accounts
3. Manual of accounting policies and procedures
4. Financial forecasts
In general, accounting controls related to the accounting system are:
a) Execution of transactions in accordance with management's authorization
b) Prompt recording of transactions in a proper manner
c) Maintenance of accountability to safeguard assets
Accounting controls should further include:
• Proper segregation of duties relating to the accounting function
• Rotation of duties
• Periodic reconciliation
• Checking the arithmetical accuracy of the records
• Maintenance of control accounts and preparation of periodic trial balances
• Approval and control of documents
• Comparison with external sources of information
• Comparison of the results of physical inspection of fixed assets, cash
investments and inventories
• Comparison of actual figures with budgets

Accounting controls, policies and procedures generally fall into:
➢ Segregation of duties
➢ Authorization of transactions
➢ Maintenance of adequate records and documents
➢ Accountability and safeguarding of assets
➢ Independent checks on performance

Activity
1. What are the two types of control?
2. List and explain at least 3 examples of accounting control.

6.4 Components of Internal Control


Internal control varies significantly from one organization to another, depending on such factors
as size, nature of operations, and objectives. Internal controls of large-scale organizations,
however, have certain common characteristics termed components of internal control. The
five components of internal control are:

1. The control environment
2. Control activities
3. Risk assessment
4. Information (accounting) and communication
5. Monitoring

We will discuss each of them as follows:

1. The Control Environment - The control environment consists of actions, policies and
procedures that reflect the overall attitudes of top management, directors, and owners of the
entity about control and its importance to the entity. The auditors need to consider the following
to assess and understand the control environment.

➢ Integrity and ethical values - These are the product of the entity's ethical (code of conduct) and
behavioral values and how they are communicated and reinforced in practice.
Effectiveness of internal control depends directly on the integrity and ethical values of
the personnel who are responsible for creating, administering and monitoring controls. It
includes management action to remove or reduce incentives and temptations that might
prompt personnel to engage in dishonest, illegal or unethical acts.

➢ Commitment to competence - Competence is the knowledge and skill necessary to
accomplish the tasks that define the individual's job. Employees should possess the skill and
knowledge essential to perform their job, since they may be ineffective if they lack the
necessary skill and knowledge. Thus, management should be committed to hiring
employees with an appropriate level of education and experience, and to providing them with
adequate supervision and training.

➢ Board of directors or audit committee participation - The control environment of an
organization is significantly influenced by the effectiveness of its board of directors or
the audit committee. Factors that bear on the effectiveness of the board or the audit
committee consist of the degree of its independence from management, the
experience and stature of its members, the extent to which it raises difficult questions
with management, and its interaction with external and internal auditors.

➢ Management philosophy and operating style - Managements differ in both their
philosophy towards financial reporting and their attitudes towards taking business risks.
Some managements aggressively emphasize meeting or exceeding earnings projections in
their financial reporting, and they are willing to undertake activities of high risk in
expectation of high return. Others are extremely conservative and risk averse. Management's
philosophy and operating style is also reflected in the way the organization is managed.
That is, control may be exercised informally (through face-to-face contact between employees
and management) or formally, where the organization establishes written policies, performance
reports, and exception reports to control its various activities.

➢ Organization structure - The entity's organizational structure defines the lines of
responsibility and authority that exist. By understanding the client's organizational
structure, the auditor can learn the management and functional elements of the business
and perceive how controls are carried out.

➢ Assignment of authority and responsibility - Personnel in an organization need to have a
clear understanding of their responsibilities and the underlying rules and regulations that
govern their actions. Therefore, management should develop employee job descriptions
and clearly define authority and responsibility within the organization so that the control
environment can be enhanced.

➢ Human resource policies and practices - The most important aspect of internal control is
personnel. If employees are competent and trustworthy, other controls can be absent and
reliable financial reports will still result from the system, as honest and efficient people
are able to perform at a high level even when there are few other controls to support
them. Because of the importance of competent and trustworthy personnel in providing
effective control, the policies and practices by which persons are hired, trained, oriented,
and evaluated play a significant role.

Activity
1. What are the factors that need to be considered by an auditor to assess and understand the control
environment?
2. Do you agree with the statement “The most important aspect of internal control is
personnel”? Why? / Why not?

2. Control Activities - These are the policies and procedures, in addition to those included in the other
four components, that help ensure that the necessary actions are considered to address risks in the
achievement of the entity's objectives. Although there are several such control activities in an
entity, they fall into the following five categories:

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent check on performance

Adequate separation of duties - The following four general guidelines for separation of duties to
prevent both frauds and errors are of significant importance to auditors:

➢ Separation of the custody of assets from accounting - The reason for not permitting the
person who has temporary or permanent custody of an asset to account for that asset is to
protect the firm against defalcation. When one person performs both functions, there is
an excessive risk of that person disposing of the asset for personal gain and adjusting
the records to relieve himself or herself of the responsibility.

➢ Separation of authorization of transactions from the custody of related assets - It is
desirable to prevent persons who authorize transactions from having control over the
related assets. For instance, the same person should not authorize the payment of a
vendor's invoice and sign checks in payment of the bill, as this situation increases the
possibility of defalcations in the organization.

➢ Separation of operational responsibility from record keeping responsibility - If each
department or division in an organization were responsible for preparing its own reported
performance, the information could be biased. In order to ensure unbiased information, record keeping is typically
included in a separate department under the controller.

➢ Segregation of duties within electronic data processing - It is desirable to separate the
major functions within electronic data processing to the extent possible. The duties of
system analysts, programmers, computer operations and data librarians should be
separated.

Proper authorization of transactions and activities - Every transaction should be appropriately
authorized if controls are to be satisfactory. If any person in an organization could acquire and
expend assets at will, complete chaos would result. Authorization can be either general or
specific and is different from approval. Authorization is a policy decision for either a general
class of transactions or specific transactions. Approval is the implementation of management's
general authorization decisions. For instance, assume that management sets a policy authorizing
the ordering of raw materials when there is less than one month's supply on hand (i.e. general
authorization). When the responsible department orders raw materials, the clerk responsible for
maintaining the perpetual record approves the order to indicate that the authorization policy has
been met.

Adequate documents and records - Documents and records are the physical objects upon which
transactions are entered and summarized. Documents perform the function of transmitting
information throughout the client's organization and between different organizations. The
documents must be adequate to provide reasonable assurance that all assets are properly controlled and
all transactions correctly recorded.

Physical control over assets and records - These are the controls that provide physical security over
both records and other assets. Activities that safeguard assets include maintaining control at all
times over unissued pre-numbered documents, as well as other journals and ledgers, and
restricting access to computer programs and data files. Only authorized persons should have
access to the company's valuable assets. Direct physical access to assets may be controlled through
the use of safes, locks, fences, and guards. Improper indirect access to assets, generally
accomplished by falsifying financial records, must also be prevented. Periodic comparisons
should be made between accounting records and the physical assets on hand to detect the waste,
loss or theft of the related assets.

Independent check on performance - This is the continuous and careful review of the other four
control activities (i.e. an internal verification). The need for independent checks arises because
personnel are likely to forget or intentionally fail to follow procedures, or become careless, unless
someone observes and evaluates their performance. An essential characteristic of the persons
performing internal verification procedures is independence from the individuals originally
responsible for preparing the data.

Activity
1. What are the five categories of control activity?
2. Small businesses usually use one employee to do everything, including sales, record keeping and
cash collection. On the other hand, the principle of internal control recommends separation of duties by
hiring several employees, which will force the small business to incur a large amount of money for
salaries. What do you advise small businesses to do?

3. Risk assessment - Management should carefully identify and analyze the factors that affect
the risk that the organization's objectives will not be attained, and then attempt to manage those
risks. The scope of management's risk assessment is comprehensive in that it involves
consideration of all the factors that affect the organization's objectives. Auditors are concerned
only with those risks associated with the objective of reliable financial reporting, that is, threats to
preparing financial statements in accordance with generally accepted accounting principles. The
following factors might be indicative of increased financial reporting risk for an organization:

➢ Changes in the organization's regulatory or operating environment and personnel

➢ Implementation of new or modified information systems and corporate restructurings

➢ Changes in technology affecting production processes and information systems

➢ Introduction of new lines of business, products or processes

➢ Rapid growth of the organization and expansion or acquisition of foreign operations

➢ Adoption of new accounting principles or changes in accounting principles

4. Information and communication - The purpose of an entity's accounting information and
communication system is to identify, assemble, classify, analyze, record and report the entity's
transactions and to maintain accountability for the related assets. An accounting information and
communication system has several subcomponents, typically made up of classes of transactions such as
sales, sales returns, collections, acquisitions and so forth. For each class of transaction the
system must satisfy all of the six transaction-related audit objectives. For instance, the sales
accounting system should be designed to assure that all shipments of goods by a company are
recorded as sales (completeness and accuracy objectives) and reflected in the financial
statements in the proper period (timing audit objective).

5. Monitoring - Monitoring activities deal with the ongoing or periodic assessment of the quality of
internal control performance by management to determine whether controls are operating as intended
and whether any modifications are necessary. Ongoing monitoring activities include regularly
performed supervisory and management activities such as continuous monitoring of customer
complaints, or reviewing the reasonableness of management reports. Information for assessment
and modification comes from a variety of sources, including studies of existing internal controls,
internal auditor reports, exception reports on control activities, reports by regulatory agencies,
feedback from operating personnel and complaints from customers.

Activity
1. What is meant by risk assessment, information and communication, and monitoring as
components of internal control?

6.5 Documentation of the Understanding of the Internal Control
Three commonly used methods of documenting the understanding of internal control are narratives,
flowcharts, and internal control questionnaires.
1. Narrative: a narrative is a written description of the client's internal control system. A proper narrative of an
accounting system and related controls includes four characteristics:
• The description should state where customer orders come from and how sales invoices are
generated
• All processes that take place
• The disposition of every document and record in the system
• An indication relevant to the assessment of control risk.
2. Flowchart: an internal control flowchart is a symbolic, diagrammatic representation of the
client's documents and their sequential flow in the organization. An adequate flowchart includes the
four characteristics identified for narratives. A flowchart is advantageous primarily because it provides a
concise overview of the client's system, which is useful to the auditor as an analytical tool in evaluation. A
well-prepared flowchart aids in identifying inadequacies by facilitating a clear understanding of how the
system operates. For most uses, it is superior to narratives as a method of communicating the
characteristics of a system, especially to show adequate separation of duties.
3. Internal Control Questionnaire: an internal control questionnaire asks a series of questions about the
controls in each audit area as a means of indicating to the auditor aspects of internal control that may be
inadequate. In most cases, it is designed to require a yes or no response, with a "no" response indicating
potential internal control deficiencies. The primary advantage of using a questionnaire is the ability to
thoroughly cover each audit area reasonably quickly at the beginning of the audit. The primary
disadvantage is that individual parts of the client's system are examined without providing an overall
view.

Activity
1. List and explain the three methods of documenting the understanding of the internal control of a
given business organization?

2. Which method is the best?


6.6 Internal Control and Auditors
Internal audit, as we will study in some detail later, is a management control mechanism established internally and arising out of the need for verification, evaluation and compliance of internal operations. It is designed for management's internal purposes. As such, internal audit is part of the internal control system in the organization, while at the same time the internal audit (or auditor) is responsible for the surveillance of the effectiveness of the internal control system, including its weaknesses and strengths.

As mentioned earlier, the external auditor's interest in internal control is to help him determine the extent of reliability of the organization's results and the effectiveness of control of its operations. To this end, he reviews the internal control (a) to understand the existing control systems and procedures, and (b) to evaluate their adequacy in fulfilling internal control objectives, by identifying strengths and weaknesses. It is worth noting here that the study and review of internal control is part of the independent auditor's standard of fieldwork. He accomplishes this objective through:
(a) Internal control questionnaire
(b) Interview
(c) Testing (compliance test)
(d) Study of organization charts, manuals and procedures.
Through compliance testing, he tries to identify weaknesses. If the compliance test proves to be reliable, it decreases the need for substantive tests, and vice versa. The compliance test determines whether internal control systems and procedures are actually present and effective, and thus establishes the congruence in the procedures of the system. A distinction must be made between the preliminary review and the extensive review, the latter being the one that goes on during the examination process.

Activity
1. Explain why internal and external auditors need to understand the internal control system of an organization.

6.7 Internal Auditing


Internal auditing is a service function established within an organization to examine and evaluate its
activities. Internal audits may focus on financial reporting (financial audits); compliance with
policies, procedures, laws, or regulations (Compliance audits); fraud detection (fraud audits); or
operational efficiency and effectiveness (operational audits). The following diagram shows the different components clearly.

[Diagram: Internal Auditing, branching into Financial Auditing, Compliance Auditing, Fraud Auditing and Operational Auditing]

Most internal audit staffs engage in all of these endeavors. To guide the practice of internal auditing, the Institute of Internal Auditors has established general and specific standards. Although not enforceable in the same sense as the AICPA auditing and attestation standards, they do provide helpful guidance for the internal auditor concerning such matters as maintaining necessary independence, required proficiency, audit scope, performing the audit, and administering the internal audit function. Since the other types of auditing are discussed before, we will briefly discuss operational auditing as follows.

Operational Audit, as a subset of internal auditing, reviews an entity's activities for efficiency and
effectiveness and may evaluate any type of activity at any level within the organization. Unlike
financial auditing, operational auditing focuses on activities rather than financial statement assertions.
The audited activities may be related to a function (e.g., why is ABC plant producing a high
percentage of defective parts?). The overall objective, common to all operational audits, is
maximizing organizational welfare.

Management auditing is a subset of operational auditing that attempts to measure the effectiveness
with which an organizational unit is administered, and that concentrates more on effectiveness than on
efficiency. Efficiency may be viewed as an input measure that relates to cost control and is concerned
with the performance of recurring functions at a minimum of cost to the entity. Effectiveness is
output oriented; it is viewed as a measure of productivity in utilizing the firm's resources and in terms
of long-run profitability.

The internal auditing function includes verification, evaluation and compliance of operations. Among others, the following can be specified:
• Review and appraise internal control procedures
• Ascertain effectiveness and efficiency of operations
• Verify compliance with policies and procedures
• Ascertain reliability of data and documents
• Evaluate quality of performance
• Recommend improvements for better management controls.

The internal auditor can perform his work through a functional approach, an operational approach, or a financial approach.

Responsibility and Authority

Internal auditing is a staff function; therefore, the auditor ideally is not in a position of line function. His position and place in the organization are determined by the scope of the function he performs and the extent of responsibility entrusted to him by management. It is desirable that he be placed as high as possible in the organization structure if he is truly to be of "service to management" without intimidation, and be in a position of surveillance over all the organization's activities.

The independence of the internal auditor again depends on his place in the organization, the extent of responsibility and authority required for performing his function, the desire to enhance his competence and independence, and to whom he reports. Here, it must be appreciated that the desired independence in the internal auditing function may not necessarily be attainable or be as high as in the external auditing function. The matter of qualification for the internal auditor is also dependent on the above factors. Of course, these factors are much more clearly demarcated in a large organization than in a small one.

Internal Audit Report


The end product of any audit work is the writing of an audit report. Unlike the external auditor's report, however, the internal audit report does not have standardized short-form contents; consequently, the internal auditor's report requires a lot of imagination and creativity, together with communicative ability, in its writing. The audit report should basically contain the following:
• Detail of purpose and scope of audit
• Description of tools and procedures of audit
• Findings, suggestions and opinions
• Recommendations.
It is important that verbosity and negative criticism be avoided, while cooperation and constructive suggestion should be emphasized.

Internal Auditing and External Auditing


There are similarities as well as differences between internal auditing and external
auditing. The main similarities between internal and external audit are as follows:

1. Both the external and internal auditor carry out testing routines and this may involve
examining and analyzing many transactions.
2. Both the internal auditor and the external auditor will be worried if procedures were very
poor and/or there was a basic ignorance of the importance of adhering to them.
3. Both tend to be deeply involved in information systems since this is a major element of
managerial control as well as being fundamental to the financial reporting process.
4. Both are based in a professional discipline and operate to professional standards.
5. Both seek active co-operation between the two functions.
6. Both are intimately tied up with the organization’s systems of internal control.
7. Both are concerned with the occurrence and effect of errors and misstatement that affect
the final accounts.
8. Both produce formal audit reports on their activities.

There are, however, many key differences between internal and external audit and these are
matters of basic principle that should be fully recognized:

1. The external auditor is an external contractor and not an employee of the organization as
is the internal auditor. However, recently, there is an increasing number of contracted-
out internal audit functions where the internal audit service is provided by an external
body.

2. The external auditor seeks to provide an opinion on whether the accounts show a true and
fair view, whereas internal audit forms an opinion on the adequacy and effectiveness of
systems of risk management and internal control, many of which fall outside the main
accounting systems.

Some argue that if there is external auditing there is no need for internal auditing, or vice versa. However, an in-depth understanding of the objectives and purposes of internal and external auditing shows that they should be complementary rather than competitive. If the internal auditing function is strong and wide, and performed by qualified persons, then the results of the operation of the organization can be reliable, which in turn assists in decreasing the scope of audit work by the external auditor, and thus reduces the cost of the external audit fee. But the purposes of the audits of the external and internal auditor are quite distinct, and one cannot be a substitute for the other's responsibility.

Activity
1. What is internal auditing?
2. Since external auditors audit the financial statements of an organization, there is no need to have an internal auditor. Do you agree? Why or why not?

Summary
• Internal controls are all the systems established within a given organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies.
• The objective of understanding the internal control system of an organization is to determine the quantity and quality of evidence gathered, to identify potential material misstatement and to assess control risk.
• Internal control can be divided into two categories: accounting and administrative control.
• The five components of internal control are the control environment, control activities, risk assessment, information and communication, and monitoring.
• The result of understanding an internal control can be documented for future use using narratives, flowcharts and internal control questionnaires.
• Internal auditing is an auditing activity established within an organization to examine and evaluate whether the activities of an organization are performed according to established guidelines and standards.

AUDITING CHAPTER 6: INTERNAL CONTROL Compiled By SABIR FAYISO (MSc)
