AC 271: COMPUTER APPLICATION IN ACCOUNTING
Topic 7A
Internal Controls
Prepared by: CPA Mulogo [CPA (T), MFA-OG, [Link] (hons)
09/06/2024 11:41
Internal Controls (IC)
▪ The users of accounting information rely on the accuracy of the
system's reports and displays.
▪ Organisations adopt internal control policies and procedures to
maintain accurate information and reliable operations.
▪ Internal control is a process, effected by an entity's board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories:
✓ Effectiveness and efficiency of operations.
✓ Reliability of financial reporting.
✓ Compliance with applicable laws and regulations.
Features of Internal Control
i. Process - a combination of many ongoing processes that occur as
part of the organisation's activities.
ii. People - people make internal controls work: management, the board of
directors and accountants. Accountants help to create internal control
by participating in system design.
iii. Objectives
➢ Safeguarding assets
➢ Ensuring accurate and reliable accounting data
➢ Promoting operational efficiency
➢ Encouraging managers to follow management policies
The above objectives are important to accountants and managers and
hence we need accounting controls and administrative controls.
iv. Reasonable assurance - internal control cannot guarantee that management's
objectives will be attained; it can only provide reasonable assurance of
attaining them.
Limitations and Threats
Limitations of Internal Control
▪ Errors - poor judgement due to poor training, lack of experience, lack of
knowledge, etc.
▪ Collusion - difficult to prevent; to minimise it, hire honest people.
▪ Management Override - controls should reflect authority levels.
Threats to accounting data.
▪ Errors - An error is an accidental misstatement of accounting information. Errors
arise from poor judgement due to lack of knowledge or lack of attention.
▪ Irregularities - An irregularity is an intentional misstatement. Types include
management fraud (management intentionally misstates financial information) and
defalcation (theft of assets from the company for personal use).
Control Frameworks
▪ There are many control frameworks, but the three below are
the most important, and widely used:
❑ COBIT Framework – developed by ISACA, based on IS security
and control practices.
❑ COSO's Internal Control Framework – widely accepted as
the authority on IC.
❑ COSO's Enterprise Risk Management Framework – more
comprehensive and the latest.
The COSO Control Framework
▪ In order to address divergent meanings attached to internal control by
different stakeholders, COSO (a thought leader in executive management
and governance) came up with an official definition to cater for the needs
of groups of people and a framework to explain the components of internal
control.
It is a CRIME not to have good internal controls, therefore to have good internal controls we would see:
C - Control Activities
R - Risk Assessment
I - Information & Communication
M - Monitoring of Controls
E - Environment
1. Control Environment
▪ Sets the tone for the organisation.
▪ Management should have the right attitude.
▪ It is the base for all other components and creates the conditions (discipline
and structure) for efficient controls.
▪ The control environment is defined in ISA 315 as being made up of:
➢ Communication and Enforcement of Ethical Values: because management
creates, administers, and monitors the system of internal control, its
effectiveness is limited by management attitudes toward integrity and
ethical
➢ Commitment to Competence
➢ Participation by those charged with Governance, i.e. BOD and Audit
Committee.
➢ Management's Philosophy and Operating Style.
➢ Management needs to have awareness and action in place.
➢ Organisational Structure.
➢ Assignment of Authority & Responsibility.
➢ Human Resources Policies and Practices - staff training,
recruitment procedures, compensation, etc.
2. Risk Assessment Process
▪ Management's process of identifying, analysing and managing the
risks that might prevent the organization from achieving its
objectives.
▪ If the entity has robust procedures for assessing the business risks it
faces, the risk of misstatement or fraud will be low.
▪ Risks (external and internal) include:
• Competition
• Economic or technological change
• Government regulation
• Natural catastrophes
o Risks from internal factors:
• disruption of the information system,
• errors due to untrained or unmotivated employees or
• due to changes in management responsibilities, and
• the result of an ineffective board of directors or audit committee.
▪ Management has to identify, estimate significance, assess
likelihood, and identify actions that should be taken to
reduce significance and likelihood of risk to effect
achievement of organizational objectives.
3. Control Activities
▪ These are policies and procedures that management adopts to
provide reasonable assurance that management directives are carried
out.
▪ Also, they are policies and procedures that management of a
company develops to help protect all of the different assets of the
firm, based on a careful risk assessment.
• Combination of manual and automated controls.
• It includes approvals, authorizations, verifications,
reconciliations, review of operating performance, and
segregation of duties, etc.
▪ They help ensure that actions are taken to address risks to the
achievement of the organization's objectives. The mnemonic ACCA MAPS
lists them:
• Approval - a senior employee, such as a manager, signs off an action
(same as authorisation), e.g. if an employee wants to do overtime, a
manager should authorise this in advance.
• Computer Controls - having passwords, backups, virus checks
• Comparison - looking at budget versus actual and reviewing for
variances, any variances should then be investigated.
• Arithmetic Controls - recalculating an employee’s work, sequence
checking. (A check procedure.)
• Maintain and review control accounts - like wages, PAYE, bank.
• Account Reconciliations.
• Physical Controls - restricted access, either through locking doors,
or code entry, CCTV, safes.
• Segregation of Duties - division of responsibilities to reduce the
risk of fraud. E.g. one person dealing with ordering, processing
purchase invoices and bank payments is a lack of segregation of
duties; different people should process different stages of a
system, splitting the responsibility on a transaction stream.
▪ Control activities can either be preventive or detective
Segregation of Duties
▪ The purpose is to structure work assignments so that
one employee's work serves as a check on another
employee (or employees).
▪ The work of authorizing transactions, recording
transactions, and maintaining custody of assets
should be given to different employees.
• Authorizing – the decision to approve transactions (e.g. a sales
manager authorizing a credit sale to a customer).
• Recording – includes functions such as preparing source
documents, maintaining journals and ledgers, preparing
reconciliations, and preparing performance reports.
• Custody of assets – can be handling cash, maintaining an inventory
storeroom, receiving customer checks through the mail, or writing
checks on a company bank account.
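Added example, not part of the original slides: a Python sketch of how the three duties above can be checked automatically, as a detective control over an activity log and as a preventive control over role grants. The action names, user names and log records are constructed for illustration and do not come from any particular accounting package.

```python
from collections import defaultdict

# Hypothetical action names, each mapped to one of the three duties named above.
DUTY_OF = {
    "approve_credit_sale": "authorizing",
    "approve_purchase_order": "authorizing",
    "post_journal": "recording",
    "enter_invoice": "recording",
    "prepare_reconciliation": "recording",
    "release_payment": "custody",
    "receive_cash": "custody",
}

# Constructed sample log: (transaction id, user, action).
SAMPLE_LOG = [
    ("PO-1001", "asha", "approve_purchase_order"),
    ("PO-1001", "juma", "enter_invoice"),
    ("PO-1001", "neema", "release_payment"),
    ("PO-1002", "juma", "approve_purchase_order"),
    ("PO-1002", "juma", "enter_invoice"),
    ("PO-1002", "juma", "release_payment"),
    ("SO-2001", "asha", "approve_credit_sale"),
    ("SO-2001", "neema", "post_journal"),
    ("SO-2001", "neema", "receive_cash"),
]

def sod_violations(log):
    """Detective check: {(txn, user): duties} where one user held 2+ duties on a transaction."""
    duties = defaultdict(set)
    for txn, user, action in log:
        duty = DUTY_OF.get(action)
        if duty is None:
            # An unclassified action would silently escape the audit, so fail loudly.
            raise ValueError(f"unmapped action {action!r}: classify it before auditing")
        duties[(txn, user)].add(duty)
    return {key: sorted(d) for key, d in duties.items() if len(d) > 1}

def role_conflicts(role_grants):
    """Preventive check: users whose granted actions span more than one duty."""
    out = {}
    for user, actions in role_grants.items():
        held = {DUTY_OF[a] for a in actions}
        if len(held) > 1:
            out[user] = sorted(held)
    return out

if __name__ == "__main__":
    for (txn, user), d in sorted(sod_violations(SAMPLE_LOG).items()):
        print(f"{txn}: {user} performed {', '.join(d)}")
```

On the sample log, PO-1002 is flagged because one user authorized, recorded and paid the same purchase, which is the single-person case described in the slides.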
Cost & Benefit analysis of Controls
▪ Management should implement a control activity or
procedure that has more benefits than costs.
▪ Benefits may include
• Increased sales & productivity
• Reduced losses
• Better integration with customers and suppliers
• Increased loyalty
• Lower insurance premiums
▪ Costs may include
• Personnel costs
• Time to perform a control
• Cost of hiring additional employees for segregation of
duties.
• Costs of implementing the controls
✓ Programming, software, hardware, etc.
▪ One way of estimating the value of internal control involves:
▪ Expected loss = Impact x Likelihood
▪ For example, at Atlantic Richfield, data errors occasionally required an
entire payroll to be reprocessed at a cost of $10,000. Management
determined that a data validation step would reduce the likelihood of
this event from 15% to 1%, at a cost of $600 per pay period.
                                      Without Validation   With Validation   Net Expected
                                      Procedure            Procedure         Difference
Cost to reprocess entire payroll      $10,000              $10,000
Risk of payroll data errors           15%                  1%
Expected reprocessing cost            $1,500               $100              $1,400
  (= Impact x Likelihood)
Cost of validation procedure          $0                   $600              ($600)
Net expected benefits of                                                     $800
  validation procedure
Example 02
• WEB sells fashionable ladies' clothes, jewelry and other
accessories.
• The company is faced with theft by customers (a shoplifting
problem).
• If no controls are implemented, the accountant estimated the total
loss to be $120,000.
• The company is considering two controls.
Alternative 01
▪ Hire six plain-clothed security guards to patrol the boutique. Based
on the annual salaries that would have to be paid to the security
guards, this control would cost WEB an estimated $240,000 a
year, with $0 theft from the shoplifting problem.
Alternative 02
▪ Hire two plain-clothed security guards who would patrol the walkways, and
install several cameras and mirrors throughout the company's premises to
permit managers to observe any shoplifters. The estimated annual cost of this
control would be $80,000, with the loss from the shoplifting problem reduced
to $25,000.
▪ Which alternative control should be implemented?
4. Information & Communication
▪ The information system is the set of formal procedures by which data
are collected, processed into information, and distributed to users.
▪ The system accepts input, called transactions, which are converted
through various processes into output information that goes to users.
▪ A good communication system is crucial for efficient financial control
systems, transaction cycles, application controls and general controls.
• Debit and credit analysis
• Chart of accounts and trial balance
• Standard journal vouchers
• Control accounts e.g. accounts receivables, inventory, etc.
▪ Managers must inform their employees about their roles and
responsibilities pertaining to internal control.
• Giving employees documents such as policies and procedures
manuals
• Training sessions
• Establishment of “whistle-blowing systems”
5. Monitoring of Controls
▪ A component that assesses the quality of internal control
performance over time, to determine whether a control is ineffective or
simply does not function (permanent supervision and special evaluation).
• Ongoing Monitoring Activities e.g. clerical checks, reconciliations,
comparing assets on hand with the accounting records, control
procedures carried out by computer programs, management
review of summaries of changes in account balances, and review
of users of computer reports.
• Separate Evaluations e.g. evaluating a section of controls
• Independent Auditors
• Internal Auditors
Certified Information Systems Auditor (CISA)
▪ Certified Information Systems Auditor (CISA) is a globally recognized
certification in the field of audit, control and security of information
systems. Having uniform certification criteria, CISA has gained worldwide
acceptance; the certification has a high degree of visibility
and recognition in the fields of IT security, IT audit, IT risk
management and governance.
▪ Vacancies in the areas of IT security management, IT audit or IT risk
management often ask for a CISA certification. The certification is
extremely challenging and is associated with a high failure rate. CISA
is awarded by the Information Systems Audit and Control
Association (ISACA).
Term of the Day:
Accounting Manuals…
▪ A manual that contains pertinent accounting rules and other
information for a business or organization. Accounting manuals can
contain guidelines for various policies and procedures. They also
often specify organizational rules and standards for corporate
accounts.
▪ The classification of the various types of accounts used by a company
or organization is frequently referred to as a chart of accounts. This
chart is also usually included in an accounting manual. These manuals
will differ from one organization to another depending on the type
and size of the organization.