
Chapter 5

Internal Control
1. The importance of Internal Control
1.1 The auditor’s assessment of internal controls:
 Assessment of risk at both financial statement level and assertion level.
 The responses at the assertion level involve the auditor selecting appropriate audit
procedures as per assessment.
 Inherent risk
 Control risk
1.2 The meaning of Internal Control
 Defined as the process designed, put in place and maintained to provide assurance of a
reasonable level regarding the achievement of the objectives of an entity.
 Reliability of the financial reports
 Efficiency and effectiveness of operations
 Adherence to relevant and applicable laws and regulations.
 Internal controls are a part of the internal control system.
1.3 How the auditor uses internal controls
 With ‘system based approach’ the auditor relies on the accounting systems and the related controls
to ensure that the transactions are properly recorded.
 If the systems and internal controls are adequate, the transactions should be processed correctly.
 The audit emphasis is on the systems processing the transactions rather than the transactions themselves.
 Understanding of what these systems and controls are;
 And how to carry out an evaluation of the effectiveness of the controls.
 The degree of effectiveness of an internal control system will depend on the following two factors:
 Design of the internal control system
 Is the control system able to prevent material misstatement?
 Is it able to detect and correct material misstatement if they occur?

 The outcome will help auditor to assess control risk.



Summary of the audit approach: tests of controls or substantive tests?
 Test the underlying internal control systems themselves, using tests of controls
 Perform some tests on the transactions and balances in the financial statements.
 Tests on transactions and balances are referred to as substantive procedures
 Where the system of control is weak, the auditor will have to carry out extensive substantive
procedures; this approach is called the transaction-based approach.
 When the internal controls are strong, he will carry out tests on the controls and needs a smaller
amount of substantive procedures; this approach is called the system-based approach.
2. The elements of Internal Control
2.1 The five elements of internal control system
 The control environment
 The entity’s risk assessment process
 The information system
 Control activities (Internal Controls)
 Monitoring of Controls
 ISA 315 requires the auditor to:
 Gain an understanding of each of these elements as part of his evaluation of the control systems
 Document the relevant features of the control systems together with his evaluation of their
effectiveness
 The auditor should confirm that his understanding is correct by performing ‘walk-
through’ tests on each major transaction type.
 Walk-through testing involves the auditor selecting a small sample of transactions and applying the
procedure to them in order to test whether his understanding of the process is correct.
2.2 The control environment
 The ‘control environment’ is often regarded as the general ‘attitude’ to internal control of management
and employees in the organization.
 The control environment includes the following elements:
 Communication and enforcement of integrity and ethical values
 Commitment to competence
 Participation of management
 Management’s philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Human resource policies and practices
 A strong control environment is one where management shows a high level of commitment to establishing
and operating appropriate controls.
 Without a strong control environment, the control system as a whole is likely to be weak.

 Evaluating the Internal Environment:


 Management participation in the control process, including participation by the board of
directors;
 Management’s commitment to a control culture;
 The existence of an appropriate organization structure with clear divisions of authority and
responsibility;
 An organization culture that expects ethically acceptable behavior from its managers and
employees; and
 Appropriate human resources policies, covering recruitment, training, development and
motivation, which reflect a commitment to quality and competence in the organization.
2.3 The entity’s risk assessment process
 Significant business risks are any events or omissions that may prevent the entity from achieving its
objectives.
 Identifying risks: recognizing the existence of risks.
 Assessing risks: deciding whether the risks are significant.
 Managing risks: developing and implementing controls and other measures to deal with those risks.

 Risk can arise or change due to circumstances such as:


 Changes in the entity’s operating environment.
 New personnel
 New or revamped information systems
 Rapid growth
 New technology
 New business models, products or activities
 Corporate restructurings
 Expanded foreign operations
 New accounting pronouncements
2.4 The information system
 An information system consists of:
 Infrastructure, software, people, procedures and data.
 ISA 315 requires an auditor to gain an understanding of the business information systems
 This aspect of the auditor’s work will involve identifying and understanding the
following:
 The entity’s principal business transactions;
 How these transactions and other events relevant to the financial reporting process are ‘captured’
by the entity;
 The processing methods, both manual and computerized, applied to those transactions;
 The accounting records used, both manual and computerized, to support the figures appearing in
the financial statements;
 The processes used in the preparation of the financial statements.
2.5 Control Activities
 Policies and procedures, other than the control environment, used to ensure that the entity’s objectives are achieved.
 To prevent errors that may arise in processing information, or
 To detect and correct errors that may arise in processing information.
 Preventive controls: designed to stop errors or anomalies from occurring.
 Adequate segregation of duties
 Proper authorization of transactions
 Adequate documentation and control of assets
 Detective controls: designed to find errors or irregularities after they have occurred.
 Exception reports: computerized reports to identify unexpected results or unusual conditions that require follow-up.
 Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences,
and takes corrective action when necessary.
 Periodic audits: Both internal audit and independent external audit are done to detect errors, irregularities and
non-compliance with laws and regulations.
 Corrective Controls: designed to prevent errors and irregularities from recurring once they are discovered. E.g.:
 Policies and procedures for reporting errors and irregularities so they can be corrected
 Training employees on new policies and procedures.
 Positive discipline to prevent employees from making future errors.
 Continuous improvement processes to adopt the latest operational techniques.
 Categories of control activities (internal controls):
 Performance reviews: these include reviews and analyses of actual performance against budgets, forecasts and
prior period performance, mostly done by management as Management Control.
 Information processing: A variety of controls are used to check the accuracy, completeness and authorization of
transactions.
 Application controls
 General IT controls
 Physical Controls: these include controls over the physical security of assets and records to prevent unauthorized
use, theft or damage.
 Segregation of duties: This control involves assigning different people the responsibilities of authorizing or
recording the transactions and maintaining the custody of assets.
 Reduces the opportunity to carry out and conceal errors or fraud.

2.6 Internal controls in IT systems: general controls and application controls
 General IT controls: policies and procedures that relate to many different applications.
 Support the effective functioning of Application Controls.
 If General IT controls are weak, it is unlikely that the processing undertaken by the system
will be complete and accurate.
 The auditor will therefore firstly review and test the general IT controls, in order to reach a
conclusion on their effectiveness.
 If control risk is assessed as low, he will then move on and test application controls, to
decide if he can rely on specific systems and reduce his substantive testing.

 The controls the auditor would expect in a computer-based information system are:


 Controls over the development of new computer information systems and applications.
 Controls over the documentation and testing of changes to programs
 The prevention or detection of unauthorized changes to programs
 Controls to prevent the use of incorrect data files or programs
 Controls to prevent unauthorized amendments to data files
 Controls to ensure that there will be continuity in computer operations.
 Application Controls: apply to the processing of individual transactions.
 Authorization control: All significant transactions being authorized at an appropriate level.
 Arithmetic control: checking the arithmetic accuracy of records.
 E.g., checking invoices from suppliers, to make sure that the amount payable has been calculated
properly.
 Accounting controls: maintaining and reviewing accounts and trial balances. These are provided within
accounting procedures to ensure the accuracy or completeness of records.
 Use of control account reconciliations to check the accuracy of trade receivables or trade payables.
 IT controls such as edit checks of input data.
 Numerical sequence checks
 Manual follow-up of exception reports.
 E.g., specific inventory controls are different from internal controls over payroll.

Segregation of duties: dividing the work to be done between two or more individuals.
Purpose: Work done by one individual acts as a check on the work of the other, which reduces the risk of
error or fraud.
It is more difficult for a person to commit fraud, because a colleague may identify that person's
suspicious transactions.

2.7 Logical access control


 Tools and procedures used for identification, authentication, authorization and
accountability in computer information systems.
 Logical access controls can be embedded within operating systems, applications, add-on
security packages or database or telecommunication management systems.
 Logical access controls depend on the in-built security facilities.
 Additional access control can be gained through the appropriate use of proprietary security
programs.
 Unique login identifiers and authenticated password.
2.8 Controls over data transmission
 Help to ensure data is transmitted both intact and also securely without fear of
breach of confidentiality. It includes:
 Program controls that ensure data is transmitted in the correct format.
 Firewalls to prevent intrusion
 Restricting access to source data
 Only using secured Wi-Fi with password protection
 Using check sums and check digits
 Data encryption
 Data encryption: use of an algorithm for information transfer.
 Data can be encrypted in one of two ways:
 At rest – for example in a database or on a flash memory stick
 In transit – when data flows across a network
2.9 System Logs
 A log file is a file that records events taking place in the execution of a system.
 For generation of an audit trail to understand the activity and to diagnose problems.
 For understanding the activities of complex systems
 For analyzing a system’s performance
 Where there is little user interaction.
2.10 Control Weaknesses and the exam
 Control environment: if management shows little concern for risks and controls, it is
probable that the entire system of internal controls will be weak and ineffective.
 A lack of checks and controls: suitable controls simply do not exist.
 Segregation of duties: discussed previously
 Physical controls: to protect the physical security of assets and records.
 Personnel: weaknesses in the personnel who perform particular tasks.
 Management and Organization Structure: A lack of supervision may be a control weakness; lines
of responsibility and reporting may not be clear.
 IT controls: Weakness in both general and specific application controls.
 Computational work and risk of computational error: weakness in procedures for making
and checking calculations, e.g., service charges to customers.
 Lack of internal audit: weakness in internal audit department.
2.11 Monitoring of Controls
 Monitoring and reviews of operations on a timely basis by management.
2.12 Recording internal control system:
 The need to record internal control system:
 The auditor should carry out an evaluation of the systems and conduct an audit risk
assessment. This helps in identifying the audit approach.
 Systems based approach
 Transactions based approach
 Recording Methods: Narrative notes, questionnaires and systems flowcharts.
2.13 Narrative Notes
 Written description of the control system and the controls that are in place.
 Simple to prepare
 Time consuming
2.14 Systems flowcharts
 Representation of the accounting system in the form of a diagram.
 For each type of transaction, they show the documents generated, the process applied to the
documents and the flow of the documents between the departments.
 Present an immediate visual impact of the system.
 Help to identify weaknesses in control more easily.
 Accounting and Control System flowcharts.
 Flowcharts show the flow of work by showing how documents are transferred within a system

 Benefits and limitations of flowchart: Advantages are:


 Enhance auditor’s evaluation.
 Annual updating of a chart with easy additions or deletions of symbols and lines.
 Easily evaluated and informative description of the system.
 Graphic evidence of any conflicting responsibilities.
 Logical sense facilitates easy understanding of the system.
 System is recorded entirely as all documents have to be traced from the beginning to end.
 Permanent record of system with minor changes year.
 Highlights the strength and weaknesses of a system, easier to spot any missing controls.
 Can be prepared easily by inexperienced staff.

 Benefits and limitations of flowchart: Limitations are:


 Only suitable for describing standard systems rather than recording systems with unusual
transactions.
 Not appropriate for recording systems with further classifications of subsystems or
subroutines.
 Time consuming process as an auditor must learn about the operating personnel involved
in the system and gather samples of relevant documents.
 Possibility of recording and checking areas that are of no audit significance.
 Flowcharts are difficult to amend.
2.15 Questionnaires
 A standard questionnaire is a list of questions about controls in a particular aspect of operations or
accounting.
 Internal Control Questionnaire (ICQ): designed to establish whether appropriate controls exist, that
meet specific control objectives.
 A ‘yes’ answer to a question indicates a control strength.
 A ‘no’ answer to a question indicates a control weakness.
 ICQs help in providing means in recording systems, assist in the evaluation process and gain an
overall picture of the reliability of the system under review.
 Relatively simple, can be completed by relatively junior members, though time-consuming.
 For example, for credit worthiness of potential new customers.
 Are credit references taken on all potential new customers? Y/N
 Are credit limits set for customers? Y/N
3. LIMITATIONS OF INTERNAL CONTROL SYSTEMS
3.1 Reasons why internal controls may be ineffective
 Human errors may not be detected by control systems.
 Not cost effective for certain types of control
 Ignored or overridden by employees or management
 Existence of collusion.
3.2 Problems of small entities
 For example segregation of duties
 Features of control system in small entities:
 High level of involvement by the directors
 Owner-manager personally authorizing many transactions
 Mitigate risk arising from a lack of segregation of duties.

 Fewer chances of lower code of conduct so a culture of integrity and ethical behavior will be a key to auditor’s
risk assessment.
 Auditor will often see management involvement as only a partial substitute for ‘normal’ control system.
 The following problems may arise when control systems rely excessively on the involvement
of the senior management:
 Lack of evidence as to how systems are supposed to operate.
 Rely more on enquiry than on review of documentation.
 Lack of evidence of controls
 Existence and application of controls
 Management may override other controls that are in place.
 Management may lack the expertise necessary to control the entity effectively.
 Lower chances to have an independent person within the management team.
 Lower tests of control and higher substantive testing.
4. EVALUATION OF CONTROLS AND AUDIT RISK ASSESSMENT
4.1 The purpose of evaluating controls
 2 stage process
 Whether controls are effective ‘on paper’.
 Obtain a general picture of the effectiveness of control established by management.
 Whether the controls are applied properly, and so whether they are actually working and operating
effectively.
4.2 The evaluation process
 If ‘paper’ review shows major weaknesses, the audit approach will have to focus on tests of transactions
(substantive tests) rather than on tests of control (a system-based approach)
 Good for high level of control risk
 If the controls appear to be acceptable on paper, the auditor has to perform tests of control.
 If tests indicate that the controls are operating effectively, audit can be system based with lower
substantive testing.
 ISA 330 requires that the substantive procedures are carried out for each material class of transactions,
account balances and disclosures.
4.3 Management Letter
 A report typically presented in columnar fashion detailing weaknesses observed in the
client’s system of internal controls.
 The identification of control weaknesses is a by-product of the external audit, not an objective of it.
