3.
2 - INTERNAL CONTROL
TABLE OF CONTENTS
Fundamental concepts
Objective, characteristics & limitations
Definition of IC
Importance of IC to auditors
Relationship of IC and audit evidence
Review & documentation of ICS
IC’s compliance test in transaction cycle
Strength & deficiencies of internal control
Management letter
INTERNAL CONTROL – DEFINITION
IC is defined as a process designed and
implemented by those charged with the governance,
management & other personnel to provide
reasonable assurance regarding the achievement of
objectives in the following categories:
Reliability of financial reporting
Compliance with applicable laws & regulation
Effectiveness & efficiency of operations
Prevention & detection of fraud & errors
INTERNAL CONTROL - OBJECTIVES
All the policies and procedures (IC) adopted by the
management of an entity to assist in achieving
management’s objectives of ensuring the efficient
conduct of its business.
Several objectives of internal control include:
adherence to mgmt policies
safeguarding of the company’s assets
prevention & detection of fraud & error (FS)
accuracy & completeness of the accounting records
timely preparation of reliable financial information
compliance to laws and regulations
risks are identified & minimised
management decision making is effective & business processes are efficient.
INTERNAL CONTROL –
OBJECTIVES & DEFINITION
The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) defines IC as a
“process effected by the board, senior mgmt & employees & is
designed to provide reasonable assurance that risks are managed
to ensure the achievement of an organization’s objectives”
in relation to:
The effective and efficient accomplishment of goals &
operations
The safeguarding & economical & efficient use of resources
The reliability & integrity of info including fin. reporting
Compliance with policies, plans, procedures, laws &
regulations.
COMPONENTS OF IC
(FEATURES OF GOOD ICS) (1)
Control Environment
Entity’s Risk Assessment Process
Information & Communication System
Control Procedures/Control Activities
Monitoring of Control
COMPONENTS OF IC (2)
(FEATURES OF GOOD ICS)
1) Control Environment
Consists of actions, policies & procedures which reflect the overall
attitudes of top mgmt, directors & owners of an entity about IC & its
importance to the entity.
Factors that may affect it :
Integrity & ethical values of the mgmt
Mgmt commitment to competence
Participation of the BOD
Organizational structure
2) Entity’s risk assessment process
The process that the entity identifies & manages its business risks. Risk
assessment for financial reporting may cover identification, analysis &
mgmt of risks, relevant to the preparation of FS, which gives a true & fair
view & in accordance with an applicable fin. reporting framework.
COMPONENTS OF IC (3)
(FEATURES OF GOOD ICS)
3) Control Procedures
Policies & procedures that help to ensure that mgmt directives
are carried out to achieve its objectives and also to
reduce/address risks.
AI 400 states that control activity generally relates to:
Segregation of duties
Information processing
Physical control
Performance review
COMPONENTS OF IC (4)
(FEATURES OF GOOD ICS)
4) Information & Communication System
Methods & procedures used to initiate, record, process & report
transactions as well as to maintain accountability of individual roles &
responsibilities, for instance the co.’s A/c Info System.
5) Monitoring
Mgmt’s ongoing & periodic assessment of the quality of IC
performance to determine whether controls are operating as intended
& modified when needed.
CHARACTERISTICS OF IC
1) Management performs independent checks on performance
Mgmt is responsible for devising & maintaining the system
of IC. Reviews of the adequacy of IC need to be performed
on a regular basis to ensure that all significant controls are
operating effectively.
For example: personnel are likely to forget or intentionally
fail to follow procedures, or they may become careless
unless someone regularly observes and evaluates their
performance.
2) Organisational structure
Mgmt creates an org. structure to facilitate delegation of
duties, coordination of activities and to control the actions
of its employees. Such an org. structure should be clearly
defined by hierarchy to show who is responsible for what
area of the org and the official title of the person in charge.
E.g. organization chart.
CHARACTERISTICS OF IC (2)
3) Arithmetic & accounting
Transactions are correctly & accurately recorded &
processed
(E.g. adequate chart of a/c, systems/procedures manual,
preparation of monthly bank reconciliation,
sales/purchases ledger control accounts)
4) Segregation of duties
Means that duties are properly segregated between staff in
charge of authorisation of transactions, recording of
transactions & custody of assets. As a result, no one
person sees a transaction through from beginning to end
on their own.
CHARACTERISTICS OF IC (3)
5) Supervision
Supervision should be carried out on a regular and continuous
basis. For example, work done by a clerk must be supervised by
his/her superior or supervisor in charge.
(e.g. manager supervises the officer, officer supervises the clerk)
6) Physical control over assets and records
The use of physical precautions prevents unauthorized access to
physical assets, and unauthorized access and alteration to documents
and records.
E.g. cash kept under lock & key, security doc kept in fire-proof
safe, inventories kept in store room, UiTM Melaka uses ID for
photostating
CHARACTERISTICS OF IC (4)
7) Personnel Hiring & Training Policy
The co. should employ staff who are competent and honest as well as
qualified. Training programmes should be conducted for new
recruits as well as experienced staff.
(E.g. policy that only qualified individuals are employed)
8) Authorisation & approval
Only VALID transactions are recorded i.e. transactions performed
according to mgmt general / specific authorisation
E.g. policy that cash pymt > RM 10K must be approved by 2
officers, ordering goods approved by the purchasing officer
LIMITATIONS OF IC
IC can only provide reasonable assurance that mgmt objectives
are attained. IC is effective in reducing errors and fraud
only to a certain extent, due to the inherent limitations of IC, i.e.
Circumvention of control where management overrides the IC
Circumvention of control - collusion among employees and
with 3rd parties. E.g. kickbacks
Personnel errors or mistakes – negligence/human error
Cost constraints – cost vs benefit: the benefit derived from a control must
justify the cost of having staff with incompatible functions
IC procedures may become inadequate due to changes in
company size and activities
IMPORTANCE OF IC TO AUDITORS &
MGMT (1)
Management’s concerns about IC
IC provides a way for mgmt to meet its agency
responsibilities
IC system ensures that the info generated for decision-
making purposes is reliable
EFFECTIVE IC CAN PROVIDE MGMT WITH REASONABLE
ASSURANCE THAT ASSETS ARE SAFEGUARDED
FROM UNAUTHORISED USE OR DISPOSITION AND
THAT FINANCIAL RECORDS ARE RELIABLE TO
PERMIT THE PREPARATION OF FINANCIAL
INFORMATION
IMPORTANCE OF IC TO AUDITORS &
MGMT (2)
Auditor’s concern about IC
Auditor needs to understand the IC systems of
an entity in planning the audit
If the IC system is strong, the FS & other data
generated by the entity are more reliable & thus,
the auditor could possibly reduce substantive
tests (ST)
OTOH, if the IC is weak, the auditor needs to
perform more ST & detailed checking during the
audit
WHO’S RESPONSIBLE TO
MAINTAIN THE ICS?
Mgmt / Auditor?
Auditor – will evaluate & ascertain the ICS in
deciding the level of testing required. A
good ICS will reduce the amt of audit work
required.
Management – Responsible to maintain
good ICS to make sure the organisation runs
smoothly and the company will not be exposed
to possible misstatement of FS.
REASONS FOR AUDITORS TO
UNDERSTAND CLIENT’S IC
1) To obtain info abt integrity of mgmt
2) To obtain info abt the nature & extent of available acc.
records
3) To identify the types of potential errors & fraud that
might affect the FS
4) To assess the Control Risk
5) To plan & design the appropriate audit test
** ISA 400: auditor needs to inform client of any material
IC weaknesses identified during audit, i.e. in the letter
of weaknesses / mgmt letter.
RELATIONSHIP OF IC & AUDIT
EVIDENCE
Effective IC reduces planned audit evidence in the audit of FS
Types of potential misstatement
Risk of material misstatement
Once the audit of IC is completed, auditor can use the results to
determine the nature, timing & extent of audit procedures
REVIEW OF THE CLIENT’S IC
SYSTEM
Update & evaluate auditor’s previous experience
with the entity
Make inquiries of client personnel
Examine client’s documents & records
Observe client procedures/ activities / operations
Perform walkthroughs of the Accounting System
(i.e. trace a few transactions from initiation to
final recording)
DOCUMENTATION OF CLIENT’S ICS
Auditors usually document their understanding
of the design of their client’s IC in:
1. Narrative description
2. Internal control questionnaires (ICQ)
3. Flowcharts
DOCUMENTATION OF CLIENT’S ICS (2)
Narrative - a written description of a client’s IC system
A proper narrative of an a/c system & related procedures includes
4 characteristics
Origin of every document & recording in the system
All processing that takes place
Description of every document & record in the system
The filing of documents, sending them to customers/ destroying
them should be shown
Advantage
Simple to use
Easy to describe
Disadvantage
Difficult to describe details of large org IC system
Difficult to interpret and understand
DOCUMENTATION OF CLIENT’S ICS (3)
Internal control questionnaire (ICQ)
Asks a series of questions about controls in each audit area, including
the control environment
Designed such that it requires a “yes” or “no” response
where “no” may indicate potential control deficiencies
(Refer t/book p.,)
The use of a questionnaire is highly desirable for
understanding the client system, and it also serves as a
useful checklist to remind the auditor of the many different types
of controls that should exist.
Allows auditors to work in an efficient manner. It is
uneconomical to record every finding of an audit job in
writing.
METHODS TO RECORD IC
Flowcharts – diagram of the client’s documents & their
sequential flow in the org.
1. Systems flowchart
Simple presentation on flow of documents & records in
the organisation
2. Internal control flowchart
More elaborate & shows the segregation of duties & other
controls present in the system
3. Program flowchart
Relates to specific computer programs.
Usually used by auditors who are also EDP specialists
DOES ENTITY SIZE AFFECT IC?
Large entity (complex)
Able to implement IC in a formal manner
Less effective communication channel
Less effective monitoring procedures
Shareholders are separated from the BOD, thus mgmt could not
personally ensure the completeness, accuracy & validity on most
transactions carried out by its staffs.
Small entity (simple)
Usu. implement IC in a less formal manner
More effective communication channel
More effective monitoring procedures
Usu. owner is also the manager who can loosely monitor &
participate in the operation of the co. itself.
TESTS OF CONTROL IN
TRANSACTION CYCLES
Auditor should perform tests of control in
transaction cycles over a period of time to
determine whether the controls are working or
not.
1) Identify significant accounts & relevant assertions
2) Perform walkthrough for each process
associated with accounts & disclosures
E.g. walkthrough of the revenue cycle of a firm
3) Roll forward procedure – Obtain evidence
about the effectiveness of a control at an interim
date & not test its operation at year end.
Auditor can use the work of others, including the
company’s internal auditor, to evaluate internal
control.
Auditor must evaluate the operating effectiveness of
controls involving all relevant assertions for all
significant accounts & disclosures.
DEFICIENCY OF INTERNAL
CONTROL
Mgmt must identify any control deficiencies to
prevent/detect any misstatement.
A deficiency exists when an IC is missing
A material weakness is a deficiency such that a
material misstatement will not be prevented by the
organisation.
A significant deficiency is a weakness that is less
severe than a material deficiency.
LETTER OF WEAKNESSES (LOW),
A.K.A. MANAGEMENT LETTER
Letter by auditor to mgmt at the end of his audit
work, listing any weaknesses in the design /
operation of the IC system which may have
come to his attention, explaining the significance
& the effect on current & future FS and making
suggestions as to the ways these weaknesses can
be removed / reduced.
PROCEDURES IN PREPARING LOW
Discuss weaknesses in IC with client verbally
Follow up with a formal letter which will include
recommendations for improvement
Follow up at the next visit to the client
CONTENTS OF LOW
Purpose of the letter
Purpose of the IC investigation
Disclaimer/ clause that the weaknesses notified are
not necessarily all the weaknesses that may exist
Weaknesses
Recommendations for improvement
Request info on remedial action
QUESTION TO PONDER!!!
Explain the basic controls necessary for the validity,
completeness & accuracy of the accounting records.
Basic control techniques are designed to ensure that a
co.’s transactions are valid & that they are recorded completely &
accurately in the books. Below are the std control techniques
designed to achieve the objectives of validity, completeness & accuracy.
Pre-numbering documents
Maintaining control total accounts
Detailed checking of one document against another
Authorisation on documents
Confirmation with third parties
Physical examination
SUMMARY
IC is important for the effective operation of entities
The auditor must obtain an understanding of the IC
structure to effectively plan the audit