
Chapter 4

Internal Control Structure


4.1 Meaning and Nature of an internal control system
The second standard of GAAS states that:
“A sufficient understanding of internal control structure is to be
obtained to plan the audit and to determine the nature, timing, and
extent of tests to be performed”
What are Internal Controls?
A few definitions of internal control:
– Internal controls are structures/systems consisting of policies and procedures
established to provide reasonable assurance that the organization’s objectives are
achieved in the following categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
• Reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable rules and regulations are the
three broad objectives for which management designs internal control
systems. This is because:
– Management is responsible for preparing statements in accordance with
the reporting requirements of accounting frameworks such as GAAP and
IFRS, and effective internal control over financial reporting helps to
fulfill these financial reporting responsibilities.
– Effective internal control is essential for efficient and effective use of
the entity’s resources to optimize the company’s goals.
– Organizations are required to follow many laws and regulations
(accounting related and others, such as environmental protection and
civil rights laws, income tax regulations and anti-fraud legal provisions).
Weak internal control can result in:
• Fraud, Embezzlement and Theft at various levels: management,
employees, customers, vendors, or the public at large.
• Statutory Sanction – penalties arising from failure to comply with
regulatory requirements, as well as overt violations.
• Excessive Costs – results in expenses which could have been avoided.
• Deficient Revenues – results in loss of revenues to which the
organization is entitled.
• Loss, Misuse or Destruction of Assets – unintentional loss of physical
assets such as cash, inventory, and equipment.
• Business Interruption – it may cause system breakdowns and excessive
rework to correct errors.
– Benefits of internal control: it helps organizations
• To make jobs easier and help people to do jobs better. If
policies and procedures are established, authority and
responsibility will be clearly defined and expectations will
be clear, so people know what to do and what not to do
• To meet their goals and objectives
• To safeguard assets from waste, fraud and inefficient
use
• To promote efficiency and reduce the risk of loss
• To improve accountability and maintain public trust
• To ensure accurate and reliable accounting records
• To ensure compliance with company policies
• To reduce legal liability
In sum, an internal control system consists of all measures taken to
assure management that everything is functioning as it should.

Limitations of internal control


• It provides reasonable, not absolute, assurance, i.e.:
– No system is perfect; an internal control system cannot provide
absolute assurance

• Contrasting Management’s & Auditor’s Responsibility
for Internal Control System
– Management’s Responsibility
• Primary responsibility to establish and maintain control
system
• To publicly report on the operating effectiveness of those
controls (Sarbanes-Oxley Act of 2002)
– Auditor’s Responsibility
• To understand and test internal control over financial
reporting (second standard of field work).
• To annually issue an audit report on the operating
effectiveness of those controls
4.2 Internal Control and Internal Audit

Internal control:
• “an internal process operated by the management and personnel, and is
designed to address risks and provide reasonable assurance that
the following objectives are achieved”:
– Accountability obligations are fulfilled
– Operations are executed orderly, ethically, economically, efficiently and
effectively
– Rules and regulations are complied with
– Resources are safeguarded from loss, misuse and damage

Internal audit:
• “Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and
governance processes”.

• Internal control and internal audit are related but not the same.
Internal controls are policies and procedures designed to control
all of an entity’s functions. They are built into operations.
4.3-4.5 Basic internal control structure

The Components of Internal Control System


• The Committee of Sponsoring Organizations (COSO) has developed an internal control
framework that has come to be accepted as the standard in the US and all over the world.
• COSO’s Internal Control—Integrated Framework, describes five components of
internal control that management designs and implements to provide reasonable
assurance that its control objectives will be met.
• Each component contains many controls, but auditors concentrate on those designed
to prevent or detect material misstatements in the financial statements.
The COSO internal control components include the following:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
[Figure: (The five Components of the Control Environment) Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring]
1. Control environment (CE)
– The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about internal
control and its importance to the entity.
– It sets the tone of an organization and influences the control consciousness of the staff.
– It is the foundation for all other components of internal control.
– It has a pervasive influence on all the decisions and activities of an organization.
– Effective organizations set a positive “tone at the top”. This means:
• If top management believes that control is important, others in the organization will sense
this commitment and respond by strictly observing the controls established.
• If members of the organization believe that control is not an important concern to top
management, it is almost certain that management’s control objectives will not be
effectively achieved.

• How do auditors understand and assess the control environment of an entity?
They consider important factors (elements of the CE).
• Factors considered in assessing the control environment:
– Integrity and ethical values: the auditor’s assessment includes whether
the entity has ethical and behavioral standards. If it has, are these
standards communicated to employees? Are they enforced? What is
management’s reaction to unethical behavior? Does it
encourage or discourage illegal practices and unethical behaviors?
– Commitment to competence: this is related to the human resource
policy of the organization. E.g., is management committed to better
results by assigning the right person to the job? Is management
committed to continuous improvement of the staff’s knowledge and
skill, to develop the human capital in the entity?
– The functioning of the BOD and the audit committee
• Auditors collect information about the composition of the BOD and
the audit committee and their independence from management, since it
provides an insight into the effectiveness of the governance of the
organization.
• If the audit committee is composed of individuals with knowledge
of financial reporting issues, they will be able to effectively
evaluate the internal control system, the internal audit functions
and the financial statements prepared by management; thus, the
likelihood that material misstatement exists in the financial
statements will be low.

– Management’s philosophy and operating style
• Management, through its activities, provides clear signals to employees about the
importance of internal control. If management is the type that overrides internal
controls, employees will do the same, so the risk that misstatements exist will
be high.
– Organizational structure
• The entity’s organizational structure shows the lines of responsibility and
authority; it gives an insight into how controls are implemented.
– Human resource policies and practices
• The most important aspect of internal control is personnel.
• If the human resource policy of an organization enables the company to attract and
retain competent and trustworthy employees, reliable financial statements will
still result even with minimum control. In this case, the risk that the financial
statements will be misstated will be low.
• On the other hand, incompetent or dishonest people can damage the system
even if there are numerous controls in place. In such cases, the risk of
misstatement will be high.
• However, honest and efficient people who are able to perform at a high level
even when there are few other controls to support them, may also make an
error when they are dissatisfied or due to other personal problems.
• In general, the human resource policy is an integral part of the internal control
system of the organization. Thus, by assessing its strength/weakness, auditors
can obtain information about the strength/weakness of the internal control
system of the organization.
• Thus, a control conscious environment is an environment that
– supports ethical values and business practices,
– conveys an attitude of honesty and accountability at all levels.
2. Risk assessment
• Risks are internal and external events (economic conditions,
staffing changes, new systems, regulatory changes, natural
disasters, etc.) that threaten the accomplishment of objectives.
• Risk assessment is management’s process of identifying,
evaluating, and deciding how to manage these events: What is
the likelihood of the event occurring? What would be the impact if
it were to occur? What can we do to prevent or reduce the risk?
• Risk assessment for financial reporting is management’s
identification and analysis of risks relevant to the preparation of
financial statements in conformity with appropriate accounting
standards.
• Factors that may lead to increased risk include:
– Failure to meet prior objectives, poor quality of personnel,
complexity of core business processes, introduction of new
information technologies, economic downturns, and entrance
of new competitors
– Once management identifies a risk, it estimates the significance
of that risk (it evaluates as high, medium, low), assesses the
likelihood of the risk occurring, and develops specific actions
that need to be taken to reduce the risk to an acceptable level. It
is clear that management addresses the high category risk
Purpose of management’s and auditors’ assessment of risk:
• Management: it assesses risks as a part of designing
and operating internal controls to minimize errors and
fraud.
• Auditors: they assess risks to decide the evidence
needed in the audit to satisfy various audit objectives.
3. Control activities
• Control activities are management policies, procedures, and processes in
addition to those included in the other four control components, designed
and implemented to ensure that management directives are carried out,
risks are managed and entity objectives are achieved.
• They are established by management to address risks and to achieve the
organization’s objectives (e.g., authorization, approvals, segregation of
duties, physical control of assets, security, reconciliations, performance
reviews and documentation).
• They are designed to prevent or reduce the risks that can impede the
accomplishment of objectives.
• Control activities occur throughout the organization, at all levels, and in all
functions.
• Control activities include both manual and automated
controls.
• Control activities generally fall into the following five
types:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate separation of duties: adequate internal control exists when the
following duties are separated:
– Custody of assets from accounting
– Authorization of transactions from the custody of related assets
– Operational responsibility from record keeping responsibility
– IT duties from user departments
2. Proper authorization of transactions and activities
• Every transaction must be properly authorized if controls are to be satisfactory.
(E.g., if any person in an organization could acquire or expend assets at will,
complete chaos would result.)
• The distinction between authorization and approval is also important:
authorization is about the decision on the policies and procedures, but approval is
about implementation of the authorized policies and procedures.
3. Adequate documents and records
• The occurrence of transactions should be adequately documented.
This means documents should be:
• Pre-numbered, to identify whether there are missing documents
• Prepared at the time a transaction takes place, or as soon as possible thereafter, to
minimize timing errors
• Designed for multiple use, when possible, to minimize the number of different
forms (one form can be designed in a way that it can provide many related
items of information)
• Constructed in a manner that encourages correct preparation (e.g., a well-designed
chart of accounts ensures accurate classification of accounts)
4. Physical control over assets and records
• To maintain adequate internal control, assets and records must be protected.
• If assets are left unprotected, they can be stolen.
• If records are not adequately protected, they can be stolen, damaged, altered, or
lost, which can seriously disrupt the accounting process and business operations.
• When a company is highly computerized, its computer equipment, programs, and
data files must be protected. The data files are the records of the company and, if
damaged, could be costly or even impossible to reconstruct.
• The most important type of protective measure for safeguarding assets and records
is the use of physical precautions.

Note: management should:
• Secure and restrict access to equipment, cash,
inventory, confidential information, etc., which is essential
to reduce the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify
existence, quantities, location, condition, and
utilization.
• If such protections are adequate, the level of risk of
misstatement of the financial statements will be minimized.

5. Independent checks on performance
• This last category of control activities is the careful and continuous review of the
other four. It is called independent checks or internal verification (e.g., it can be
achieved through strict application of separation of duties (the least costly method),
or by having an internal audit department that performs independent review).
• What justifies the need for internal verification?
– Internal controls tend to change over time, unless there is frequent review.
– Personnel are likely to forget or intentionally fail to follow procedures, or they
may become careless unless someone observes and evaluates their
performance.
– Regardless of the quality of the controls, personnel can make errors or commit
fraud.

Control activities can be summarized as directive, preventive, detective and
corrective controls:
• Directive controls are designed to establish outcomes (e.g., laws, policies,
procedures, manuals).
• Preventive controls are measures that occur before a transaction/action is
performed to prevent a risk from occurring (e.g., training, pre-authorization,
physical control over assets, system access control, etc.).
• Detective controls are measures that occur after a transaction or action is
performed to detect misdeeds or something that has gone wrong (e.g., reviews and
comparisons, reconciliations, physical counts of inventories and post audits).
• Corrective controls are designed to correct errors that have been
discovered. They restore the system or process back to the state prior to a
harmful event (e.g., restoring from a backup after it is known that someone has
improperly altered the payment data on the computer).
• As a general rule, preventive controls are better than detective
controls; any good system of internal control should have a good
mixture of both.
• However, it is not advisable to place excessive reliance only on
preventive controls while ignoring detective controls, because once
preventive controls are compromised there is no way of detecting the
illegal act that has occurred.
• Controls can also be categorized as soft controls and hard controls:
• Soft controls include tone at the top, performance evaluations, and
training programs.
• Hard controls include segregation of duties, reviews and approvals, and
reconciliations.
4. Information and Communication
• It refers to the identification, capture, and exchange of information in the
form and time frame that enables people to carry out their responsibilities.
• Adequate internal control requires an entity to maintain an information
system:
– That allows the flow of information across the organization
– That clearly communicates employees’ duties and responsibilities
– That incorporates channels to report suspected improprieties, and
encourages employees’ suggestions for improvement
– That provides relevant and reliable information
– That provides timely, understandable and usable information to ensure
accountability for the related assets (e.g., it requires an entity to
maintain a proper accounting system).
• Information can be communicated in various ways (meetings, discussions,
reports, websites, etc.); it can also be controlled by physical
measures such as locks and technologies such as passwords.
• Effective information and communication systems enable the right people
to get information on time to allow appropriate action (to conduct,
manage, and control operations).
• Auditors evaluate the information and communication system of an
organization to meet transaction-related objectives (occurrence,
completeness, accuracy, posting and summarization, classification and
timing) and determine the risk of misstatement of the financial statements.
• An effective information and communication system reduces the risk of
financial misstatements.
5. Monitoring
• It deals with ongoing or periodic assessment of the quality of internal
control by management to determine that controls are operating as
intended and that they are modified as appropriate for changes in
conditions.
• For many companies, especially larger ones, an internal audit department
is essential for effective monitoring of the operating performance of
internal controls.
• In small companies, a separate internal audit department may not be
required, since monitoring and control activities are usually conducted by
managers who are also owners. The owner-manager’s personal interest
and close relationship with personnel enable managers to monitor and
control the firm’s activities without the help of an internal audit department;
however, this is not feasible for larger organizations.
• In general, the following are indicators of good internal control practices:
– Documented policies and procedures
– Physical safeguarding of assets
– Systems to track employees’ activities, and systems to follow up problems and ensure resolution
– Existence of a code of conduct
– Job descriptions
– The BOD’s timely communication of the organization’s objectives, strategy, and assignment of
responsibilities
– Policies to hire, train, promote and compensate employees
– Positive atmosphere in the work environment
– Safeguards for employees exposing wrong acts (protection for whistleblowers)
– Clear chain of command, adequate segregation of duties
– Approvals of transactions (setting different levels of approval for transactions)
– Effective internal control allows organizations to achieve their goals effectively and
efficiently
