Lesson 02

Internal Controls
University of Colombo - Faculty of Management & Finance
Bachelor of Business Administration 2023
Semester V
BBA 3304 – Auditing
By: P. I. S. Jayathilaka
Internal control and the statutory audit
Auditors shall:
• Assess the adequacy of the accounting system as a basis for preparing
the accounts
• Identify the types of potential misstatements that could occur in the
accounts
• Consider factors that affect the risk of misstatements
• Design appropriate audit procedures
Financial statement assertions
Audit tests are designed to obtain evidence about the financial statement
assertions. Assertions relate to classes of transactions and events, account
balances at the period-end, and presentation and disclosure.
• Financial statement assertions:
Are the representations by management, explicit or otherwise, that are
embodied in the financial statements, as used by the auditor to consider
the different types of potential misstatements that may occur.
Auditor must use assertions in sufficient detail to form the basis for the
assessment of risks of material misstatement and to design and perform
further audit procedures.
Assertions about classes of transactions and events
and related disclosures (statement of profit or loss)

Occurrence Completeness Accuracy

Cut-off Classification Presentation

• Occurrence: Transactions and events that have been recorded or
disclosed have occurred, and such transactions and events pertain to
the entity.

• Completeness: All transactions and events that should have been

recorded have been recorded, and all related disclosures that should
have been included in the financial statements have been included.

• Accuracy: Amounts and other data relating to recorded transactions

and events have been recorded appropriately, and related disclosures
have been appropriately measured and described.
• Cut-off: Transactions and events have been recorded in the correct
reporting period.

• Classification: Transactions and events have been recorded in the

proper accounts.

• Presentation: Transactions and events are appropriately aggregated or

disaggregated and are clearly described, and related disclosures are
relevant and understandable in the context of the requirements of the
applicable financial reporting framework.
Assertions about account balances and related
disclosures (Statement of financial position)

Rights and
Existence Completeness
Obligations

Accuracy,
Valuation and Classification Presentation
Allocation
• Existence: Assets, liabilities and equity interests exist.

• Rights and obligations: The entity holds or controls the rights to assets,
and liabilities are the obligations of the entity.

• Completeness: All assets, liabilities and equity interests that should

have been recorded have been recorded, and all related disclosures
that should have been included in the financial statements have been
included.
• Accuracy, valuation and allocation: Assets, liabilities and equity
interests have been included in the financial statements at appropriate
amounts and any resulting valuation or allocation adjustments have
been appropriately recorded, and related disclosures have been
appropriately measured and described.

• Classification: Assets, liabilities and equity interests have been

recorded in the proper accounts.

• Presentation: Assets, liabilities and equity interests are appropriately

aggregated or disaggregated and clearly described, and related
disclosures are relevant and understandable in the context of the
requirements of the applicable financial reporting framework.
Recording accounting and control systems
• The auditors must keep a record of the client's systems which must be
updated each year.
• Techniques for recording the assessment of control risk:
Narrative notes
Questionnaires- ICQs, ICEQs
Flowcharts
Checklists
• Record will usually be retained on the permanent file and updated
each year.
Narrative notes
• A written description of the system showing what happens and the
controls operating at each stage.
• The purpose of narrative notes is to describe and explain the system,
at the same time making any comments or criticisms which will help
to demonstrate an intelligent understanding of the system.
• Advantages:
Simple to record and understand
can be used for any system due to the method's flexibility
Editing is relatively easy
• Disadvantages: Can be a lot more time consuming than representing
it as a simple flowchart
Flowcharts
• Graphical illustrations of the physical flow of information through the
accounting system.
• Flowlines represent the sequences of processes, and other symbols
represent the inputs and outputs to a process.
• Flowchart symbols
Common flowchart symbols
Additional flowchart symbols-best utilized when mapping out a process flow
diagram for apps, user flow, data processing, etc
Common flowchart symbols
Name Symbol Description
Process symbol/ Represents a process, action, or function.
Action Symbol

Start/End symbol/ Represents the start points, end points, and

Terminator potential outcomes of a path.
Symbol

Document symbol Represents the input or output of a document.

Examples of and input are receiving a report,
email, or order.
Examples of an output using a document symbol
include generating a presentation, memo, or letter.
Common flowchart symbols (contd..)
Name Symbol Description
Decision symbol Indicates a question to be answered — usually
yes/no or true/false. The flowchart path may then
split off into different branches depending on the
answer or consequences thereafter.

Connector symbol Usually used within more complex charts. This

symbol connects separate elements across one
page.

Off-Page Frequently used within complex charts, this

Connector/Link symbol connects separate elements across
Symbol multiple pages with the page number usually
placed on or within the shape for easy reference.
Common flowchart symbols (contd..)
Name Symbol Description

Input/Output Represents data that is available for input

symbol/ or output as well as representing resources
Data Symbol used or generated.

Comment/Note Placed along with context, this symbol adds

symbol needed explanation or comments within
the specified range. It may be connected by
a dashed line to the relevant section of the
flowchart as well.
Additional flowchart symbols
Name Symbol Description
Database Represents data housed on a storage
symbol service that will likely allow for searching
and filtering by users.

Summing Sums the input of several converging

junction paths
symbol

Manual input Represents the manual input of data into

symbol a field or step in a process, usually
through a keyboard or device. Example
scenario includes the step in a login
process where a user is prompted to enter
Additional flowchart symbols (contd…)
Name Symbol Description

Manual Indicates a step that must be done

operation manually, not automatically.
symbol

Merge Combines multiple paths to become

symbol one.

Multiple Represents multiple documents or

documents reports.
symbol
Process Flowchart
Question 01
A company has launched a one time promotion for its loyal customers
on a particular day. According to the promotion, the loyal customer will
receive a gift voucher worth of Rs. 500 with their present bill if they
spend Rs. 5,000 more than their last bill and their last bill is not less
than Rs.5,000.
Prepare the process flow chart for the above procedure.
Advantages of flowcharts
• After a little experience they can be prepared quickly.
• As the information is presented in a standard form, they are fairly
easy to follow and to review.
• They generally ensure that the system is recorded in its entirety, as all
document flows have to be traced from beginning to end.
• They eliminate the need for extensive narrative and can be of
considerable help in highlighting the salient points of control and any
deficiencies in the system.
Disadvantages of flowcharts
• Most suitable for describing standard systems. Procedures for dealing
with unusual transactions will normally have to be recorded using
narrative notes.
• Major amendment is difficult without redrawing.
• Time can sometimes be wasted by charting areas that are of no audit
significance.
Questionnaires
• Internal Control Questionnaires (ICQs)
They comprise a list of questions designed to determine whether
desirable controls are present.
They are formulated so that there is one list of questions to cover
each of the major transaction cycles.
One of the most effective ways of designing the questionnaire is to
phrase the questions so that all the answers can be given as 'YES' or
'NO' and that a 'NO’ answer indicates a deficiency in the system.
Internal Control Questionnaires (ICQs)
Examples
• Are purchase invoices checked to goods received notes before being
passed for payment?
• Are these records reviewed by a person independent of those
responsible for the receipt and control of goods?
• Are the bank reconciliations and bank deposits are performed by two
different staff?
• Are all disbursements are made by cheques?
• Are the payments are authorized by the autorised signatory before
processing the payment?
Internal Control Evaluation
Questionnaires (ICEQs)
• Designed to assist in the identification of strengths and weaknesses in
internal control structure.
• Deficiency which should be prevented by a key control is highlighted.
• E.g.
Question Answer Comments or
explanation of “Yes”
answer
Can a payment be made to the same invoice
twice?

Can an employee resign without handing over the

assets given?
Advantages of questionnaires
• If drafted thoroughly, they can ensure all controls are considered
• They are quick to prepare
• They are easy to use and control
• Because they are drafted in terms of objectives rather than specific
controls, ICEQs are easier to apply to a variety of systems than ICQs
• Answering ICEQs should enable auditors to identify the key controls
which they are most likely to test during control testing
• ICEQs can highlight deficiencies where extensive substantive testing
will be required
Disadvantages of questionnaires
• They may contain a large number of irrelevant controls

• They can give the impression that all controls are of equal weight. In
many systems one answer will cancel out a string of other answers.
E.g. Will the resignation notice of an employee be forwarded to payroll
division?
Is the attendance considered in calculating the payroll?

• The client may be able to overstate controls

Checklists
• Checklists may be used instead of questionnaires to document and
evaluate the internal control system.
• Instead of asking questions, statements are made to 'mark off' and tick
boxes are used to indicate where the statement holds true.

Eg: Will the variance analysis be carried out once a month comparing the
budget and actual expenditure?
Checklist may state “Variance analysis be carried out once a month
comparing the budget and actual expenditure”, which would be ticked if
this does actually occur, or crossed if not.
Evaluation of internal control
• If the auditors believe the system of controls is strong, they may
choose to test controls to assess whether they can rely on the
controls having operated effectively.
• Not all controls relevant to financial reporting are relevant to the
audit. Auditor may exercise professional judgement to determine
which controls are to be tested.
• In addition to enquiry, auditors will often carry out walk-through
tests.
Picking up a transaction and following it through the system to see whether
all the controls were in existence with regard to that transaction.
Aspects of Control Evaluation
• Design effectiveness of controls
Whether it is capable of effectively preventing, or detecting and correcting
material misstatements.
E.g. Bank recs- have to review, sign but by the same person- badly designed
control
• Implementation of the control
Test by a combination of enquiry, observing the control or inspecting related
documents.
• Operating effectiveness
Reasonable evidence that the control was operating effectively throughout the
period
Tests of controls
Tests of controls are used to test the effectiveness of the design of the
internal controls systems and operating effectiveness of the controls.
• Inspection of documents
• Enquiries about internal controls
• Re-performance of control procedures
• Examination of evidence of management views. E.g. minutes
• Testing of IT controls E.g. Access controls
• Observation of controls
Revision of risk assessment, audit strategy
and audit plan
• If the evidence contradicts the original risk assessment, the auditors
will have to amend the further procedures they have planned to carry
out.
• If controls testing reveals that controls have not operated effectively
throughout the year, the auditor may have to extend substantive
testing.
• The new or changed procedures will need to be reflected on the audit
plan which details the nature, timing and extent of audit procedures
to be performed.