
CHAPTER 5

INTERNAL CONTROL
Internal Control Meaning & Objectives

 A system of internal control consists of:
– policies and
– procedures
designed to provide management with reasonable assurance that the company achieves its objectives and goals
 Management typically has three broad objectives in
designing an effective internal control system:
– Reliability of reporting
– Efficiency and effectiveness of operations
– Compliance with laws and regulations
Benefits of Internal Control
– Benefits of internal control: it helps organizations
 To make jobs easier and help people do their jobs better: if policies and procedures are established, authority and responsibility will be clearly defined and expectations will be clear, so people know what to do and what not to do
 To meet their goals and objectives
 To safeguard assets from waste, fraud and inefficient use (only a few trusted people can modify the internal controls)
 To promote efficiency (by making transactions transparent to anyone who looks) and reduce the risk of loss
 To improve accountability and maintain public trust
 To ensure accurate and reliable accounting records
 To ensure compliance with company policies (internal control can be an early warning system, enabling early identification and correction of deficiencies)
 To reduce legal liability
Weak Internal Control
Weak internal control can result in:
• Fraud, Embezzlement and Theft at various levels: management, employees, customers, vendors, or the public at large.
• Statutory Sanctions: penalties arising from failure to comply with regulatory requirements, as well as overt violations.
• Excessive Costs: results in expenses which could have been avoided.
• Deficient Revenues: results in loss of revenues to which the organization is entitled.
• Loss, Misuse or Destruction of Assets: unintentional loss of physical assets such as cash, inventory, and equipment.
• Business Interruption: it may cause system breakdowns and excessive re-work to correct errors.
Limitation of Internal Control
 It provides reasonable, not absolute, assurance, i.e.:
– No system is perfect; an internal control system cannot provide absolute assurance because of the following inherent limitations:
• its effectiveness depends on the behavior of those who use it;
• it is affected by human factors such as errors in designing it, lack of understanding (it can be wrongly understood), carelessness, and abuse or override (employee collusion, management override); its effectiveness depends on the competence of the people designing and implementing it;
• it can be affected by resource limitations: since it involves cost, smaller organizations may not implement it.
– The concept of reasonable assurance also recognizes that the cost of an entity’s internal control should not exceed the benefits expected to be derived. Thus, in designing an internal control system, it is essential to weigh the costs and benefits.
1. Human error (tired, disturbed)
2. Ineffective understanding of the control’s purpose: people may not understand why a control exists and forget to use a control step, or the person does not understand how the control system works
3. Collusion by two or more individuals to avoid a control
4. Software program controls being overridden or disabled
5. Management decisions about the nature and extent of the controls being implemented
Management and Auditor Responsibilities for
Internal Control
– Management’s Responsibility
 Establish and maintain the control system
 Publicly report on the operating effectiveness of those controls (Sarbanes-Oxley Act of 2002)
• Two key concepts underlie management’s design and
implementation of internal control:
 Reasonable assurance
 Inherent limitations
– Auditor’s Responsibility
 To understand and test internal control over financial
reporting
Management’s Reporting Responsibilities
 Management of all public companies must issue an internal control report that includes the following:
– A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures
for financial reporting
– An assessment of the effectiveness of the internal control structure
and procedures for financial reporting as of the end of the company’s
fiscal year
• Management’s assessment of internal control over financial reporting
consists of two key aspects:
– Management must
 Evaluate the design of internal control over financial reporting
 Test the operating effectiveness of those controls
Auditor Responsibilities for
Understanding Internal Control
• Auditors are required to:
– Obtain an understanding of internal control relevant to the
audit on every audit engagement
– Report on the effectiveness of internal control over financial
reporting, if the client is an accelerated filer
• Auditors are primarily concerned about:
– Controls over the reliability of financial reporting
– Controls over classes of transactions
Example Management Report on Internal
Control over Financial Reporting
Internal Control and Internal Audit
 Internal controls
= are systems, policies and procedures designed to address risks and provide reasonable assurance that the following objectives are achieved:
– Accountability obligations are fulfilled
– Operations are executed in an orderly, ethical, economical, efficient and effective manner
– Rules and regulations are complied with
– Resources are safeguarded from loss, misuse and damage
 Internal controls are policies and procedures designed to control all of an entity’s functions. They are built into the operations.
 Internal audit is an independent function that
= checks whether internal control systems are working well or not.
 Internal control and internal audit are related but not the same.
COSO Components of Internal Control
(Committee of Sponsoring Organizations of the Treadway Commission (COSO))
[Figure: the five COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring]
Figure 11.2 COSO Internal Control Objectives and Components
1. Control environment
Consists of the
– actions,
– policies, and
– procedures
that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
 It is the foundation for all other components of internal control
 It has a pervasive influence on all the decisions and activities of an organization.
 It sets the tone of an organization; it influences the control consciousness of the staff
 Effective organizations set a positive “tone at the top”: if top management believes that control is important, others in the organization will sense this commitment and respond by strictly observing the controls established.
 If members of the organization believe that control is not an important concern to top management, it is almost certain that management’s control objectives will not be effectively achieved.
..Control env… (CE)
• How do auditors understand and assess the control environment of an entity?
• By considering important factors (the elements of the CE).
Factors considered in assessing the Control Environment:
– Integrity and ethical values: the auditors’ assessment includes whether the entity has ethical and behavioral standards;
– If it has, are these standards communicated to employees?
– Are they enforced?
– What is management’s reaction to unethical behavior?
– Does it encourage/discourage illegal practices and unethical behaviors?
– Commitment to competence: this is related to the human resource policy of the organization.
– E.g., is management committed to better results by assigning the right person to the job?
..Control env… (CE)
– The functioning of the BOD and the audit committee
 Auditors collect information about the
= composition of the BOD and the audit committee, and their independence from management
(since it provides an insight into the effectiveness of the governance of the organization).
 If the audit committee is composed of individuals with knowledge of financial reporting issues,
- they will be able to effectively evaluate the internal control system, the internal audit function and the financial statements prepared by management; thus, the likelihood that a material misstatement exists in the financial statements will be low.
..Control env…. (CE)
 Management’s philosophy and operating style
Management, through its activities, provides clear signals to employees about the importance of internal control.
(If management is the type that overrides internal controls, employees will follow the same, so the risk that misstatements exist will be high.)
 Organizational Structure
– The entity’s organizational structure shows the lines of responsibility and authority;
– it gives an insight as to how controls are implemented.
 Human resource Policies & Practices
– The human resource policy is an integral part of the internal control system of the organization, and auditors assess its strength/weakness.
– If the human resource policy of an organization enables the company to attract and retain competent and trustworthy employees, reliable financial statements will still result even with minimal control.
– In this case, the risk that the financial statements will be misstated will be low.
2. Risk assessment

 Involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives
 The process includes:
- identifying,
- evaluating, and
- deciding how to manage these events…
Management will assess:
A. What is the likelihood of the event occurring?
B. What would be the impact if it were to occur?
C. What can we do to prevent or reduce the risk?
 Risk assessment for financial reporting is management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with appropriate accounting standards.
• Factors that may lead to increased risk include:
– Poor quality of personnel (e.g., staff who do not know revenue recognition rules),
– Geographic dispersion of company operations,
– Complexity of core business processes,
– Introduction of new information technologies (which affects the production process and the information system),
– Economic downturns, and
– Entrance of new competitors
…Risk ass…
 Once management identifies a risk:
o it estimates the significance of that risk (it evaluates it as high, medium or low),
o assesses the likelihood of the risk occurring, and
o develops specific actions that need to be taken to reduce the risk to an acceptable level (management addresses the high-category risks). How?
 Management will respond to the risk:
– e.g., by transferring it to a third party (insurance);
– by tolerating it, i.e., deciding to live with the risk (tolerable/accepted risk) if it is too expensive to treat;
– by terminating the risk (terminating/discontinuing the activity involving a high risk)
 If management effectively assesses and responds to risks:
= the risk of misstatement of the financial statements will reduce,
= the auditor will accumulate less evidence
…Risk ass….
Purpose of Management’s & Auditors’ assessment of risk:
• Management assesses risks as a part of designing and operating internal controls (to minimize errors and fraud)
• Auditors assess risks to decide the evidence needed in the audit to satisfy the various audit objectives (timing, extent, and audit guide)
How do auditors obtain knowledge about management’s risk assessment?
• Through questionnaires and discussions with management
What information do they collect in relation to management’s risk assessment?
 Information about:
– how management identifies risks relevant to financial reporting,
– how it evaluates the significance and likelihood of the risks occurring, and
– how it decides the actions needed to address the risks.
3.Control activities
Are policies and procedures that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
• Control activities include both manual and automated controls.
 Control activities generally fall into the following five types:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
….Control activities

1. Adequate separation of duties - Adequate internal control exists when the following duties are separated:
– Custody of assets from accounting
– Authorization of transactions from the custody of related assets
– Operational responsibility from record-keeping responsibility
– IT duties from user departments

2. Proper authorization of transactions and activities
– Every transaction must be properly authorized if controls are to be satisfactory.
(E.g., if any person in an organization could acquire or expend assets at will, complete chaos would result.)
– The distinction between authorization and approval is also important:
= authorization is about the decision on the policies & procedures, but
= approval is about implementation of the authorized policies & procedures.
….Control act…

3. Adequate documents and records
 The occurrence of transactions should be adequately documented. This means documents should be:
 Pre-numbered, to identify whether there are missing documents;
 Prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors;
 Designed for multiple use, when possible, to minimize the number of different forms (one form can be designed so that it provides much related information);
 Constructed in a manner that encourages correct preparation (e.g., a well-designed chart of accounts ensures accurate classification of accounts).
….Control act…

4. Physical control over assets and records
– To maintain adequate internal control, assets and records must be protected (if assets are left unprotected, they can be stolen).
– If records are not adequately protected, they can be stolen, damaged, altered, or lost, seriously disrupting the accounting process and business operations.
– When a company is highly computerized, its computer equipment, programs, and data files must be protected.
– The data files are the records of the company and, if damaged, could be costly or even impossible to reconstruct.
– The most important type of protective measure for safeguarding assets and records is the use of physical precautions (e.g., cash vaults).
….Control act….
Examples of physical safeguards include:
– Use of storerooms for inventory to guard against theft. When the storeroom is under the control of a competent employee, there is further assurance that theft is minimized.
– Use of fireproof safes and safety deposit vaults for the protection of assets such as currency and securities;
– Off-site backup of computer software and data files.
Management should (follow up):
– Secure and restrict access to equipment, cash, inventory, confidential information, etc. (essential to reduce the risk of loss or unauthorized use).
– Perform periodic physical inventories (to verify existence, quantities, location, condition, and utilization).
– Base the level of security on the riskiness of the items being secured, the likelihood of loss, and the potential impact should a loss occur.
 If such protections are adequate, the level of risk of misstatement of the financial statements will be minimized.
….Control act…
5. Independent checks on performance
• This is the careful and continuous review of the other four.
• Independent checks (internal verification) can be achieved
= through strict application of separation of duties (the least costly method);
or
= by having an internal audit department that performs independent reviews.
• What justifies the need for internal verification?
i) Internal controls tend to change over time unless there is frequent review.
ii) Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless, unless someone observes and evaluates their performance.
iii) Regardless of the quality of the controls, personnel can make errors or commit fraud.
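As an added example (not part of the original slides), the following Python script turns two of the control activities above into detective checks an auditor or security engineer can run over exported data: the separation-of-duties test for the four incompatible duty pairs listed under item 1, and the missing-document test that pre-numbering under item 3 makes possible. The duty register and check numbers are constructed sample data.

```python
"""Detective checks for two control activities from the slides:
adequate separation of duties (item 1) and pre-numbered documents (item 3).

Added illustration, not from the course material; the duty assignments and
check numbers below are constructed sample data, not from any real entity.
"""
from collections import Counter, defaultdict

# The four duty separations listed under item 1: one person holding both
# duties of a pair means the separation is inadequate.
INCOMPATIBLE_DUTIES = (
    ("custody_of_assets", "accounting"),
    ("authorization", "custody_of_assets"),
    ("operations", "record_keeping"),
    ("it_duties", "user_department"),
)


def sod_conflicts(assignments):
    """Return (person, duty_a, duty_b) for each incompatible pair one person holds.

    assignments: iterable of (person, duty) rows, as exported from an HR
    system or an access-control list. A person may appear many times.
    """
    duties_by_person = defaultdict(set)
    for person, duty in assignments:
        duties_by_person[person].add(duty)
    conflicts = []
    for person in sorted(duties_by_person):
        duties = duties_by_person[person]
        for first, second in INCOMPATIBLE_DUTIES:
            if first in duties and second in duties:
                conflicts.append((person, first, second))
    return conflicts


def document_sequence_check(numbers):
    """Return (gaps, duplicates) for a pre-numbered document series.

    Pre-numbering is only a control if someone accounts for the sequence:
    a gap may be an unrecorded or destroyed document, and a reused number
    defeats the control. Both need follow-up rather than automatic correction.
    """
    counts = Counter(numbers)
    if not counts:
        return [], []
    low, high = min(counts), max(counts)
    gaps = [n for n in range(low, high + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return gaps, duplicates


# Constructed sample data: a small entity's duty register and one month's
# issued check numbers.
SAMPLE_ASSIGNMENTS = [
    ("alemu", "custody_of_assets"),   # cashier holds the cash
    ("alemu", "accounting"),          # ...and also posts the cash journal
    ("bethel", "authorization"),      # approves disbursements
    ("bethel", "record_keeping"),     # not one of the four listed conflicts
    ("chala", "it_duties"),           # maintains the accounting software
    ("chala", "user_department"),     # ...and initiates transactions in it
    ("dawit", "operations"),
]
SAMPLE_CHECK_NUMBERS = [1001, 1002, 1003, 1005, 1006, 1006, 1009]


def run_checks(assignments=SAMPLE_ASSIGNMENTS, numbers=SAMPLE_CHECK_NUMBERS):
    """Run both checks and return a findings dict an auditor can follow up."""
    gaps, duplicates = document_sequence_check(numbers)
    return {
        "sod_conflicts": sod_conflicts(assignments),
        "missing_documents": gaps,
        "duplicate_documents": duplicates,
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Each finding is a lead for inquiry, not a conclusion: a gap in the check sequence may be a voided check, and a conflict may be offset by a compensating control elsewhere.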
….Control act…

 Control activities can be summarized as directive, preventive, detective and corrective controls:
Directive controls are designed to establish outcomes (e.g., laws, policies, procedures, manuals).
Preventive controls: these are measures that occur before a transaction or action is performed, to prevent a risk from occurring (e.g., training, pre-authorization, physical control over assets, system access control, etc.).
Detective controls: these are measures that occur after a transaction or action is performed, to detect misdeeds or something that has gone wrong (e.g., reviews and comparisons, reconciliations, physical count of inventories and post audits).
Corrective controls: these are controls designed to correct errors that have been discovered (controls that restore the system or process back to the state prior to a harmful event, e.g., restoring from a backup after it is known that someone has improperly altered the payment data on the computer).
….Control act…

 As a general rule, preventive controls are better than detective controls, but any good system of internal control should have a good mixture of both.
– It is not advisable to place excessive reliance on preventive controls alone and ignore detective controls, because once preventive controls are compromised there is no way of detecting the illegal act that has occurred.
 Controls can also be categorized as soft controls and hard controls:
– Soft controls include tone at the top, performance evaluations, and training programs
– Hard controls include segregation of duties, reviews and approvals, and reconciliations
4. Information system and Communication
 Adequate internal control requires an entity to maintain an information system:
 that allows the flow of information across the organization;
 that clearly communicates employees’ duties and responsibilities;
 that incorporates channels to report suspected improprieties and encourages employees’ suggestions for improvement;
 that provides relevant and reliable information;
 that provides timely, understandable and usable information to ensure accountability for the related assets (e.g., it requires an entity to maintain a proper accounting system).
 Effective information and communication systems enable the right people to get information on time to allow appropriate action (to conduct, manage, and control operations).
 An effective information and communication system reduces the risk of financial misstatements.
5. Monitoring the internal control
= ongoing or periodic assessment by management of the quality of internal control, to determine whether controls are operating as intended
– For many companies, especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls
 Internal control systems must be monitored
- to assess their effectiveness…
- to know if they are operating as intended.
 Ongoing monitoring is necessary to react dynamically to changing conditions…
 Have controls become outdated, redundant, or obsolete?
 The board, the audit committee, the risk assessment process and internal audit are key components of entity-level control
Indicators of good internal control
Include:
– Documented policies and procedures
– Physical safeguarding of assets
– Systems to track employees’ activities, systems to follow up problems and ensure resolution
– Existence of a code of conduct and job descriptions
– The BOD’s timely communication of the organization’s objectives, strategy and assignment of responsibilities
– Policies to hire, train, promote and compensate employees
– Positive atmosphere in the work environment
– Clear chain of command, adequate segregation of duties
– Approvals of transactions (setting different levels of approval for transactions)
 Effective internal control allows organizations to achieve their goals effectively and efficiently
Internal Controls Specific to Information
Technology

 Technology can strengthen a company’s system of internal control but can also provide challenges
– To address risks associated with reliance on technology, organizations often implement specific IT controls
 Auditing standards describe two categories of controls for IT systems:
– General controls
– Application controls
General Controls
 General controls are those that relate to all aspects of the IT function.
• They include controls related to the following six categories:
– Administration,
– Separation of IT duties,
– Systems development,
– Physical and on-line security,
– Backup and contingency planning, and
– Hardware controls.
….cont..
• Application controls relate to the
- processing of individual transactions, and
- software applications (they typically do not affect all IT functions).
 These controls may be manual or automated and include:
– Input controls
– Processing controls
– Output controls
COSO Internal control Objectives
• Operations objectives, such as performance
goals and securing the organization's assets
against fraud, focus on the effectiveness and
efficiency of your business operations.
• Reporting objectives, including both internal and
external financial reporting as well as non-financial
reporting, relate to transparency, timeliness and
reliability of the organization's reporting habits.
• Compliance objectives are internal control goals
based around adhering to laws and regulations
that the organization must comply with.
Process for Understanding Internal Control and
Assessing Control Risk
Auditors need to understand the design and implementation of controls that are relevant to the audit to identify and assess the risks of material misstatement.
There are four steps in this process:
Step 1: Obtain and Document Understanding of Internal Control
 Auditors commonly use three methods of documenting to obtain and document their understanding of the design of internal control:
– Narratives: written descriptions of controls; a narrative is a big story (rich, long)
– Flowcharts: diagrams giving an overview of the control system in symbols (pictures convey meaning; condensed)
- preferred on
– Internal control questionnaires: a series of yes/no questions, a list of questions you ask (anyone can use them; clients do not like them; not customized)
- Think of the planning phase: talk to the client and get information about the internal control environment
• Auditors use the following methods to evaluate whether the controls are implemented:
– System walkthrough (perform the process again)
– Make inquiries of client personnel
– Inspect documents and records
– Observe entity activities and operations
Step 2: Assess Control Risk-how it works
 Obtaining an understanding of the design and implementation of internal control helps the auditor to:
– Make a preliminary assessment of control risk
 Control risk is a measure of the auditor’s expectation that internal controls will prevent material misstatements from occurring, or detect and correct them if they have occurred
 How do auditors assess control risk?
a) Starting with the assessment of entity-level controls, which include:
– Control environment,
– Management override,
– Risk assessment process,
– Monitoring components (audit committee & internal audit), etc.
 By nature, entity-level controls have an overarching impact on most major types of transactions in each transaction cycle.
E.g.:
• An ineffective board of directors, or management’s failure to have any process to identify, assess, or manage key risks, has the potential to undermine controls for most of the transaction-related audit objectives.
• (Thus, auditors generally assess entity-level controls before assessing transaction-specific controls.)
..Step

b) Make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle (top-down approach)
– Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level
– The purpose:
= to provide a convenient way to organize the assessment of control risk for each audit objective
 Components of the control risk matrix include:
– Audit objectives (transaction-related)
– Key controls
– Association of controls with the related audit objectives
 Key controls (the five key controls: separation of duties, authorization, documentation, physical control, & independent review) are sufficient to achieve the transaction-related audit objectives.
..Step ..
 Auditors must evaluate whether key controls are absent in the
design and implementation of internal control over financial
reporting as a part of evaluating control risk and the likelihood
of financial statement misstatements
 Auditing standards define three levels of the absence of
internal controls:
– Level 1: Control deficiency
– Level 2: Significant deficiency
– Level 3: Material weakness
..cont …
Level 1: Control deficiency
 A control deficiency exists -if the design/operation of controls
does not permit company personnel to prevent or detect
misstatements on a timely basis in the normal course of
performing their assigned functions.
– A design deficiency exists if a necessary control is:
- missing, or
- not properly designed.
 An operation deficiency exists if:
- a well-designed control does not operate as designed, or
- the person performing the control is insufficiently qualified or authorized.
..cont ….

Level 2. Significant deficiency
 A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness (defined below) but need attention by those responsible for oversight of the company’s financial reporting.
Level 3. Material weakness
 A material weakness exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis
A five-step approach to identify deficiencies
 To identify deficiencies, significant deficiencies, and material weaknesses:
1st Identify existing controls
2nd Identify the absence of key controls
3rd Consider the possibility of compensating controls: a control elsewhere in the system that offsets the absence of a key control (e.g., an owner-manager).
4th Decide whether there is a significant deficiency or material weakness
5th Determine the potential misstatements that could result
 In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk.
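As an added example (not part of the original slides), the Python below builds the control risk matrix described in Step 2 and walks it through the five-step approach above: existing controls are associated with transaction-related audit objectives, absent key controls are listed per objective, compensating controls are looked up, and the potential misstatement is attached. The objectives, controls and expected key-control mapping are constructed sample data for one cash-disbursements cycle; the step 4 severity decision is left to auditor judgment rather than computed.

```python
"""Control risk matrix for one transaction cycle, walked through the
five-step approach for identifying deficiencies.

Added illustration, not from the course material; the objectives, controls
and their mapping are constructed sample data for a cash-disbursements cycle.
Step 4 (significant deficiency vs material weakness) stays auditor judgment
and is not decided by code.
"""
from dataclasses import dataclass

# The five key control types named in the slides.
KEY_CONTROL_TYPES = (
    "separation_of_duties", "authorization", "documentation",
    "physical_control", "independent_review",
)


@dataclass(frozen=True)
class Control:
    name: str
    control_type: str           # one of KEY_CONTROL_TYPES
    objectives: tuple           # transaction-related audit objectives it addresses
    compensating: bool = False  # a control elsewhere that offsets an absent key control


@dataclass
class Finding:
    objective: str
    absent_key_controls: list
    compensating_controls: list
    potential_misstatement: str


# Constructed: which key control types the auditor expects for each
# transaction-related audit objective in this cycle.
EXPECTED_KEY_CONTROLS = {
    "occurrence": {"authorization", "physical_control", "separation_of_duties"},
    "completeness": {"documentation", "independent_review"},
    "accuracy": {"documentation", "independent_review"},
}

# Constructed: step 5 input, the misstatement each unmet objective could produce.
POTENTIAL_MISSTATEMENTS = {
    "occurrence": "fictitious or unauthorized disbursements recorded",
    "completeness": "disbursements made but not recorded",
    "accuracy": "disbursements recorded at the wrong amount",
}

# Step 1: existing controls, each associated with the objectives it supports.
SAMPLE_CONTROLS = [
    Control("checks signed only by the treasurer", "authorization", ("occurrence",)),
    Control("pre-numbered checks accounted for monthly", "documentation", ("completeness",)),
    Control("unsigned check stock kept in a locked safe", "physical_control", ("occurrence",)),
    Control("owner-manager reviews the bank reconciliation", "independent_review",
            ("occurrence", "completeness"), compensating=True),
]


def build_matrix(controls):
    """Control risk matrix: objective -> set of key control types present."""
    matrix = {objective: set() for objective in EXPECTED_KEY_CONTROLS}
    for control in controls:
        if control.compensating or control.control_type not in KEY_CONTROL_TYPES:
            continue
        for objective in control.objectives:
            matrix[objective].add(control.control_type)
    return matrix


def identify_deficiencies(controls):
    """Steps 2, 3 and 5: absent key controls, compensating controls, misstatements."""
    matrix = build_matrix(controls)
    findings = []
    for objective, expected in EXPECTED_KEY_CONTROLS.items():
        absent = sorted(expected - matrix[objective])
        if not absent:
            continue
        compensating = [c.name for c in controls
                        if c.compensating and objective in c.objectives]
        findings.append(Finding(objective, absent, compensating,
                                POTENTIAL_MISSTATEMENTS[objective]))
    return findings


def needing_severity_judgment(findings):
    """Step 4 input: objectives whose absent key controls are not compensated."""
    return [f.objective for f in findings if not f.compensating_controls]


if __name__ == "__main__":
    results = identify_deficiencies(SAMPLE_CONTROLS)
    for f in results:
        print(f"{f.objective}: missing {f.absent_key_controls}; "
              f"compensated by {f.compensating_controls or 'nothing'}; "
              f"could cause: {f.potential_misstatement}")
    print("uncompensated, needs severity judgment:", needing_severity_judgment(results))
```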
Step 3: Design, perform and evaluate Tests of
Controls
• Tests of controls are procedures to test the effectiveness of controls, which support a reduction in the assessed control risk.
• (The auditor checks whether the internal controls can be relied on; if the internal controls do not work, the auditor goes to substantive tests: tests of financial statement ratios, comparisons to budget, or tests of details such as confirmations, vouching and tracing of documents and journals.)
• If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same control risk as the preliminary assessment
 The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls:
i. Make inquiries of appropriate client personnel
ii. Examine documents, records, and reports
iii. Observe control-related activities
…Step …
 There is a significant overlap (similarity) between
- tests of controls and
- procedures to obtain an understanding
– Both include inquiry, inspection, and observation
 There are two primary differences in the application of these common procedures, in the areas of:
 Application of procedures: tests of controls are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding
 Sample size and timing: procedures to obtain an understanding are performed only on one or a few transactions
Step 4: Decide Planned Detection Risk and Substantive Tests
– The auditor uses -control risk assessment and results
of tests of controls to determine planned detection
risk and the related substantive tests for the
financial statement audit.
– The auditor links the inherent risk assessments to
the balance-related audit objectives.
– Control risk is generally set at high for smaller public
companies and nonpublic companies as they face
challenge in implementing effective internal
control due to inadequate separation of duty.
Communicating Internal Control Related Matters
 An auditor can issue one of three types of opinion on the effectiveness of internal control over financial reporting:
Unqualified: when no material weakness is found
Disclaimer of opinion: when the audit team cannot perform all of the procedures considered necessary
Adverse opinion: when one or more material weaknesses are found
Communications to Those Charged With Governance & Management Letter
 The auditor must communicate:
 significant deficiencies and
 material weaknesses
in writing to those charged with governance as soon as the auditor becomes aware of their existence.
 The communication is usually addressed to:
- the audit committee and
- management.
 Timely communication may provide management an opportunity to address control deficiencies before management’s report on internal control must be issued.
– In some instances, deficiencies can be corrected sufficiently early that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date.
– Regardless, these communications must be made no later than 60 days
Management Letter

• Auditors often identify less significant internal-control-related issues, as well as opportunities for the client to make operational improvements (positive points to write to the client).
– These issues should also be communicated to the client.
– The form of communication is often a separate letter for that purpose, called a management letter.
– Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.
END OF CHAPTER FIVE