TANZANIA INSTITUTE OF ACCOUNTANCY

DAR ES SALAAM CAMPUS

DIPLOMA IN ACCOUNTANCY II- DA. II/DPSAF II
ACT. 06208 : PRINCIPLES OF INTERNAL AUDIT AND CONTROL SYSTEM
2. Internal Control System
2.1. Internal Control and Internal Check
2.1.1. Internal Control
Internal control has been defined as the whole system of controls, financial and
otherwise, established by the management in order to carry on the business of the
company in an orderly, manner, safeguard its assets and secure as far as possible
the accuracy and reliability of its records. ( a simple definition)
OR
Internal control is the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations and
compliance with applicable laws and regulations.
2.1.1.1. Types of Internal Controls
Various types of controls which the company can adopt can be classified as
follows:

a) Voluntary and Mandatory Controls

b) Financial and Non – financial Controls
c) Manual and Computerised Controls
d) Administrative and Accounting Controls
e) Discretionary and Non – discretionary Controls
f) General and Application Controls
g) Preventive, Detective and Corrective Controls
a) Voluntary and Mandatory controls
 Voluntary Controls
These are controls which are not enforceable by law
 Mandatory Controls
These are controls which are enforceable by law
b) Financial and Non – financial Controls
 Financial Controls
These are controls which lead to safeguarding the assets of the
company and maintaining and providing proper and reliable
financial information. For example, financial records on sales,
purchases, expenses and purchase of non – current assets
 Non – financial Controls
These are controls which deal with areas which are not directly
reported in the financial statements. For example organization
structure, strategic policies, policies and procedures for various
activities of the company such as the company’s HR policy.

1
c) Manual and Computerised Controls
 Manual Controls
These are controls which are monitored manually. For example a
manual system of monitoring sales orders( recorded in a register)

 Computerised Controls
These are controls which are programmed to prevent, detect and
correct errors. For example, inbuilt controls (software use by
authorized personnel only, transactions cannot be cancelled etc.)
d) Administrative and Accounting Controls
 Administrative Controls
These are controls established to accomplish the objectives of the
company. For example establishing and appropriate organization
structure
 Accounting Controls
These are controls which lead to accurate and reliable financial
statements. For example transactions supported by appropriate
documentation and recorded properly
e) Discretionary and Non – discretionary Controls
 Discretionary Controls
These controls which are based on judgment i.e based on
discretion. For example not making purchases from vendors who
have a bad reputation in the market
 Non - discretionary Controls
These are controls which are automatically generated by the
compter system. These controls can not be evaded. For example,
access to software by authorized persons only.
f) General and application Controls
IT controls are grouped under two categories:
 General Controls
These are controls over the environment in which the
computer functions. They enable the continued proper operation
of information systems by ensuring the effective functioning of
application controls.Some of these controls are as follows:
- System need to be used for authorized purposes
only.( A system of password access to the system
ensures that data is not misused or corrupted
- Authorised programs need to be used. Programs
used should be authorized by the IT department and
ratified by the Management
 Application Controls
- These are controls which relate to the processing of
individual applications. Applications are the
computer programs and processes, that will enable
the organization to conduct its essential activities
- Application controls help to ensure;; that transactions
are authorized, complete and accurately recorded.
g) Preventive, Detective and Corrective Controls
 Preventive Controls
This type of control is aimed at preventing any errors or
Irregularities from occurring which may have negative effects on
the institution
 Detective

2
 Detective controls are designed to find out and discover the
different errors or irregularities which may have occurred and
thus, can affect the institution's ability to achieve its objectives.
 Corrective 
Corrective controls work to try and fix the problem which may
have arisen.
2.1.1.2.Characteristics of Good Internal Control System
 There should be a well developed plan of organization with delegation of
proper responsibilities at various levels of operational hierarchy.
 These should be a well developed system of record procedures with a view
to maintain reasonable control over assets, liabilities, revenues and
expenses.
 There should be managerial supervision and reviews of the company's
financial operation and positions at regular intervals
2.1.1.3.Divisions of Internal Control
Depending upon the nature of business and the environment in which it works, the
main divisions of an overall internal control system are:
 General Financial Control
This control includes a proper efficient system of accounting,
adequate supervision, recording, good efficient staff and the
maintenance of healthy relationships amongst the staff.
 Cash Control
The system includes certain important aspects of control for receipts,
payments and balances held.
 Employee Remuneration
The system must cover all sections of employee remuneration and
maintenance of records for remuneration, their preparation and
methods of payment should be brought under tight control.
 Trading Transactions
These refer to the purchases, sales etc. So in respect of these
transactions, effective procedure should be laid down for acquisitions,
handling and accounting of goods purchased or sold.
 Non - Current Assets
  Capital expenditure on non- current assets should be kept under strict
check and supervision.
 Inventory Maintenance
Inventory of raw materials, work-in-progress and finished goods
should be properly maintained and accounted for.
2.1.2. Internal Check
Internal check is a method of organising the accounts system of a business concern
or a factory where the duties of different clerks are arranged in such a way that
the work of one person is automatically checked by another and thus the
possibility of fraud, or error or irregularity is minimised unless there is
collusion between the clerks. For example, the receipt of cash is entered by the
cashier on the debit side of the cash book; this entry is carried to the ledger by
another clerk; the statement of account relating to this transaction is sent to
the customer by a third clerk and so on. Thus the same transaction has passed
through three different hands and the work of one is checked automatically by
the other. It is a kind of division of labour. This minimises the possibilities of
frauds and errors unless all the three join hands in defrauding their employer.
2.2. Components of Internal Control
i) The Control Environment

3
 ii) The Entity’s risk assessment process
iii) The information system
iv) Control Activities
v) Monitoring of Controls
i) The Control Environment
It includes the governance and management concerning the entity’s internal
control and its importance in the entity
ii) The Entity’s risk assessment process
It is the entity’s process for identifying business risks relevant to financial
reporting objectives and deciding about actions to address those risks, and
results thereof
iii) The Information System
It consists of hardware components, software, people, procedures and
data
iv) Control Activities
The policies and the procedures which help to endure that the
management directives are followed.
v) Monitoring of Controls
A process to assess the effectiveness of internal control performance
over time. It includes assessing the design and operation of controls on
a timely basis and taking necessary corrective actions for changes in
conditions
2.3. Objectives of Internal Control System
An internal control system comprises the whole network of systems established in an
organisation to provide reasonable assurance that organisational objectives will be
achieved. 
i) Authorization
To ensure that all transactions are approved by responsible personnel in
accordance with specific or general authority before the transaction is
recorded
ii) Validity
The objective is to ensure that all recorded transactions fairly represent the
economic events that actually occurred, are lawful in nature, and have
been executed in accordance with management's general authorization.
iii) To safeguard the assets of the business. Assets include tangibles and
intangibles, and controls are necessary to ensure they are optimally utilised
and protected from misuse, fraud, misappropriation or theft.
iv) Segregation of Duties
To ensure that duties are assigned to individuals in a manner that ensures
that no one individual can control both the recording function and the
procedures relative to processing the transaction
v) Error Handling
To ensure that errors detected at any stage of processing receive prompt
corrective action and are reported to the appropriate level of management
vi) To prevent and detect fraud. Controls are necessary to show up any
operational or financial disagreements that might be the result of theft or
fraud
vii) To ensure the completeness and accuracy of accounting records. Ensuring
that all accounting transactions are fully and accurately recorded, that assets
and liabilities are correctly identified and valued, and that all costs and
revenues can be fully accounted for.
viii)To ensure the timely preparation of financial information which applies to
statutory reporting

4
2.4. Internal Controls in Computerized Accounting
2.4.1. Introduction.
In recent years, there has been development in the use of computers as a means of
keeping the accounting records and producing financial information.This trend has
brought about significant changes in the way the organisations process, store data,
and disseminate information. Hence a significant effect on internal control
systems employed by the entity.
2.4.2. Computerised environment
This includes the following:
 Hardware (i.e. CPU, monitor, printers, zip drive, scanners
 Software (Operating systems, database, application software etc.
 The transmission media (i.e. wires, optical fiber cables and microwave links)
 Network devices (i.e. modems, gateways etc)
2.4.3. Risk aspect to consider in Computer Systems
 Hardware-The computer may be stolen or damaged
 Unauthorized access-possibility for unauthorized users to obtain information
held on file.
 System breakdown-there may be a loss of data for example if there is power
failure.
 Corrupt files.
2.4.4. Internal controls in ICT Environment.
They are classified into:
 General Control
 Application Control
2.4.4.1. General controls.
Controls over general environment in which the system is developed,
maintained and operated. They include:
 Complete review, testing and approval of the system and programs before
they become fully operational.
 Competence of staff to implement the system
 Authorization of any changes in the system by responsible official.
 Segregation of duties so that different staffs perform the duties of system
development, programming and data entry.
 Access control- only authorized personnel should have access of
hardware, programs and data files.
 Stand by facilities for use in case of a temporary computer failure
 Back-up facilities to avoid loss of data.
2.4.4.2. Application controls classified into:
These are Controls within a computer to ensure- completeness, accuracy of
input, processing and validity of the resulting accounting entries. They can
be done for specific areas of the system for example, control over sales, payroll,
control over inventory and etc.
a) Input controls
b) Processing controls
c) Output controls.
a) Input controls
The main aim of input controls is to reduce errors in the data entered in
the system for processing. Input controls include checking and ensuring
that:

5
  Input data are authorized by the appropriate official.
 Data represent valid record of actual transaction
 Correctly classified for the purpose of accounting.
Input control-examples
- Sequence checks.
Transactions that are serially numbered should be in
sequence and checked by the programs
- Batch control
Group together the sum of either sales invoice, purchase
invoice or whatever, then their totals should be obtained
manually then compare with computer own generated
totals. Any difference means an error to be traced and
corrected.
- Digits check
Ascertaining the validity of number digit.
- Reasonableness checks
Input data should be checked to ensure data items are within
pre-defined limits.For example on a payroll system, overtime
hours recorded per day should fall within a certain range,
let say 2hrs-8hrs.
b) Processing controls
There are divided into mechanical and programmed controls.
Programmed control is done during the system development to
ensure that only data related to a particular transaction is processed
and not otherwise.
c) Output Controls
Controls relating to input and processing itself with the final objective of
ensuring that the output:
 Relates precisely to the original input.
 Represents the outcome of a valid and tested program of
instructions. (eg, digit check, reasonableness checks)
 Output reports are only accessed by the authorized personnel.
 Output reports checked by someone as to their
reasonableness.
2.5. Internal Control Questionnaires (ICQs)/Internal Control Evaluation
Questionnaires and Internal Control Tests
2.5.1. Internal Control Questionnaires(ICQs)
These are used to check whether a particular control exists or not to detect or
prevent and correcting a material misstatement (or simply misstatement) at an
assertion level. In simple words ICQs are used to appraise the design of the internal
control system. And if a certain control is not present, which in auditor’s opinion was
necessary, then it represents a deficiency in the internal control system.
ICQs are developed by the auditor usually after assessing the risk of material
misstatement through understanding entity and its environment. Keeping the level of
risk of material misstatement in mind, he thinks of controls which should exist in the
internal control system which is ideal to cater such level of risk.
2.5.2. Internal Control Evaluation Questionnaires (ICEQs)
These are used to check whether a certain existing control is operating effectively
or not to detect or prevent and correct a material misstatement (or simply
misstatement) at an assertion level. In simple words ICEQs are used to appraise
the operating effectiveness of the internal control system. And if a certain control is

6
 operating effectively up to the standards, which in the opinion of auditor was necessary,
then it represents a deficiency in the internal control system.
ICEQs are developed by the auditor usually after assessing the risk of material
misstatement through understanding entity, its environment and internal control
system. Keeping the level of risk and the internal control system, he evaluates the
internal control system whether the system is working as it was intended to be.
2.5.3. Internal Control Tests
Are tests conducted by auditors to gather audit evidence to test the operating
effectiveness of controls in preventing, or detecting and correcting, material
misstatements at the assertion level.
Test of Controls are performed by a combination of various methods, namely:
i) Observation
ii) Enquiry
iii) Inspection
iv) Re – calculation
v) Re – performance
vi) Confirmation
vii) Analytical Procedures

i) Observation
The auditor observes the different procedures of an entity
ii) Enquiry
The auditor consults the purchase manager about the method of
making capital expenditure
iii) Inspection
The auditor checks for the signature of the person responsible for
authorization on the purchase order to ensure that the purchase order
is authorized
iv) Re – calculation
The auditor re – calculates the different amounts (e.g. the sales
amount on the sales invoice)
v) Re – performance
The auditor carries out a physical verification of inventory
vi) Confirmation
The auditor gets a confirmation of balance from the accounts
receivables
vii) Analytical Procedures
The auditor computes and analyses the profitability ratios of the client
2.6. Management Responsibility to Internal Control System
In summary, management is responsible for:
 Internal controls is an inherent part of a manager’s responsibility, not a new
or additional function.
 Assuring that internal controls are supportive of and consistent with the
operating mandate and philosophy of the institution
 Developing goals and objectives that are consistent with those established
by the institution
2.7. Features of Effective Internal Control System
i) Adequate and Competent Personnel
Personnel must be competent to carry out the work entrusted to them
ii) Separation of Duties
The internal control system is effective if the following functions are separated
- Initiation and authorization of transactions
- The custody of the assets involved

7
 - The documentation and recording of the transactions
iii) Establishment of Responsibilities
Prepare manuals with clear definition of scope and areas of
responsibilities. This helps in fixing the responsibility in case of occurrence
of error or fraud
iv) Acknowledgment of all work done
Persons performing operations should acknowledge their activities by
means of signatures ( e.g invoice checked by….)
v) Physical Protection of Property and Records
These include safes, locked cash registers and secure premises. Their use is
not only in safeguarding assets physically but also in securing reliable
records
vi) Review of Work done
Regular review of work of subordinates by supervisors ensure efficiency and
improvement
2.8. Limitations of Internal Controls
No matter how well internal controls are designed, they can only provide reasonable
assurance that objectives have been achieved.  Some limitations are inherent in all
internal control systems.  These include:
i) Judgment
The effectiveness of controls will be limited by decisions made with human
judgment under pressures to conduct business based on the information at
hand.
ii) Breakdowns
Even well designed internal controls can break down.  Employees sometimes
misunderstand instructions or simply make mistakes.  Errors may also
result from new technology and the complexity of computerized information
systems.
iii) Management Override
 High level personnel may be able to override prescribed policies and
procedures for personal gain or advantage. 
iv) Collusion
 Control systems can be circumvented by employee collusion. 
Individuals acting collectively can alter financial data or other management
information in a manner that cannot be identified by control systems.