Chapter 5 Audit


Internal Control

1. The importance of Internal Control

1.1 The auditor’s assessment of internal controls:

The auditor assesses risk at both the financial statement level and the assertion level.

The response at the assertion level involves the auditor selecting audit procedures that are appropriate to that assessment. The risk of material misstatement has two components:

a. Inherent risk

b. Control risk

1.2 The meaning of Internal Control

Internal control is a process. It is a means to an end, not an end in itself. Internal control is
affected by people. It’s not merely policy manuals and forms, but people at every level of an
organization. It is also dynamic, operating every day within an entity’s operating structure, which
evolves as the entity and its environment constantly change. Internal control can be expected to
provide only reasonable assurance, not absolute assurance. Internal control is geared to the
achievement of objectives in one or more separate but overlapping categories. Internal Audit’s
responsibilities include internal controls over strategy and operating effectiveness and regulatory
compliance, as well as reliability of financial reporting.

Internal control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide a reasonable level of assurance regarding the achievement of objectives in the following three categories:

- effectiveness and efficiency of operations,
- reliability of financial reporting,
- compliance with relevant and applicable laws and regulations.

Internal controls are part of the internal control system. Internal control is designed to achieve
management objectives in three categories. In the financial reporting category, the management
objectives are related to producing reliable financial reports and safeguarding assets. In the
operations category, some examples of management objectives are maintaining a good business
reputation, ensuring a positive return on investment, increasing market share, promoting new
product innovation, and using assets effectively and efficiently. In the compliance category, the
broad management objective is to comply with laws and regulations that affect the entity.
External auditors are primarily concerned with the financial reporting category.

Some controls related to operations and compliance can also be relevant to the external audit. For
example, controls over the completeness and accuracy of key nonfinancial information such as
scrap reports can be relevant if the audit team uses such information in completing their
analytical procedures or to provide evidence about the valuation assertion for inventory.
Compliance controls related to laws and regulations directly affecting the financial statements
(e.g., income taxes) are also relevant to the external audit.

1.3 How the auditor uses internal controls

- The internal control audit is conducted along with the financial statement audit as part of an overall integrated audit process. In essence, the public accounting firm employs one integrated audit process that culminates in the issuance of two opinions: one on the entity’s financial statements and one on the effectiveness of the entity’s internal control over financial reporting. Under the ‘systems based approach’ the auditor relies on the accounting systems and the related controls to ensure that transactions are properly recorded.

a) If the systems and internal controls are adequate, the transactions should be processed correctly.

From the perspective of the financial accounts, materiality is an important criterion: the question is whether adequate controls exist for those accounts that are relevant to the financial statements. Internal controls normally relate to clear control objectives in order to cover the corresponding risks and ensure that the business processes are compliant overall. The aim is to ensure that all values entered in the financial accounts have been duly confirmed by controls based on clearly described business processes, and that these controls cover, or at least reduce, the business risks involved.

b) The audit emphasis is on the systems processing the transactions rather than on the transactions themselves.

- Understanding of what these systems and controls are;

Internal auditors' responsibilities typically include ensuring the adequacy of the system of internal control, the reliability of data, and the efficient use of the organization's resources. Internal auditors identify control problems and develop solutions for improving and strengthening internal controls. Internal auditors are concerned with the entire range of an organization's internal controls, including operational, financial, and compliance controls.

- And how to carry out an evaluation of the effectiveness of the controls.

The audit team should evaluate whether the client has implemented control activities that are specifically designed to address each fraud risk identified during the planning stage. These might include control activities designed to address risks of fraud to specific financial statement accounts or, more generally, control activities designed to promote a culture of honest and ethical behavior. For example, the audit team should evaluate the controls related to the use of period-end journal entries, which have been used in the past to commit frauds at companies. Internal control will also be evaluated by the external auditors. External auditors assess the effectiveness of internal control within an organization to plan the financial statement audit. In contrast to internal auditors, external auditors focus primarily on controls that affect financial reporting. External auditors have a responsibility to report internal control weaknesses (as well as reportable conditions about internal control) to the audit committee of the board of directors.

The auditors evaluate the effectiveness of the internal control structure of a business organization and determine whether the business policies and activities are followed properly. The communication network helps an effective internal control structure in execution, and all officers and employees are part of this communication network.

The degree of reliance on the system depends upon the effectiveness of the internal control system; therefore, the auditor should review and evaluate the internal control system of an organization to prepare his audit program. The auditor should try to reach a judgment about how strong (or weak) the internal controls are, in order to make a decision about the amount of testing that should be carried out in the audit.

- The degree of effectiveness of an internal control system will depend on the following two factors:

a) Design of the internal control system

- Is the control system able to prevent material misstatement?

The final reason for evaluating an entity’s internal control is to assess the risk of material misstatement (RMM) for each relevant assertion. The assessment of RMM at the assertion level is completed for all financial statement audits in order to give the audit team a basis for planning the audit and determining the nature, timing, and extent of further audit procedures to be conducted for the financial statement audit.

- Is it able to detect and correct material misstatements if they occur?

The audit team assesses control risk to determine RMM for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM. In that case the audit team would likely use substantive tests of details designed to obtain the highest quality of external evidence (nature) at or near the entity’s fiscal year-end (timing) with large sample sizes (extent). On the other hand, an audit team’s assessment of control risk as low implies that the controls are effective at preventing or detecting material misstatement and could possibly be relied upon by the audit team. In this situation, the audit team might be able to use tests of details or a less time-consuming substantive analytical review to obtain external evidence (nature) at an interim date before the entity’s fiscal year-end (timing) with much smaller sample sizes (extent). Of course, an audit team might assess control risk as moderate (between low and high) and adjust the substantive procedures accordingly in order to obtain enough evidence to mitigate the risk of material misstatement to a low level for the relevant assertion being tested.

b) The outcome will help the auditor to assess control risk.

RMM is composed of inherent risk and control risk. Inherent risk is the susceptibility of an account to misstatement. Control risk is the probability that an entity’s controls will fail to prevent or detect material misstatements due to errors or frauds that would otherwise have entered the system. The audit team assesses control risk to determine RMM for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM. Most audit teams express their control risk assessment decision with descriptive terminology (e.g., high, moderate, low), which recognizes the imprecise nature of evaluating risk. An audit team’s assessment of control risk as high implies that the controls are not effective at preventing or detecting material misstatements and could not be relied upon by the audit team.

Summary of the audit approach:

Tests of controls or substantive tests?

a) Test the underlying internal control systems themselves, using tests of controls

b) Perform some tests on the transactions and balances in the financial statements.

- Tests on transactions and balances are referred to as substantive procedures.

- Where the system of control is weak, the auditor will have to carry out extensive substantive procedures; this approach is called the transaction-based approach.

The audit team assesses control risk to determine RMM for each relevant assertion identified in the audit plan. The higher the assessment of control risk, the higher the assessment of RMM. In this situation, the audit team would more likely use substantive tests of details designed to obtain the highest quality of external evidence (nature) at or near the entity’s fiscal year-end (timing) with large sample sizes (extent).

- When the internal controls are strong, the auditor will carry out tests of controls and needs a smaller amount of substantive procedures; this approach is called the systems based approach.

An audit team’s assessment of control risk as low implies that the controls are effective at preventing or detecting material misstatement and could possibly be relied upon by the audit team. In this situation, the audit team might be able to use tests of details or a less time-consuming substantive analytical review to obtain external evidence (nature) at an interim date before the entity’s fiscal year-end (timing) with much smaller sample sizes (extent).
2. The elements of Internal Control

2.1 The five elements of the internal control system

Internal Control System Requirements

- The Internal Control framework is a non-binding recommendation for establishing an internal control system.
- Visually, the model is presented in the form of the COSO cube to illustrate the overlapping relationships between the objectives, components and levels of the organization.

A concept that provides a non-binding, generally applicable framework to support companies in establishing, using, monitoring, and assessing their internal control systems could be used to do an internal audit. It specifies a standard definition of an internal control system, thus ensuring that financial reports are comparable and of high quality.

The framework of an internal control system has three key objectives:

- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.

Internal Audit also pursues these objectives as part of the internal monitoring system. An internal control system is shaped by the characteristics of different internal control components, which are necessary to achieve the above key objectives.

The components are:

1. The control environment

2. The entity’s risk assessment process

3. The information system

4. Control activities (Internal Controls)

5. Monitoring of Controls

The five components should not operate independently of each other. Instead, they should be considered as working in an interrelated manner to support the internal control system’s overall effectiveness.

- ISA 315 requires the auditor to:

  - Gain an understanding of each of these elements as part of his evaluation of the control systems
  - Document the relevant features of the control systems together with his evaluation of their effectiveness

- The auditor should confirm that his understanding is correct by performing ‘walk-through’ tests on each major transaction type.

- Walk-through testing involves the auditor selecting a small sample of transactions and applying the procedure to them in order to test whether his understanding of the process is correct.

2.2 The control environment

- The ‘control environment’ is often regarded as the general ‘attitude’ to internal control of management and employees in the organization. The control environment sets the tone of the organization. It is the foundation for all other components of internal control. It provides discipline and structure to all participants and stakeholders. Control environment factors include the integrity, ethical values, and competence of the entity’s people.

- The control environment includes the following elements:

- Communication and enforcement of integrity and ethical values

Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting. These include essential elements which influence the effectiveness of the design, administration and monitoring of controls.

The proper functioning of any system depends on the honesty of those operating it. The personal characteristics of the personnel involved are important features in establishing and maintaining a system of internal control.

- Commitment to competence

The company retains individuals who are competent in financial reporting and related oversight roles. Management's consideration of the competence levels for particular jobs, and how those levels translate into requisite skills and knowledge, is considered. The proper functioning of any system depends on the competence of those operating it. The qualifications, selection and training of the personnel involved are important features in establishing and maintaining a system of internal control.

- Participation of management

Management is responsible for devising and maintaining the system of internal control. In carrying out its supervisory responsibility, management should review the adequacy of internal control on a regular basis to ensure that all significant controls are operating effectively. When an entity has an internal audit department, management may delegate to it some of its supervisory functions, especially with respect to the review of internal control. This particular internal audit function constitutes a separate component of internal control undertaken by specially assigned staff within the entity with the objective of determining whether other internal controls are well designed and properly operated.

The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control. The effectiveness of the control environment is influenced heavily by a company’s management team and is strongly and unquestionably related to the tone set by top management. The key is for management to be deliberate in trying to influence the attitudes toward internal controls throughout the organization by setting the proper example for the organization to follow. Those charged with governance are independent from management. The experience and stature of those charged with governance, the extent of their involvement in and scrutiny of activities, and the appropriateness of their actions and their interaction with internal and external auditors are all considered.

- Management’s philosophy and operating style

Management’s philosophy and operating style support achieving effective internal control over financial reporting. Effective internal control over financial reporting is managed through:

  - The approach taken to manage business risks
  - Attitudes and actions of management’s philosophy and operating style adopted towards financial reporting
  - Attitudes of management’s philosophy and operating style adopted towards information processing and accounting functions and personnel

- Organizational structure

The company’s organizational structure supports effective internal control over financial reporting. The organizational structure is the framework within which an entity's activities for achieving its objectives are planned, executed, controlled and reviewed.

The organizational structure of an entity serves as a framework, as far as practicable, to preclude an individual from overriding the control system and should provide for the segregation of incompatible functions. Functions are incompatible if their combination may permit the commitment and concealment of fraud or error. Functions that typically are segregated are access to assets, authorization, execution of transactions, and record keeping.
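The segregation described above is something an auditor (or a security engineer reviewing access rights) can test mechanically: take the list of functions each person holds through their system roles and flag anyone who combines two of the four functions named in the notes. The script below is an added example and is not part of the original notes; the incompatible pairs are built from exactly those four functions (access to assets, authorization, execution of transactions, record keeping), and the user assignments and the "approved exception" are constructed sample data. The exception mechanism reflects the notes' qualifier "as far as practicable": a small entity that cannot fully segregate documents a compensating control instead, and the check then reports only the un-mitigated combinations.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed role assignment.

Added example, not from the original notes. The incompatible-function pairs
are built from the four functions the notes say are typically segregated:
access to assets, authorization, execution of transactions and record keeping.
The user/function data and the compensating-control exception are constructed.
"""
from itertools import combinations

SEGREGATED_FUNCTIONS = ("access_to_assets", "authorization", "execution", "record_keeping")

# Assumption: any two of these four functions held by one person are treated as
# incompatible, since the combination may permit commission and concealment of
# fraud or error. Functions outside this tuple are ignored by the check.
INCOMPATIBLE_PAIRS = {frozenset(pair) for pair in combinations(SEGREGATED_FUNCTIONS, 2)}

# Constructed sample: user -> functions granted through their system roles.
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob":   {"execution", "record_keeping"},                     # one conflict
    "carol": {"access_to_assets", "report_viewer"},               # report_viewer is not segregated
    "dave":  {"authorization", "execution", "access_to_assets"},  # three conflicts
}

# Constructed: a documented exception where the entity cannot fully segregate
# and relies on a compensating control (e.g. independent monthly review) instead.
APPROVED_EXCEPTIONS = {("bob", frozenset({"execution", "record_keeping"}))}


def find_sod_conflicts(assignments, approved_exceptions=frozenset()):
    """Return sorted (user, function_a, function_b) triples for each incompatible
    pair a single user holds, omitting pairs covered by an approved exception."""
    conflicts = []
    for user, funcs in assignments.items():
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset((a, b))
            if pair in INCOMPATIBLE_PAIRS and (user, pair) not in approved_exceptions:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def users_with_conflicts(assignments, approved_exceptions=frozenset()):
    """Distinct users that still hold an un-mitigated incompatible combination."""
    return sorted({user for user, _, _ in find_sod_conflicts(assignments, approved_exceptions)})


if __name__ == "__main__":
    for conflict in find_sod_conflicts(ASSIGNMENTS):
        print("conflict:", *conflict)
    print("still unmitigated after exceptions:", users_with_conflicts(ASSIGNMENTS, APPROVED_EXCEPTIONS))
```

In practice the `ASSIGNMENTS` mapping would be exported from the access-control system and the exception list from the control register, so that the same check can be re-run each period as part of monitoring.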

- Assignment of authority and responsibility

Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting. How authority and responsibility for operating activities are assigned, and how reporting relationships and authorization hierarchies are established, need to be considered as an element of the control environment.

- Human resource policies and practices

Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting. Recruitment, orientation, training, evaluating, counselling, promoting, compensation and remedial actions are examples of human resource policies that need to be considered while making an effective and efficient control environment.

The auditor shall assess whether these elements of the control environment have been implemented using a combination of enquiries of management and observation and inspection.

- A strong control environment is one where management shows a high level of commitment to establishing and operating appropriate controls.

- Without a strong control environment, the control system as a whole is likely to be weak.

The control environment has a “pervasive” effect on the reliability of financial reporting because the control environment impacts all other components of an organization’s internal control system. Because the control environment sets the overall foundation for internal control, professional auditing standards require an auditor to obtain an understanding of the control environment on all engagements. The results emphasize the importance of both the tone at the top and the functioning of its board of directors and the audit committee of that board to the control environment.

Evaluating the Internal Environment:

The internal environment is established through:

- Management participation in the control process, including participation by the board of directors;
- Management’s commitment to a control culture;
- The existence of an appropriate organization structure with clear divisions of authority and responsibility;
- An organization culture that expects ethically acceptable behavior from its managers and employees; and
- Appropriate human resources policies, covering recruitment, training, development and motivation, which reflect a commitment to quality and competence in the organization.
2.3 The entity’s risk assessment process

- Significant business risks are any events or omissions that may prevent the entity from achieving its objectives.

The entity faces business risk. Business risks are factors, events, and conditions that can prevent the organization from achieving its business objectives, including effective financial reporting. Management must first clearly articulate its objectives in order to identify and assess the risk of the company failing to meet them. These range from overall strategy to specific entity- and activity-level objectives.

Management should take steps to identify risks, estimate their significance and likelihood, and consider how to manage the risks. By setting management objectives, management can identify critical success factors and institute policies and procedures to ensure that they are met.

- Identifying risks: recognizing the existence of risks

In completing their work, the audit team members seek to understand whether management is specifying financial reporting objectives with sufficient clarity and criteria to enable the identification of risks of material misstatement in financial reporting, in particular due to fraud.

It needs to be identified in which department the risk lies. The risk can be in any department: for example, poor advertising in the marketing department, operational risk, cash flow volatility in purchasing, poor logistics in supply chain management, risk in the finance department, or the HR department hiring unqualified employees and reducing the efficiency of the business. Potential problems could be identified by reviewing goals and objectives. Potential problem areas could be determined by looking at:

- areas that receive complaints or have had problems in the past,
- areas that have undergone recent changes in staff or structure,
- complex activities.

Event identification is the identification of conditions and events that could adversely affect management’s objectives. For example, problems for retail stores could include supplier problems, poor weather conditions that affect the trucks supplying the stores, and information system breakdowns; these are just several of the events that could adversely affect a retailer’s ability to keep its stores’ shelves stocked.

- Assessing risks

Assessing risk means deciding whether the risks are significant. An audit client’s risk assessment process should relate to all its objectives. The professional standards require the auditor to specifically gain an understanding of the process as it relates to financial reporting risks, including fraud risk. When gaining such an understanding, the auditor should determine whether management is actually assessing the likelihood of fraud risks and how they are managing such risks.

Risks are assessed in terms of impact. The significance of a risk is determined in amounts, i.e. at the level of the loss involved. The risk that causes the most damage to the business is identified. Determine the severity of risks by asking both: Where do we face the greatest possible harm? What types of losses are most likely to occur? A moderate loss that is likely to occur presents as much danger as a more serious loss that is less likely to occur. Use this evaluation to prioritize your efforts.

Risks are assessed in terms of likelihood, that is, the chance of the risk occurring. Likelihood is multiplied by significance to identify the risk that causes the most damage or expense for the company.

- Managing risks:

Once a risk is identified, the audit team also would like to see that management has a basis for determining how to manage the identified risks. Managing risk means developing and implementing controls and other measures to deal with those risks.

The information system is used to reduce risk. A written narrative or flow chart could be used to explain how the problem is supposed to be handled by describing each activity or transaction within the cycle. The following could be described in the narrative:

- Who is performing each step?
- What is involved in the step?
- Any resulting documentation, for example, reports

Review the information available in policy and procedure manuals to find ways to reduce risk. Written materials such as organizational charts, job descriptions, reviews, checklists, department records, and reports could also be used to review the methods of reducing the problem. Supplementing written sources through conversations with and observations of appropriate staff could help in providing a suggestion to reduce risk. The problem is identified and reduced. Finally, communicate the process to be sure every action to reduce risk is understood.

If the entity has established such a process, the auditor shall obtain an understanding of it. If there is no such process, the auditor shall discuss with management whether relevant business risks have been identified and how they have been addressed.

- Risk can arise or change due to circumstances such as:

- Changes in the entity’s operating environment.

Industry developments may pose a risk. For example, a potential related business risk might be that the company does not have the personnel or expertise to deal with the changes in the industry. Changes in the nature of the entity's business also matter, for example in its products and services, the complexity of its capital structure, the significance of related parties, and the number of locations and geographical spread of its production facilities.

- New personnel

Risk increases during a time of change, for example, turnover in personnel. The quality of personnel should be commensurate with their responsibilities and duties. If it is not, a risk is imposed on the business. New personnel may need to be considered while answering the following questions:

  - Is the client centralized or decentralized?
  - Who makes the decisions?
  - Are senior managers familiar with accounting and reporting requirements?
  - Do they value the importance of good controls?
  - Are any officers, employees, or shareholders involved in related-party transactions?

- New or revamped information systems

Communication is very important for achieving management goals. Employees need to realize what is expected of them and how their responsibilities relate to the activities of others. If the information system is new or revamped, there may be a risk of difficulty in communication inside and outside the business.

- Rapid growth

A business may have a problem coping with a changing and developing world. For example, the company may have a rigid top management that does not want to develop itself with the changing world. This may cause problems in attracting business and expanding.

- New technology

The world is a developing and changing place, and new technologies keep being introduced. Businesses that do not adopt new technologies may have difficulty competing with their competitors. They may face losses, and customers of the business may move to a competitor because of the competitor’s ability to adapt to the changing world.

- New business models, products or activities

New products and services: for example, a potential related business risk might be that the new product or service will not be successful.

- Corporate restructurings

This may include expansion of the business or a change in corporate structure. For example, the corporate structure may become centralized instead of decentralized. Risk may be involved in making the staff adapt to the change.

- Expanded foreign operations

Does the company operate internationally? Do subsidiaries operate in diverse industries? Expansion of the business into a foreign country may pose a risk to the business. For example, a potential related business risk might be that the demand in the foreign country for the company’s products or services has not been accurately estimated.

- New accounting pronouncements

The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements, may pose a risk. Financing requirements may also pose a risk. For example, a potential related business risk might be the loss of financing due to the company’s inability to meet financing requirements.

2.4The information system


Every enterprise must capture pertinent information related to both internal and external
events and activities in both financial and non-financial forms. The information must be
identified by management as relevant and then communicated to people who need it in a
form and time frame that allows them to do their jobs.
The information relevant to financial reporting is recorded in the accounting system and is
subjected to procedures that initiate, record, process, and report entity transactions. The
quality of information generated by the system affects management’s ability to make
appropriate decisions in controlling the entity’s activities and preparing reliable financial
reports.
All personnel must receive a clear message from top management that control responsibilities
must be taken seriously. Employees must understand their own role in the internal control
system, as well as how individual activities relate to the work of others, and how to report
significant information to senior management. There also needs to be effective
communication with external parties such as customers, suppliers, and regulators.

 An information system consists of infrastructure, software, people, procedures and


data.

The information system relevant to financial reporting is a component of internal control


that includes the financial reporting system, and consists of the procedures and records
established to initiate, record, process and report entity transactions as well as events and
conditions and to maintain accountability for the related assets, liabilities and equity.

An organization uses an array of information. The information systems used by


companies include the accounting system; production system; budget information;
personnel system; systems software; applications software for word-processing,
calculating, presentations, communications, and databases; and all the records and files
generated by this software such as customer and vendor records. The information system
also includes information about external events, activities, and conditions necessary to
make informed business decisions and comply with external reporting

 ISA 315 requires an auditor to gain an understanding of the business information


systems.

 This aspects of the auditor’s work will involve identifying and understanding the
following:

 The entity’s principal business transactions;

The classes of transactions in the entity's operations that are significant to the
financial statements are considered.

 How these transactions and other events relevant to the financial reporting
process are ‘captured’ by the entity;
Communication also involves expectations, responsibilities of individuals and
groups, and other important matters. Specific duties must be made clear, and
people need to know how their activities relate to the work of others. People also
need to know what behavior is expected. The auditor shall obtain an
understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting. Controls
surrounding journal entries, including non-standard journal entries used to record
nonrecurring, unusual transactions or adjustments are considered.

 The processing methods, both manual and computerized, applied to those transactions;

The procedures, within both IT and manual systems, by which those transactions
are initiated, recorded, processed, corrected, transferred to the general ledger and
reported in the financial statements are considered.

 The accounting records used, both manual and computerized, to support the
figures appearing in the financial statements;

The related accounting records, supporting information and specific accounts in
the financial statements in respect of initiating, recording, processing and
reporting transactions are considered. The account balances are summarized in
internal management reports and external financial statements. The internal
reports are management’s feedback for monitoring operations. The audit trail
begins with the source documents (purchase orders, sales orders, etc.) and
proceeds through to the financial reports.

 The processes used in the preparation of the financial statements.

The financial reporting process used to prepare the entity's financial statements,
including significant accounting estimates and disclosures, is considered. The
external reports are the financial information for outside investors, creditors, and
others. Auditors often follow the audit trail from source documents forward and
backward, identifying and testing relevant control activities along the way. They
follow it backward from the financial reports to the source documents to
determine whether everything in the financial reports is supported by appropriate
source documents (the occurrence assertion). They follow it forward from source
documents to reports to determine whether everything that happened (i.e.,
transactions) was recorded in the accounts and reported in the financial statements
(the completeness assertion).

2.5 Control Activities

Once risks to management’s objectives have been identified, internal control activities need to be
established to eliminate, mitigate, or compensate for the risks. Control activities are specific
actions a client’s management and employees take to help ensure that management’s directives
are carried out.

The professional standards require the audit team members to document their understanding of
the internal control system, which includes their understanding of whether management has
implemented control activities that are sufficient to address the risks of material misstatement for
each relevant assertion.

The audit team members begin the process by considering what they learned about the internal
control activities as they were gaining an understanding of the other components of the internal
control system, in particular the control environment and risk assessment. The next step in the
process requires the audit team members to document their understanding of the extent to which
each of the client’s control activities has been designed to support a relevant financial statement
assertion by mitigating a risk of material misstatement. If their assessment is positive, the audit
team might want to consider testing the control activity in the hopes of relying on it to reduce
substantive testing for the relevant assertion that was supported.

 Policies and other procedures included in the control environment are used to ensure
that the entity’s objectives are achieved. Have the policies related to reliable financial
reporting been documented and communicated throughout the company?

Control procedures may be divided into two elements: a policy establishing what should
be done and procedures to effect that policy. A policy, for example, might be that a
securities dealer retail branch manager must monitor customer trades. The control
procedure is a review of a computer printout of daily trade activities by the customer,
performed in a timely manner and with attention given to the nature and volume of
securities traded. Control procedures implement the control policies by specific routine
tasks, performed at particular times by designated people, held accountable by adequate
supervision and evidence of performance.

Control Activities are used:

 To prevent errors that may arise in processing information, or

 To detect and correct errors that may arise in processing information.

Financial reporting control activities are imposed on the accounting system for the purpose of
preventing, detecting, and correcting errors and frauds that could enter and flow through to the
financial statements.

 Preventive controls are designed to stop errors or anomalies from occurring. Preventive
controls are procedures that prevent misstatements before they occur. They include
hiring competent people, limiting access, requiring approval, separating duties, etc.
Preventive controls are preferable to detective controls.

They ensure:

 Adequate segregation of duties

 Proper authorization of transactions

 Adequate documentation and control of assets

 Detective controls are designed to find errors or irregularities after they have occurred.
Detective controls are procedures that detect misstatements after they occur.

In some sense, all control activities can be thought of as preventive controls because the
possibility of being caught by a detective control might prevent someone from committing an
error or a fraud.

 Exception reports are computerized reports to identify unexpected results or unusual
conditions that require follow-up.

 Reconciliation occurs when an employee relates different sets of data to one another,
identifies and investigates differences, and takes corrective action when necessary.

 Periodic audits: Both internal audit and independent external audit are done to detect
error, irregularities and non-compliance with laws and regulations.

 Corrective Controls are designed to prevent errors and irregularities from recurring once
they are discovered. For example:

 Policies and procedures for reporting errors and irregularities so they can be
corrected

 Training employees on new policies and procedures.

 Positive discipline to prevent employees from making future errors.

 Continuous improvement processes to adopt the latest operational techniques.

Categories of control activities (internal controls):

The categories of control activities given are:

 Performance reviews: These include reviews and analyses of actual performance against
budgets, forecasts and prior period performance, most done by management as
Management Control.

Performance reviews are independent checks on performance by a third party not directly
involved in the activity. Sometimes called internal verification, these reviews include
reviews of actual performance versus budgets; surprise checks of procedures; periodic
comparisons of accounting records and physical assets; and a review of functional or
activity performance.

Management has primary responsibility for ensuring that the organization’s objectives are
being met. Performance reviews require management’s active participation in the
supervision of operations. Management’s study of budget variances with follow-up action
is an example of a performance review. Management that performs frequent performance
reviews has more opportunities to detect errors in the records than management that does
not. The frequency, of course, is governed by the costs and benefits.

A routine comparison of accounting records and physical assets is a bank reconciliation
performed by a person independent of the accounting records and handling of cash. A
review of functional or activity performance would be a bank’s consumer loan manager’s
review of reports by branch, region, and loan type for loan.

 Information processing: A variety of controls are used to check the accuracy,
completeness and authorization of transactions. Information processing control activities
are essential to the effectiveness of an internal control system. Generally, all organizations
employ computerized information processing on a routine basis. When entities use
computerized information processing, the professional standards make clear that
information technology (IT) poses specific risks to an entity’s internal control system. The
management should be aware that the use of computerized information processing
requires entities to implement specific control activities to enable it to support the relevant
financial statement assertions.

 Information processing control procedures are primarily of two types:

 Application controls

Application controls are controls that apply to applications that initiate,
record, process, and report transactions (such as MS Office, SAP,
QuickBooks), rather than the computer system in general. Examples of
application controls are edit checks of input data, numerical sequence
checks, and manual follow-up of exception reports. In manual systems
application controls may be referred to as adequate document and record
controls.

 General IT controls
General controls are policies and procedures that relate to many
applications and support the effective functioning of application controls by
helping to ensure the continued proper operation of information systems.
Some examples of general controls are controls over data center and
network operations, controls over system software acquisition, controls
over access to the computer software (password controls), change and
maintenance controls, access security, and application system acquisition
and development controls. A good example of a general control in
accounting software is an error message if there is a problem in using the
operating system (e.g. “Please insert a CD-ROM in Drive D”). In manual
systems, general controls are controls over proper authorization of
transactions and activities.

 Physical Controls: These include controls over the physical security of assets and records
to prevent unauthorized use, theft or damage.

Physical controls are procedures to ensure the physical security of assets. Assets and
records that are not adequately protected can be stolen, damaged, or lost. In highly
computerized companies damaged data files could be costly or even impossible to replace.
For these reasons only individuals who are properly authorized should be allowed access
to the company’s assets.

Direct physical access to assets may be controlled through physical precautions, for
example: storerooms guard inventory against pilferage; locks, fences and guards protect
other assets such as equipment; and fireproof safes and safety deposit vaults protect assets
such as currency and securities.

Physical access to assets and important records, documents, and blank forms should be
limited to authorized personnel. Assets such as inventory and securities should not be
available to persons who have no need to handle them. Likewise, access to records should
be denied to people who do not have a record-keeping responsibility for them. Some blank
forms are very important for accounting and control, and their availability should be
restricted. For example, someone not involved in accounting for payroll should not be able
to pick up blank time cards. Only authorized persons should be able to obtain blank
checks after signing for them. Sometimes access to blank forms is the equivalent of access
to an important asset. For example, someone who has access to blank checks has a
measure of actual custody and access to cash.

 Segregation of duties: This control involves assigning different people the
responsibilities of authorizing or recording the transactions and maintaining the custody of
assets. It reduces the opportunity for one person both to carry out and to conceal errors or
frauds.

Risk of material misstatement, control activity and test of the control activity:

Risk of material misstatement: Sales revenue is recorded when the goods had not been shipped to
the customers.
Control activity: All sales invoices are matched to shipping documents before recording them in
the general ledger.
Test of control activity: For a sample of sales revenue entries in the general ledger, vouch to the
proper shipping document.

Risk of material misstatement: Goods will be shipped to a new customer that is unable to pay for
the goods.
Control activity: The credit department performs a detailed credit check for all new customers.
Test of control activity: For a sample of new customers, examine documentation that indicates a
proper credit check was performed.

Risk of material misstatement: Goods will be shipped to a customer, and the revenue is not
recorded.
Control activity: All shipping documents are matched to sales invoices that have been recorded in
the general ledger.
Test of control activity: For a sample of shipping documents, trace the amount shipped to a sales
invoice recorded in the general ledger.

Examples of control activities (example, category and explanation):

 Approval and control of documents (Authorization): Transactions should be approved by an
appropriate person. For example, overtime should be approved by departmental managers.

 Controls over computerised applications (Information processing): The boards have developed
an IT tool for analyzing and evaluating the internal controls, which is intended to support
compliance with the requirements of the applicable financial framework reporting system.
General IT controls are policies and procedures that relate to many different applications.

 Checking the arithmetical accuracy of records (Information processing): For example,
checking to see if individual invoices have been added up correctly.

 Maintaining and reviewing control accounts and trial balances (Performance review): Control
accounts bring together transactions in individual ledgers. Trial balances bring together
transactions for the organization as a whole. Preparing these can highlight unusual
transactions or accounts.

 Reconciliations (Information processing): Reconciliations involve comparison of a specific
balance in the accounting records with what another source says the balance should be; for
example, a bank reconciliation. Differences between the two figures should only be
reconciling items (resulting from eg timing differences).

 Comparing the results of cash, security and inventory counts with accounting records
(Performance review): For example, in a physical count of petty cash, the balance shown in
the cash book should be the same as the amount held.

 Comparing internal data with external sources of information (Performance review): For
example, comparing records of goods despatched to customers with customers'
acknowledgement of goods that have been received.

 Limiting physical access to assets and records (Physical control): Only authorised personnel
should have access to certain assets (particularly valuable or portable ones), eg ensuring that
the inventory stores are locked unless store personnel are there.

 Segregation of duties (Segregation of duties): Assigning different people the responsibility
of authorising transactions, recording transactions and maintaining custody of assets.

Example

One part of the sales system at Dolally operates as set out below:

 Orders are received by telephone. On receipt of an order a clerk enters the details into the
system.
 The system checks that the goods are available and, if so, a despatch note is produced
and e-mailed to the distribution centre.
 Distribution centre staff pack the goods and despatch them with two copies of the
despatch note.
 On receipt of the goods the customer signs the despatch notes and one copy is returned
to the accounts department at Dolally.
 The accounts department flag up the despatch note on the system to indicate that the
goods have been delivered and the system automatically produces an invoice and e-mails
it to the customer.
 An exception report of un-invoiced despatch notes is produced weekly.

Required

Set out an example of each of the above five types of control activities set out in ISA 315 as
they might operate in Dolally’s system.
 Performance reviews: Management should compare budgeted sales to actual sales on a
monthly basis (provided that the budgets are reliable, this would detect where significant
sales had not been recorded).
 Information processing – application: Manual follow up of the exception report of un-
invoiced despatch notes.
 Information processing – general IT: Controls over the development and testing of the
sales system to ensure it will lead to accurate processing (such as documentation and
testing of any changes to programs).
 Physical controls: access controls over the sales price master files such as access only
being possible via a high-level password, known only to senior employees (such as the
sales director) (as invoices are produced automatically by the system it is important that
the integrity of this file is maintained).
 Segregation of duties: Different employees should be responsible for taking and inputting
orders, despatching goods and flagging up the despatch note.
 Tutorial note: There are a number of other possible examples besides those set out
above.

2.6 Internal controls in IT systems:

General controls and application controls

When the client uses IT, the auditor considers whether the client has taken full advantage of
significant advances in information technology by using entirely automated control activities
wherever this is efficient and effective.

 General IT controls

The boards have developed an IT tool for analyzing and evaluating the internal controls,
which is intended to support compliance with the requirements of the applicable financial
framework reporting system. General IT controls are policies and procedures that relate
to many different applications.

General IT controls assure that access to the computer system is limited to people who
have a right to the information. Appropriate delegation of authority sets limits on what
levels of risk are acceptable and these limits determine the discretion of the employees
delegated to authorize the main types of business transactions. Authorization may be
general or specific. Examples of general limits set by policy are product price lists,
inventory reorder points, and customer credit limits. Specific authorization may be made
on a case-by-case basis such as authorization of reduction in the price of a dress with
buttons missing in a retail-clothing store.

 General IT controls support the effective functioning of Application Controls.

 If General IT controls are weak, it is unlikely that the processing undertaken by the
system will be complete and accurate.

 The auditor will therefore firstly review and test the general IT controls, in order to reach
a conclusion on their effectiveness.

 If control risk is assessed as low then he will move on and test application controls,
to decide if he can rely on specific systems and reduce his substantive testing.

 The auditor would expect a computer-based information system to have:

 Controls over the development of new computer information systems and applications.
 Controls over the documentation and testing of changes to programs
 The prevention or detection of unauthorized changes to programs
 Controls to prevent the use of incorrect data files or programs
 Controls to prevent unauthorized amendments to data files
 Controls to ensure that there will be continuity in computer operations.

 Application Controls

Application controls apply to the processing of individual transactions. There are several
standard application controls. The chart of accounts is an important application control
because it provides the framework for determining the information presented in
financial statements and budgets. The most widely applicable control device is the use of
serial numbers on documents and input transactions. Serial numbers provide control over
the number of documents issued. Checks, tickets, sales invoices, purchase orders, stock
certificates, and many other business papers use this control. Documents should be
recorded immediately because long periods between transaction and recording increase
the chance of misstatement. Systems manuals for computer accounting software should
provide sufficient information to make the accounting functions clear.

 Authorization controls ensure that all significant transactions are authorized at an
appropriate level. Authentication verifies your identity, and authentication enables
authorization: an authorization control dictates what your identity is allowed to do.
Authorization controls ensure that only necessary transactions, based on the entity’s
objectives, are undertaken. They prevent unnecessary and fraudulent transactions.

Examples of authorization control include organizational chart, accounting procedures
manual, chart of accounts, conflict of interest policy, signatures on checks limited to that
of president, etc.

Example where authorization control is applied: Any customer of a bank can create and
use an identity (e.g., a user name) to log into that bank's online service but the bank's
authorization control must ensure that only you are authorized to access your individual
account online once your identity is verified.

 Arithmetic controls check the arithmetic accuracy of records. For example,
checking invoices from suppliers, to make sure that the amount payable has been
calculated properly.

 Accounting controls involve maintaining and reviewing accounts and trial balances. These
are provided within accounting procedures to ensure the accuracy or completeness of
records.

Accounting controls ensure that all authorized transactions are entered in the accounting
records, that they are properly entered, and that they are not deleted or amended without
proper authorization.

Examples include entries in journals then ledgers, posting reference in journals, rotation
of accounting personnel, listing of mail receipts, cash register tapes, reconciliation of
bank statements, etc. Example of accounting control includes using control account
reconciliations to check the accuracy of trade receivables or trade payables.

 IT controls such as edit checks of input data.

Existence checks that will only allow data to be input for valid account codes. This is
useful in a sales or purchases system.

 Numerical sequence checks

Sequence checks will highlight gaps in data both within and between batches.

 Manual follow-up of exception reports.

For example, specific inventory controls are different from internal controls over payroll.
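As an added example (not from the original notes) that serves both the Dolally answer above and the application controls just listed, the following Python implements an existence check on customer account codes, a numerical sequence check over despatch note numbers, and the weekly exception report of un-invoiced despatch notes for manual follow-up. The record layout, customer codes, dates and despatch notes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class DespatchNote:
    number: int                 # serial number printed on the despatch note
    customer_code: str          # account code the clerk keyed in with the order
    despatched: date            # date the distribution centre sent the goods
    delivered: bool             # True once accounts flag the signed copy as returned
    invoice_no: Optional[str]   # filled in by the system when the note is flagged


# Constructed sample data (hypothetical): valid customer codes and one week's notes.
VALID_CUSTOMERS = {"C001", "C002", "C003"}
RUN_DATE = date(2024, 3, 8)   # date the weekly exception report is produced
NOTES = [
    DespatchNote(1001, "C001", date(2024, 3, 1), True, "INV-501"),
    DespatchNote(1002, "C002", date(2024, 3, 1), True, None),       # flagged, never invoiced
    DespatchNote(1004, "C003", date(2024, 3, 2), True, "INV-502"),  # number 1003 is missing
    DespatchNote(1004, "C001", date(2024, 3, 3), False, None),      # duplicate serial number
    DespatchNote(1005, "C999", date(2024, 2, 20), False, None),     # unknown customer, stale
]


def existence_check(notes: List[DespatchNote], valid_customers: Set[str]) -> List[int]:
    """Edit check at input: note numbers whose customer code is not a valid account."""
    return [n.number for n in notes if n.customer_code not in valid_customers]


def sequence_check(notes: List[DespatchNote]) -> Tuple[List[int], List[int]]:
    """Numerical sequence check: (missing serial numbers, duplicated serial numbers)."""
    numbers = [n.number for n in notes]
    present = set(numbers)
    missing = [x for x in range(min(numbers), max(numbers) + 1) if x not in present]
    duplicates = sorted({x for x in numbers if numbers.count(x) > 1})
    return missing, duplicates


def uninvoiced_report(notes: List[DespatchNote], run_date: date,
                      max_days: int = 7) -> List[Tuple[int, str]]:
    """Weekly exception report for manual follow-up.

    Two conditions are listed: a note flagged as delivered that the system did
    not invoice, and a note despatched more than max_days ago that has still not
    been flagged (the signed copy may be lost, so the revenue would never be
    recorded: the completeness assertion).
    """
    exceptions = []
    for n in notes:
        if n.delivered and n.invoice_no is None:
            exceptions.append((n.number, "delivered but not invoiced"))
        elif not n.delivered and (run_date - n.despatched).days > max_days:
            exceptions.append((n.number, f"not flagged within {max_days} days"))
    return exceptions


if __name__ == "__main__":
    print("invalid customer codes on notes:", existence_check(NOTES, VALID_CUSTOMERS))
    print("missing / duplicated numbers:", sequence_check(NOTES))
    for number, reason in uninvoiced_report(NOTES, RUN_DATE):
        print(f"follow up despatch note {number}: {reason}")
```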

Segregation of duties

Segregation of duties seeks to prevent persons with access to readily realizable assets from being
able to adjust the records that record and thereby control those assets. This means dividing the
work to be done between two or more individuals. Segregation implies a number of people being
involved in the accounting process.

Purpose: Work done by one individual acts as a check on the work of the other, reducing the risk of
error or fraud. Duties are divided, or segregated, among different people to reduce the risks of
error or inappropriate actions. For instance, responsibilities for authorizing transactions,
recording them, and handling the related assets (called custody of assets) are divided.

It is more difficult for a person to commit fraud, because a colleague may identify suspicious
transactions by a colleague who is trying to commit a fraud. This makes it more difficult for
fraudulent transactions to be processed since a number of people would have to collude in the
fraud. It is also more difficult for accidental errors to be processed since the more people are
involved, the more checking there can be.

Example: Segregation of duties

Segregation of duties is an essential element of control. Let us use the example of wages.
Authorization is required for hiring of staff and is a function of the personnel department. The
receipt of paychecks and issuance of them to the employees is handled by work supervisors. The
accounting department handles the recording of the time records and the payroll in the payroll
journals.

The purchasing of inventory involves several different tasks. Someone has to initiate a purchase
requisition for a new supply of inventory. Someone has to place a purchase order with a supplier.
Someone has to check that the items are delivered by the supplier. Someone has to record the
amount payable in the accounting system, and someone has to make the payment at the
appropriate time.

Control risks include the risks that inventory will be ordered when it is not needed, that the
supplier will not deliver any inventory or will deliver the incorrect quantity, or that the supplier
will be paid too much or will be paid for items that he has not delivered.

A segregation of duties can help to reduce these risks:

Transaction stage and responsibility:

Initiation – Replenishment of inventory item is required: Warehouse staff/stores staff.

Purchase order – Item ordered: Purchasing officer. The purchasing officer is able to check the
material requisition from the stores staff.

Custody – Item received: Goods inwards officer. The items actually delivered are checked
physically and counted. This is a check that items have actually been delivered in good
condition, as stated in the supplier’s delivery note.

Recording – Invoice received, checked and processed: Accounts clerk. The invoice from the
supplier is checked against the delivery note and the original purchase order. The amount
payable is recorded in the accounts system.

Payment – Invoice is paid: Cashier. The amount payable to the supplier is eventually paid by a
different person in the accounts department.

Additional controls will also be applied. Segregation of duties entails three fundamental
functions that must be separated and adequately supervised:
1 Authorization is the delegation of initiation of transactions and obligations on the company’s
behalf. For example, there should be authorization controls, and both the placing of a purchase
order with the supplier and the payment to the supplier should be authorized at an appropriate
level of management.

2 Custody is physical control over assets or records.

3 Recording is the creation of documentary evidence of a transaction and its entry into the
accounting records.
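An added example (not part of the original notes): a detective check over the purchasing stages in the table above that flags any transaction in which one person performed stages belonging to two of the three functions (authorization, custody, recording), plus the preventive form of the same check applied when system roles are granted. The stage-to-function mapping, the people and the transactions are constructed assumptions.

```python
from typing import Dict, List, Set

# Which of the three fundamental functions each purchasing stage belongs to
# (assumed mapping, following the table above).
FUNCTION_OF_STAGE = {
    "initiation": "authorization",      # stores staff raise the requisition
    "purchase_order": "authorization",  # purchasing officer commits the company
    "goods_received": "custody",        # goods inwards officer handles the items
    "invoice_recorded": "recording",    # accounts clerk enters the liability
    "payment": "custody",               # the cashier has custody of cash
}

# Constructed sample transactions (hypothetical): stage -> person who performed it.
TRANSACTIONS = {
    "PO-1001": {"initiation": "stores.ali", "purchase_order": "buyer.ben",
                "goods_received": "inwards.cara", "invoice_recorded": "clerk.dee",
                "payment": "cashier.eve"},
    "PO-1002": {"initiation": "stores.ali", "purchase_order": "buyer.ben",
                "goods_received": "inwards.cara", "invoice_recorded": "clerk.dee",
                "payment": "buyer.ben"},          # ordered and paid by the same person
    "PO-1003": {"initiation": "stores.ali", "purchase_order": "buyer.ben",
                "goods_received": "clerk.dee", "invoice_recorded": "clerk.dee",
                "payment": "cashier.eve"},        # received and recorded by the same person
}


def sod_conflicts(transaction: Dict[str, str]) -> Dict[str, List[str]]:
    """Detective check on one transaction.

    Returns {person: sorted functions} for anyone who performed stages from two
    or more of the authorization / custody / recording functions. Two stages in
    the same function (e.g. initiation and purchase order) are not a conflict here.
    """
    functions_by_person: Dict[str, Set[str]] = {}
    for stage, person in transaction.items():
        functions_by_person.setdefault(person, set()).add(FUNCTION_OF_STAGE[stage])
    return {p: sorted(f) for p, f in functions_by_person.items() if len(f) > 1}


def review(transactions: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Run the check over a batch and keep only the transactions needing follow-up."""
    findings = {}
    for tid, tx in transactions.items():
        conflicts = sod_conflicts(tx)
        if conflicts:
            findings[tid] = conflicts
    return findings


def role_conflicts(role_assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Preventive form of the same check, applied when system roles are granted,
    before any transaction exists. role_assignments: person -> stages they may perform."""
    out = {}
    for person, stages in role_assignments.items():
        functions = {FUNCTION_OF_STAGE[s] for s in stages}
        if len(functions) > 1:
            out[person] = sorted(functions)
    return out


if __name__ == "__main__":
    for tid, conflicts in review(TRANSACTIONS).items():
        print(tid, conflicts)
    print(role_conflicts({"buyer.ben": {"purchase_order", "payment"},
                          "stores.ali": {"initiation"}}))
```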

2.7 Logical access control

Physical security of computer equipment and restricting access to the organization’s data and
computer application files are also important in achieving effective internal control. Logical
access controls are tools and procedures used for identification, authentication, authorization and
accountability in computer information systems. Access controls help prevent the improper use
or manipulation of data files, unauthorized use of computer programs, and improper use of the
computer equipment.

 Logical access controls can be embedded in operating systems, applications, add-on
security packages or database or telecommunication management systems. Locked
doors, security passes, passwords, and check-in logs can be used to limit access to the
computer system hardware. A very important general control is back-up and recovery
procedures, as anyone who has had a system go down without current records being
adequately backed up will tell you.

 Logical access controls depend on the in-built security facilities. Physical controls
such as locks on the doors to the computer room and locked cabinets for software and
back-up tapes protect the tangible components of a computer system.

 Additional access control can be gained through the appropriate use of proprietary
security programs. Access controls are general or application controls such as
passwords that allow only authorized people admittance to the computer software on line.
Unique login identifiers and authenticated passwords can be used.
One way to detect inappropriate computer usage is by specifying a planned schedule for
running large-scale computerized applications. A schedule can help detect unauthorized
access because most software can produce usage reports that can be compared to the
planned schedule. Applications that are being run at unauthorized times can then be
investigated for inappropriate use of computer resources.
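An added example (not from the original notes) of the schedule comparison described above: a constructed usage report is parsed and each run is compared with a planned schedule, listing jobs that ran on an unscheduled day, outside their window, or that are not on the schedule at all. The report line format, job names, users and schedule are assumptions.

```python
import re
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Planned schedule (constructed): job -> (allowed weekdays with Monday = 0,
# earliest permitted start time, latest permitted start time).
SCHEDULE: Dict[str, Tuple[Set[int], time, time]] = {
    "PAYROLL": ({4}, time(1, 0), time(3, 0)),                  # Fridays, 01:00-03:00
    "GL_CLOSE": ({0, 1, 2, 3, 4}, time(22, 0), time(23, 59)),  # weeknights after 22:00
}

# Constructed usage report, in the line format this example assumes the
# software produces: "<date> <time> <job> started by <user>".
USAGE_REPORT = """\
2024-03-08 01:30 PAYROLL started by batch
2024-03-09 14:12 PAYROLL started by jsmith
2024-03-11 22:05 GL_CLOSE started by batch
2024-03-10 22:30 GL_CLOSE started by batch
2024-03-11 12:00 GL_CLOSE started by batch
2024-03-11 09:00 ADHOC_EXPORT started by jsmith
scheduler restarted
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) started by (\S+)$")


def unscheduled_runs(report: str, schedule: Dict[str, Tuple[Set[int], time, time]]
                     ) -> List[Tuple[str, str]]:
    """Compare each usage record with the planned schedule.

    Returns (record, reason) pairs for the runs that need to be investigated.
    A record that cannot be parsed is reported too: a monitoring control that
    silently skips lines could be evaded by malformed input.
    """
    findings = []
    for line in report.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            findings.append((line, "unparseable usage record"))
            continue
        started = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M")
        job = match.group(2)
        if job not in schedule:
            findings.append((line, "job not on planned schedule"))
            continue
        weekdays, earliest, latest = schedule[job]
        if started.weekday() not in weekdays:
            findings.append((line, "run on an unscheduled day"))
        elif not earliest <= started.time() <= latest:
            findings.append((line, "run outside scheduled window"))
    return findings


if __name__ == "__main__":
    for record, reason in unscheduled_runs(USAGE_REPORT, SCHEDULE):
        print(f"{reason}: {record}")
```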

2.8 Controls over data transmission

 These controls help to ensure that data is transmitted intact and securely, without fear of a
breach of confidentiality. They include:

 Program controls that ensure data is transmitted in the correct format.

 Firewalls to prevent intrusion

 Restricting access to source data

 Only using secured Wi-Fi with password protection

 Using check sums and check digits

 Data encryption

 Data encryption: use of an algorithm for information transfer.

 Data can be encrypted in one of two states:

 At rest – for example in a database or on a flash memory stick

 In transit – when data flows across a network

2.9 System Logs

 A log file is a file that records events taking place in the execution of a system.

 For generation of an audit trail to understand the activity and to diagnose problems.

 For understanding the activities of complex systems

 For analyzing a system’s performance

 Where there is little user interaction.

2.10 Control Weaknesses and the exam

 Control environment: if management show little concern for risks and controls, it is
probable that the entire system of internal controls will be weak and ineffective.

 A lack of checks and controls: suitable controls simply do not exist.

 Segregation of duties: discussed previously

 Physical controls: to protect the physical security of assets and records.

 Personnel: weaknesses in the personnel who perform particular tasks.

 Management and Organization Structure: A lack of supervision may be a control
weakness, and lines of responsibility and reporting may not be clear.

 IT controls: Weakness in both general and specific application controls.

 Computational work and risk of computational error: weakness in procedures for
making and checking calculations, e.g. service charges to customers.

 Lack of internal audit: weakness in internal audit department.

2.11 Monitoring of Controls

 Monitoring and reviews of operations on a timely basis by management.

Monitoring of controls is a process to assess the effectiveness of internal control
performance over time. It includes assessing the design and operation of controls on a
timely basis and taking necessary corrective actions, modified for changes in conditions.
A review of the internal control system can be carried out by a process of study,
examination and evaluation of the control system installed by the management.

Categorization of Controls

For exam purposes there is often a focus on controls that can be tested directly. Most, but not all
of these fall under the heading of control activities and a useful categorisation for exam purposes
might be as follows:
 Segregation of duties: segregating those with access to records and those with
access to assets to prevent fraudulent collusion;
 Physical controls: limiting access to assets and records to prevent
misappropriation;
 Arithmetical and accounting controls: including computerised and manual
controls over the completeness and accuracy of records (input to systems,
processing and output) and maintaining reconciliations, control accounts and trial
balances;
 Authorisation and approval: of documents, credit limits and changes to software,
for example;
 Monitoring controls: use of budgets, forecasts and variance analysis and the use
of internal audit to establish whether controls are being applied, are effective and
to make recommendations for improvement.

2.12 Recording internal control system:

The first step involves determination of the controls and procedures laid down by the
management. The auditor may ascertain the character, scope and efficacy of the control system
by reading company manuals, studying organization charts and flow charts and by making
suitable enquiries of the officers and employees. Considerable skill and knowledge may be
called for to acquaint the auditor with how all the accounting information is collected and
processed and to learn the nature of the controls that make the information reliable and protect
the company’s assets. In many cases, very little of this information is available in writing; the
auditor must ask the right people the right questions if he is to get the information he wants. It
would be better if he makes written notes of the relevant information and procedures contained
in the manual or ascertained on enquiry.

 The need to record internal control system:

The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to control
activities relevant to the audit, and how the entity initiates corrective actions to
deficiencies in its controls.
If the entity has an internal audit function, the auditor shall obtain an understanding of the
nature of its responsibilities, its organizational status and the activities performed / to be
performed. The auditor shall also obtain an understanding of the sources of the
information used in the monitoring activities and the basis on which management
considers it reliable.

 The auditor should evaluate the systems and conduct an audit risk assessment; this helps in
identifying the audit approach. There are two approaches:

 Systems based approach

 Transactions based approach

 Recording Methods: Narrative notes, questionnaire and systems flowchart.

To facilitate the accumulation of the information necessary for the proper review and evaluation
of internal controls, the auditor can use one of the following to help him to know and assimilate
the system and evaluate it:

 Narrative notes;
 Questionnaire; and
 Flow chart.
2.13 Narrative Notes

It is a written description of the control system and the controls that are in place.
Narrative note is a complete and exhaustive description of the system as found in
operation by the auditor. Actual testing and observation are necessary before such a
record can be developed.

Advantages:

 It is simple to prepare.
 It may be recommended in cases where no formal control system is in operation.
 It is more suited to a small business.


Disadvantages:

 It is time consuming.
 It is quite difficult to comprehend the system in operation.
 It is difficult to identify weaknesses or gaps in the system.
 It is difficult to incorporate changes arising on account of reshuffling of manpower, etc.

2.14 Systems flowcharts

 It is a representation of the accounting system in the form of a diagram: a graphic
presentation of each part of the company's system of internal control. A flowchart is
considered to be the most concise way of recording the auditor's review of the system.

 Flowcharts show the flow of work by showing how documents are transferred within a
system.

 It minimises the amount of narrative explanation and thereby achieves a concision of
presentation not possible in any other form. It gives a bird's eye view of the system and the
flow of transactions, so that weaknesses in integration and in documentation can be easily
spotted and improvements suggested. For each type of transaction, flowcharts show the
documents generated, the processes applied to the documents and the flow of the
documents between departments.

 It presents an immediate visual impact of the system.

 It is also necessary for the auditor to study the significant features of the business carried
on by the concern: the nature of its activities, the various channels of goods and materials
as well as cash, both inward and outward, and the entire process of manufacturing, trading
and administration. This will help him to understand and evaluate the internal controls in
the correct perspective.

 It helps to identify weaknesses in control more easily.

 Accounting and control system flowcharts are commonly used.


Benefits and limitations of flowchart:

Advantages are:

 It enhances the auditor's evaluation.
 Annual updating of a chart is easy, with additions or deletions of symbols and lines.
 It is an easily evaluated and informative description of the system.
 Graphic evidence of any conflicting responsibilities is given through it.
 Its logical sense facilitates easy understanding of the system.
 The system is recorded entirely, as all documents have to be traced from beginning to end.
 It is a permanent record of the system, needing only minor changes each year.
 It highlights the strengths and weaknesses of a system, making it easier to spot any missing
controls.
 It can be prepared easily by inexperienced staff.

Limitations are:

 It is only suitable for describing standard systems rather than recording systems with
unusual transactions.
 It is not appropriate for recording systems with further classifications of subsystems or
subroutines.
 It is a time consuming process, since the auditor must learn about the operating
personnel involved in the system and gather samples of relevant documents.
 There is a possibility of recording and checking areas that are of no audit significance.
 Flowcharts are difficult to amend.

2.15 Questionnaires

 A standard questionnaire is a list of questions about controls in a particular aspect of
operations or accounting.

 An Internal Control Questionnaire (ICQ) is designed to establish whether appropriate
controls exist that meet specific control objectives. It is a comprehensive series of
questions concerning internal control, and the most widely used form for collecting
information about the existence, operation and efficiency of internal control in an
organization.

 A 'Yes' answer to a question indicates a control strength (a satisfactory position), while a
'No' answer indicates a control weakness. Provision is made for an explanation or further
details of 'No' answers. For questions not relevant to the business, the reply 'Not Applicable'
is given.

 ICQs provide a means of recording systems, assist in the evaluation process and help the
auditor gain an overall picture of the reliability of the system under review.

 It is relatively simple and can be completed by relatively junior members of staff. The
questionnaire is usually issued to the client, who is requested to have it filled in by the
executives and employees concerned. If, on perusal of the answers, inconsistencies or
apparent incongruities are noticed, the matter is discussed further by the auditor's staff
with the client's employees to obtain a clear picture. The auditor then prepares a report of
deficiencies and recommendations for improvement.

 Advantages of a Questionnaire

An important advantage of the questionnaire approach is that oversight or omission of
significant internal control review procedures is less likely to occur with this method.
With a proper questionnaire, the whole internal control evaluation can be completed at one
time or in sections, and the review can more easily be made on an interim basis. The
questionnaire form also provides an orderly means of disclosing control defects. It is the
general practice to review the internal control system annually and record the review in
detail.

 Disadvantages of a Questionnaire

 It is time-consuming.

Example

For example, for credit worthiness of potential new customers, a questionnaire including
the following questions could be made:

 Are credit references taken on all potential new customers? Y/N

 Are credit limits set for customers? Y/N

Example

As part of his evaluation of internal controls, the auditor wishes to establish each of the
following: (a) That the correct product prices are charged on sales invoices to customers.

(b) That raw materials delivered are of the correct specification and in the correct quantity.

Required Draft ICQ questions that could be used to establish the existence of appropriate
controls.

Answer

a) Is a check carried out to match the price on a sales invoice to the official price list? Yes/No

b) Are raw materials counted and checked against the purchase order when the materials are
delivered? Yes/No
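
The two worked ICQ answers above, taken together with the 'Yes'/'No'/'Not Applicable' rules, can be turned into the deficiency report the text describes. The following is an added example, not part of the original notes: the questions, the control objectives they are mapped to and the sample answers are all constructed. It adds one rule the text does not state explicitly: an objective for which every question was answered 'Not Applicable' is reported as untested rather than being silently counted as satisfactory.

```python
"""Evaluate Internal Control Questionnaire (ICQ) answers into a deficiency report.

Added example, not part of the original notes. Questions, objectives and the
sample answers are constructed. Rules: 'Y' is a strength, 'N' is a weakness and
needs an explanation, 'NA' means the question does not apply. An objective with
no applicable question answered is reported as 'untested'.
"""

# Constructed ICQ: (question id, control objective, question text).
ICQ = [
    ("Q1", "sales pricing", "Is a check carried out to match the price on a sales invoice to the official price list?"),
    ("Q2", "sales pricing", "Is the official price list approved and dated by a manager?"),
    ("Q3", "goods received", "Are raw materials counted and checked against the purchase order when delivered?"),
    ("Q4", "credit control", "Are credit references taken on all potential new customers?"),
    ("Q5", "credit control", "Are credit limits set for customers?"),
    ("Q6", "payroll", "Are changes to standing payroll data approved outside the payroll function?"),
]

VALID_ANSWERS = {"Y", "N", "NA"}

# Constructed sample answers returned by the client: {question id: (answer, explanation)}.
SAMPLE_ANSWERS = {
    "Q1": ("Y", ""),
    "Q2": ("N", "price list is edited by sales staff without sign-off"),
    "Q3": ("Y", ""),
    "Q4": ("N", ""),   # weakness reported with no explanation: flagged for follow-up
    "Q5": ("y", ""),   # lower case is accepted
    "Q6": ("NA", "no employees other than the directors"),
}


def evaluate_icq(answers, icq=ICQ):
    """Turn ICQ answers into weaknesses, invalid entries and per-objective verdicts.

    Returns a dict:
      weaknesses: [(qid, objective, question, explanation)] for every 'N'
      invalid:    [(qid, reason)] for missing/unknown answers and 'N' without explanation
      verdicts:   {objective: 'strength' | 'weakness' | 'untested'}
    """
    applicable = {}  # objective -> list of Y/N answers actually given
    report = {"weaknesses": [], "invalid": [], "verdicts": {}}
    for qid, objective, question in icq:
        applicable.setdefault(objective, [])
        answer, explanation = answers.get(qid, ("", ""))
        answer = answer.strip().upper()
        explanation = explanation.strip()
        if answer not in VALID_ANSWERS:
            report["invalid"].append((qid, f"unanswered or invalid answer {answer!r}"))
            continue
        if answer == "NA":
            continue
        applicable[objective].append(answer)
        if answer == "N":
            report["weaknesses"].append((qid, objective, question, explanation))
            if not explanation:
                report["invalid"].append((qid, "'N' answer requires an explanation"))
    for objective, given in applicable.items():
        if not given:
            verdict = "untested"
        elif "N" in given:
            verdict = "weakness"
        else:
            verdict = "strength"
        report["verdicts"][objective] = verdict
    return report


if __name__ == "__main__":
    result = evaluate_icq(SAMPLE_ANSWERS)
    for objective, verdict in result["verdicts"].items():
        print(f"{objective:15} {verdict}")
    for qid, objective, question, explanation in result["weaknesses"]:
        print(f"DEFICIENCY {qid} [{objective}]: {question} -> {explanation or 'NO EXPLANATION GIVEN'}")
    for qid, reason in result["invalid"]:
        print(f"FOLLOW UP {qid}: {reason}")
```

The 'invalid' list is the set of answers the auditor's staff would take back to the client's employees for discussion before the deficiency report is drafted; the 'untested' verdict is what prevents a fully 'Not Applicable' objective from looking like a strength.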

Components of Internal Control System

Component: The control environment
 Governance and management functions
 Attitudes, awareness and actions of management
 "Sets the tone"
 Communication and enforcement of integrity and ethical values

Component: The entity's risk assessment process
 How management identifies risks and decides upon actions to manage them

Component: The information system
 Consists of infrastructure, software, people, procedures and data
 For financial reporting objectives, the procedures and records that initiate, record,
process and report transactions and maintain accountability for assets, liabilities and
equity

Component: Control activities
The policies and procedures that help ensure that management directives are carried out.
The categories most relevant to an audit:
 Performance reviews
 Information processing
 Physical controls
 Segregation of duties

Component: Monitoring of controls
 Assessing the design and operation of controls over time
 Ongoing monitoring is part of regular management activity
 Separate monitoring may be performed by internal auditors

3. LIMITATIONS OF INTERNAL CONTROL SYSTEMS

3.1 Reasons why internal controls may be ineffective

Internal control provides reasonable assurance, not absolute assurance, that management’s
objectives will be achieved. Because people operate the controls, breakdowns can occur. Internal
control can help prevent and detect many errors, but it cannot guarantee that they will never
happen. Several limitations to internal control systems prevent management from obtaining
complete assurance that controls are absolutely effective:

 Human errors may not be detected by control systems.

Human error due to mistakes in judgment, fatigue, and carelessness can still occur.
Although controls are implemented to prevent and detect errors, deliberate circumvention
by people in the system can still occur.

 Not cost effective for certain types of control

Additionally, internal control is subject to cost-benefit considerations. Internal control
could be made perfect, or nearly so, but at great expense. Each successive safeguard costs
additional money, as does extensive supervision of clerical personnel in an office. At
some point, the cost of protecting the inventory from theft (or of supervisors catching
every clerical error) exceeds the benefit of the internal control activity. In the professional
auditing standards, the concept of reasonable assurance recognizes that the costs of
controls should not exceed the benefits that are expected from the controls. Hence, an
entity can decide that certain controls are too costly considering the risk of loss that can
occur.

 Ignored or overridden by employees or management

Because most internal controls are directed at lower-level employees, management
override can occur. For example, it is often possible for management to override controls
by force of authority (i.e., if the CEO says to do something, most employees will).
Fraudulent financial reporting often involves management override of controls that
otherwise appear to be operating effectively.

 Existence of collusion.

Although separation of duties can be extremely effective in an internal control system,
collusion among people who are supposed to act independently can lead to a failure in the
achievement of relevant internal control objectives.

These factors demonstrate why auditors cannot obtain all their evidence from tests of the
systems of internal control. The key factors in the limitations of control systems are
human error and the potential for fraud.

The safeguard of segregation of duties can help deter fraud. However, if employees
decide to perpetrate fraud by collusion, or management commits fraud by overriding
systems, the accounting system will not be able to prevent such fraud.

3.2 Problems of small entities

Small companies – the problem of control

Many of the controls which would be relevant to a large entity are neither practical nor
appropriate for a small company, which will often have a simple internal control system. For a
small company, the most important form of internal control is generally the close involvement of
the directors or proprietors.

However, it is also important to note that close involvement by management will enable them to
override controls and, if they wish, to exclude transactions from the records. Auditors can also
have difficulties, not because there is a general lack of controls but because the evidence
available as to their operation and the completeness of the records is insufficient. For example,
an owner-manager may well perform an independent review of payroll records, but will not sign
and date to indicate the review has taken place, and may not document the investigation of
anomalies or how problems were resolved. Therefore it is very difficult for the auditor to obtain
evidence that a control is operating effectively, even if it is.

Segregation of duties will often appear inadequate in enterprises having a small number of staff.
Similarly, because of the scale of the operation, organisation and management controls are likely
to be rudimentary at best.

As discussed above, the onus is on the proprietor, by virtue of their day to day involvement, to
compensate for this lack. This involvement should encompass physical, authorisation,
arithmetical and accounting controls as well as supervision.

Where the manager of a small business is not the owner, the manager may not possess the same
degree of commitment to the running of it as an owner-manager would. In such cases, the
auditors will have to consider the adequacy of controls exercised by the shareholders over the
manager in assessing internal control.

3.2.1 Evidence available in relation to internal control in small companies

Audit evidence for elements of the control environment in smaller entities may not be available
in documentary form, in particular where communication between management and other
personnel may be informal but effective. However, although not documented, small companies
may develop a culture that emphasises the importance of integrity and ethical behaviour through
verbal communication and where management sets a good example. As a result, the attitudes,
awareness and actions of management are very important to the auditor's understanding of a
smaller entity's control environment.

Although size and economic considerations in smaller entities often reduce the opportunity for
formal control activities, there is still likely to be some evidence available in relation to internal
controls. Some basic control activities are likely to exist for the main transaction cycles, such as
revenues, purchases and payroll costs.

In a small company, often management's sole authority for approval of, for example, purchases
and payments can provide strong control over important account balances and the auditor can
seek to test and rely on these controls. These key controls lessen or remove the need for more
detailed control activities and if the auditor can gain enough evidence that these key controls are
operating effectively substantive testing can be reduced.

However, because of the factors discussed in the preceding section, the auditor will often choose
or be forced to turn to substantive procedures to gain sufficient appropriate audit evidence when
auditing a smaller entity. This can often mean use of:

 Confirmations
 Agreeing samples related to different financial statement areas to source
documents
 Analytical procedures where these are considered suitable

 For example, segregation of duties

The internal control required by a sole proprietor of a small business is not identical with
that required for a large industrial organisation. A small trader having a grocery shop
hardly needs more than one or two assistants. He decides the work to be done by the
assistants. He always knows his own stock, cash and bank position. He has the
knowledge of daily sales. He himself knows the sources for purchases. He arranges
transport and makes the purchases. He keeps the record of the debtors and creditors. The
assistants merely help him in delivering goods to customers or to arrange the goods in
proper order.

From the above, it can be observed that control is entirely centralised with the owner and
there is no significant delegation of duties.

 Features of control system in small entities:

Small and midsize entities may implement the control environment factors differently
than larger entities. For example, smaller entities might not have a written code of
conduct but instead develop a culture that emphasizes the importance of integrity and
ethical behavior through oral communication and by management example. Similarly, a
smaller entity may not have an independent or outside member on its board of directors.

 High level of involvement by the directors.

 Owner-manager personally authorizing many transactions.

 This involvement mitigates the risk arising from a lack of segregation of duties.

 Less likely to have a written code of conduct, so the culture of integrity and ethical
behaviour will be key to the auditor's risk assessment.

For smaller entities, the risk assessment process is likely to be less formal
and less structured. Although all entities should have established financial
reporting management objectives, they may be recognized implicitly rather
than explicitly in smaller entities.

 Auditor will often see management involvement as only a partial substitute for ‘normal’
control system.
 The following problems may arise when the control system relies excessively on the
involvement of senior management:

 Lack of evidence as to how systems are supposed to operate.

 The auditor must rely more on enquiry than on review of documentation.

 Lack of evidence of the existence and application of controls.

 Management may override other controls that are in place.


 Management may lack the expertise necessary to control the entity effectively.

 Less chance of having an independent person within the management team.

 Fewer tests of control and more substantive testing.

The auditor needs to obtain the same degree of assurance in order to give an unqualified opinion
on the financial statements of both small and large entities. However, many controls which
would be relevant to large entities are not practical in the small business. For example, in small
business accounting work may be performed by only a few persons. These persons may have
both operating and custodial responsibilities, and segregation of functions may be missing or
severely limited. Inadequate segregation of duties may, in some cases, be offset by
owner/manager supervisory controls which may exist because of direct personal knowledge of
the business and involvement in the business transactions. In circumstances where segregation of
duties is limited or evidence of supervisory controls is lacking, the evidence necessary to support
the auditor’s opinion on the financial information may have to be obtained largely through the
performance of substantive procedures.

4. EVALUATION OF CONTROLS AND AUDIT RISK
ASSESSMENT

4.1 The purpose of evaluating controls

 It is a two-stage process:

 First, whether controls are effective 'on paper': obtain a general picture of the
effectiveness of the controls established by management.

 Second, whether the controls are applied properly, and so whether they are actually
working and operating effectively.

4.2 The evaluation process

 If the 'paper' review shows major weaknesses, the audit approach will have to focus on tests
of transactions (substantive tests) rather than on tests of control (a systems-based
approach). This is the appropriate response where control risk is assessed as high.

 If the controls appear to be acceptable on paper, the auditor has to perform tests of
control.

 If the tests indicate that the controls are operating effectively, the audit can be systems
based, with lower substantive testing.

 ISA 330 requires that substantive procedures are carried out for each material class of
transactions, account balance and disclosure, irrespective of the assessed risk.
4.3 Management Letter

 A report, typically presented in columnar fashion, detailing weaknesses observed in the
client's system of internal controls.

 Reporting control weaknesses is a by-product of the external audit, not one of its
objectives.


Internal control system

Internal control, as defined in accounting and auditing, is a process for assuring an
organization's objectives in operational effectiveness and efficiency, reliable financial reporting,
and compliance with laws, regulations and policies. The internal control structure of a company
consists of the policies and procedures established to provide reasonable assurance that specific
entity objectives will be achieved. The proper execution of business activities, in the light of
prevailing laws and the socio-economic conditions of the country, so as to achieve the objectives
of the business, is called an internal control system or structure. The internal control system is
introduced to avoid errors and frauds and for systematic control of business activities.

The American Institute of Certified Public Accountants (AICPA) defines internal control as the
plan of organization and all of the coordinate methods and measures adopted within a business to
safeguard its assets, check the accuracy and reliability of its accounting data, promote operational
efficiency and encourage adherence to prescribed managerial policies.

Example where internal control system is needed

For example;

In small business organizations, generally, the owner-manager controls the total activities of his
business by his personal supervision and direct participation. The owner generally purchases the
required business materials and other properties. He himself appoints the employees, settles the
terms of their contracts with them through discussion and also keeps constant watch over their
activities. He himself signs cheques for payments under the different heads. Since he signs all the
cheques, he can easily form an idea of what commodities, assets and services he is paying for.
But with the expansion of the business, the appointment of additional employees and officers is
needed and the scope of the business also widens. Under such conditions, it becomes almost
impossible for the manager to perform all the activities of the business alone, so he has to delegate
authority and his overall control tends to decrease. The owner then needs an internal control
system to ensure that his overall control remains the same.

Conditions under which ICS differs


The internal control system differs from one business organization to another depending on the
nature and size of the business.

How is risk assessed? The internal control system is made up of 5 components.

1. Control Environment
This component ensures that an environment is built up in which whatever operation is done by
the organization is automatically monitored and controlled by that environment.
The control environment is arguably the most important component because it sets the tone
for the organization. Factors of the control environment include employees' integrity, the
organization's commitment to competence, management's philosophy and operating style,
and the attention and direction of the board of directors and its audit committee. The control
environment provides discipline and structure for the other components.
The core of any organization is its people – their individual attributes, including integrity,
ethical values and competence – and the environment in which they operate. They are the
engine that drives the organization and the foundation on which everything rests. Effectively
controlled organizations set a positive "tone at the top" and strive to:
 Train staff to understand and use appropriate management controls in all areas.
 Provide structure and process for implementing these controls.
Internal controls are likely to function well if management believes that those controls are
important and communicates that view to employees at all levels. If management views controls
as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be
communicated. Despite policies to the contrary, employees will then view internal controls as
"red tape" to be "cut through" to get the job done. An effective internal control environment:

 Sets the tone of an organization influencing the control consciousness of its people
 Is an intangible factor that is the foundation for all other components of internal control,
providing discipline and structure
 Describes "organizational culture"
 Includes a commitment to hire, train, and retain qualified staff
 Encompasses both technical competence and ethical commitment
2. Entity’s Risk Assessment Process.
After setting up the objective of business, external and internal risks are to be assessed. The
management determines risk controlling means after examining the risks related to every
objective.
Risk assessment refers to the identification, analysis, and management of uncertainty facing
the organization. Risk assessment focuses on the uncertainties in meeting the organization's
financial, compliance, and operational objectives. Changes in personnel, new product lines,
or rapid expansion could affect an organization's risks.
A risk is anything that endangers the achievement of an objective. Always ask: What can go
wrong? What assets do we need to protect?
• Risk assessment is the process used to identify, analyze, and manage the potential risks
that could hinder or prevent an agency from achieving its objectives.
• Risk increases during a time of change, for example, turnover in personnel, rapid growth,
or establishment of new services.
• Other potential high risk factors include complex programs or activities, cash receipts,
direct third party beneficiaries, and prior problems.
Management must be aware of and deal with the risks the organization faces. It must set
objectives, integrated with other activities so that the organization is operating in concert.

Management must also establish mechanisms to identify, analyze and manage the related risks.
The risk assessment process has four steps:

1) Identify business risks

The department in which the risk lies needs to be identified. The risk can be in any
department: for example, poor advertising in the marketing department, operational risk and
cash flow volatility in purchasing, poor logistics in supply chain management, risks in the
finance department, or the HR department hiring unqualified employees and so reducing the
efficiency of the business. Identify potential problems: review goals and objectives and
determine potential problem areas, for example areas that receive complaints or have had
problems in the past, areas that have undergone recent changes in staff or structure, and
complex activities.

2) Estimate its significance

The significance of a risk is estimated as the amount of loss it would cause, so that the risks
causing the most damage to the business can be identified. Determine the severity of risks
by asking both: Where do we face the greatest possible harm? What types of losses are
most likely to occur? A moderate loss that is likely to occur presents as much danger as a
more serious loss that is less likely to occur. Use this evaluation to prioritize your efforts.

3) Assess the likelihood of its occurrence

The chance of the risk occurring. Likelihood is multiplied by significance to identify the risks
that would cause the most damage or expense to the company.

4) Actions to reduce risk

Management decides what actions to take against the risks identified, starting with those that
score highest; the information system is used to support reducing and tracking these risks.
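
The four steps above, and the cost-benefit limitation described in section 3.1, can be carried through on a small risk register. The following is an added example, not part of the original notes: the risks, their likelihoods and loss amounts, and the candidate controls with their costs are all constructed. Each risk is scored as expected loss (likelihood multiplied by significance), which is why a likely moderate loss ranks beside a rare serious one; a control passes the screen only if its annual cost is below the expected loss it removes. The `likelihood_reduction` field is a simplifying assumption of this example: the fraction of a risk's likelihood the control is believed to remove.

```python
"""Risk assessment worked through: likelihood x significance, then a
cost-benefit screen of candidate controls.

Added example, not part of the original notes. All figures are constructed.
'likelihood_reduction' is an assumption of this example, not a term from the
text: the fraction of a risk's likelihood a control is believed to remove.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    department: str
    likelihood: float    # probability of occurring in a year, 0..1
    significance: float  # loss in money terms if it occurs

    def __post_init__(self):
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be between 0 and 1")
        if self.significance < 0:
            raise ValueError(f"{self.name}: significance cannot be negative")

    def expected_loss(self):
        """Step 3 of the text: likelihood multiplied by significance."""
        return self.likelihood * self.significance


@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str               # the risk this control addresses
    annual_cost: float
    likelihood_reduction: float  # assumed fraction of likelihood removed, 0..1


# Constructed risk register (steps 1 and 2 of the text).
SAMPLE_RISKS = [
    Risk("warehouse stock theft", "operations", 0.40, 25_000),
    Risk("duplicate supplier payment", "finance", 0.60, 8_000),
    Risk("ERP outage at month-end close", "IT", 0.05, 150_000),
    Risk("unqualified hire", "HR", 0.20, 12_000),
]

# Constructed candidate controls (step 4 of the text).
SAMPLE_CONTROLS = [
    Control("access badges and CCTV on warehouse", "warehouse stock theft", 6_000, 0.75),
    Control("24-hour security guard", "warehouse stock theft", 30_000, 0.90),
    Control("three-way match before payment release", "duplicate supplier payment", 1_500, 0.80),
    Control("hot standby ERP site", "ERP outage at month-end close", 40_000, 0.90),
]


def rank_risks(risks):
    """Risks ordered by expected loss, highest first (step 3 applied to the register)."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def control_decisions(risks, controls):
    """Cost-benefit screen of each control against the risk it addresses.

    Returns [(control name, annual benefit, annual cost, adopt)], where benefit
    is the expected loss removed and adopt is True only when benefit exceeds
    cost: the 'reasonable assurance' test from the limitations section.
    """
    by_name = {r.name: r for r in risks}
    decisions = []
    for control in controls:
        risk = by_name[control.risk_name]
        benefit = risk.expected_loss() * control.likelihood_reduction
        decisions.append((control.name, round(benefit, 2), control.annual_cost,
                          benefit > control.annual_cost))
    return decisions


def residual_expected_loss(risks, controls):
    """Total expected loss after applying only the controls that pass the screen.

    Several adopted controls on one risk are assumed to reduce its likelihood
    multiplicatively (an assumption of this example).
    """
    adopted = {name for name, _, _, adopt in control_decisions(risks, controls) if adopt}
    total = 0.0
    for risk in risks:
        remaining = risk.likelihood
        for control in controls:
            if control.name in adopted and control.risk_name == risk.name:
                remaining *= 1.0 - control.likelihood_reduction
        total += remaining * risk.significance
    return round(total, 2)


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        print(f"{risk.expected_loss():>10,.0f}  {risk.name} ({risk.department})")
    for name, benefit, cost, adopt in control_decisions(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{'ADOPT ' if adopt else 'REJECT'} {name}: benefit {benefit:,.0f} vs cost {cost:,.0f}")
    print("residual expected loss:", residual_expected_loss(SAMPLE_RISKS, SAMPLE_CONTROLS))
```

The ranking puts the rare but expensive ERP outage second, above the frequent duplicate payment, which is the point the text makes about likelihood and severity; the screen then rejects the hot standby site and the full-time guard because each costs more than the expected loss it would remove, leaving those risks to be accepted and, for the auditor, a higher reliance on substantive procedures in those areas.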

Prepare a written narrative or flow chart explaining how the problem is supposed to be handled
by describing each activity or transaction within the cycle. Describe in the narrative: Who is
performing each step? What is involved in the step? Any resulting documentation, for example,
reports. Review the information available in policy and procedure manuals. Also, use written
materials such as organizational charts, job descriptions, reviews, checklists, department records,
and reports. Supplement written sources through conversations with and observations of
appropriate staff. Finally, "walk through" the process to be sure every item is understood.

3. Information System
Relevant information for taking decisions is to be collected and reported in proper time. The
events that yield data may originate from internal or external sources. Communication is very
important for achieving management goals. The employees are to realize what is expected of
them and how their responsibilities are related to the activities of others. Communication by the
owners with outside parties, such as suppliers, is also very important.
Information and communication encompasses the identification, capture, and exchange of
financial, operational, and compliance information in a timely manner. People within an
organization who have timely, reliable information are better able to conduct, manage, and
control the organization's operations.
Control activities are surrounded by information and communication systems. These systems
enable the organization’s people to capture and exchange the information needed to conduct,
manage and control its operations.
 Obtain external and internal information, and provide management with necessary
reports on the organization’s performance relative to established objectives.
 Provide information to the right people in sufficient detail and on time to enable them
to carry out their responsibilities efficiently and effectively.
 Develop or revise information systems based on a strategic plan, linked to the
organization’s overall strategy, and responsive to achieving the entity-wide and
activity-level objectives.
 Demonstrate support for developing necessary information systems by committing
adequate human and financial resources.
4. Control activities
The management establishes a controlling activities system to prevent risk associated with
every objective. These controlling activities include all those measures that are to be
followed by the employees.
Control activities include the policies and procedures maintained by an organization to
address risk-prone areas. An example of a control activity is a policy requiring approval by
the board of directors for all purchases exceeding a predetermined amount. Control activities
were once thought to be the most important element of internal control, but COSO suggests
that the control environment is more critical since the control environment fosters the best
actions, while control activities provide safeguards to prevent wrong actions from occurring.
Control policies and procedures must be established and executed to help ensure that
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the organization’s objectives. Control activities occur
throughout the organization, at all levels and in all functions. They include a range of
activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
• Review each cycle to determine whether existing controls are sufficient to avoid potential problems.
• Identify any outside policies or procedures in place to offset potential risks.
• If controls do not exist or appear ineffective, establish new controls.
• Identify any controls that are excessive or unnecessary and modify or eliminate them.
• Remember that a good control environment is the first step toward establishing effective controls.

Organizations establish policies and procedures so that identified risks do not prevent the
organization from reaching its objectives.

• Clearly identified activities minimize risk and enhance effectiveness.
• Internal control activities are nothing more than the policies, procedures, and organizational structure of an entity.
• Controls can be either preventive, for example, requiring supervisory approval, or detective, for example, reconciling reports.
• Avoid excessive controls, which are as harmful as excessive risk and result in increased bureaucracy and reduced productivity.

5. Monitoring of Controls
Once the internal control system is in operation, the organization monitors its effectiveness so that necessary changes can be made if a serious problem arises.
Monitoring refers to the assessment of the quality of internal control. Monitoring activities
provide information about potential and actual breakdowns in a control system that could
make it difficult for an organization to accomplish its goals. Informal monitoring activities
might include management's checking with subordinates to see if objectives are being met. A
more formal monitoring activity would be an assessment of the internal control system by the
organization's internal auditors.

The entire process must be monitored, and modifications made as necessary. This way, the
system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory activities, and other
actions personnel take in performing their duties. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.

• Schedule monitoring on a regular basis.
• Test controls at least annually to determine whether they continue to be adequate and are still functioning as intended.
• Use program monitors, auditors and reviewers as a resource in monitoring controls.
• Select a sample. Review all documentation. Visit outside sites, if appropriate. Supplement the sample with special tests of sensitive items and problem areas.
• Always follow up to ensure that any identified problems are corrected.

After implementing internal controls, organizations must monitor their effectiveness periodically
to ensure that controls continue to be adequate and continue to function properly. Management
must also revisit previously identified problems to ensure that they are corrected.

Important: the five components, with examples and explanations

The COSO model is just one representation that can be used, and at its heart it
guides management through the implementation of a control framework that’s
measurable and targeted at reducing risk.

Here are the five components of internal controls:

• Control environment: This term refers to the attitude of the company, management, and staff regarding internal controls. Do they take internal controls seriously, or do they ignore them? Your client’s environment isn’t very good if, during your interviews with management and staff, you see a lack of effective controls or notice that previous audits show many errors.
• Risk assessment: In a nutshell, you should evaluate whether management has identified its riskiest areas and implemented controls to prevent or detect errors or fraud that could result in material misstatements (errors that cause net income to change significantly). For example, has management considered the risk of unrecorded revenue or expense transactions?
• Control activities: These are the policies and procedures that help ensure management’s directives are carried out. One example is a policy that all company checks for amounts more than $5,000 require two signatures.
• Information and communication: You have to understand management’s information technology, accounting, and communication systems and processes. This includes internal controls to safeguard assets, maintain accounting records, and back up data.

For example, to safeguard assets, does the client tag all computers with
identifying stickers and periodically take a count to make sure all
computers are present? Regarding the accounting system, is it
computerized or manual? If it’s computerized, are authorization levels set
for employees so they can access only their piece of the accounting
puzzle? For data, are backups done frequently and kept offsite in case of
fire or theft?

• Monitoring: This component involves understanding how management monitors its controls and how effectively. The best internal controls are worthless if the company doesn’t monitor them and make changes when they aren’t working. For example, if management discovers that tagged computers are missing, it has to put better controls in place. The client may need to establish a policy that no computer gear leaves the facility without managerial approval.
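The preventive and detective controls described in these notes (supervisory approval, two signatures on cheques over $5,000, and reconciliation of reports) in working form, as an added example written for this page rather than code from the page or any of the cited textbooks. The threshold, employee names, cheque references and amounts are constructed sample values; the reconciliation also counts duplicates, so a payment recorded twice is reported, which goes slightly beyond the notes' one-line description.

```python
"""Added example: one preventive and one detective control activity.
All names, references and amounts below are constructed sample data."""
from collections import Counter

DUAL_SIGNATURE_THRESHOLD = 5_000  # cheques above this amount need two signatures


def authorize_cheque(amount, requested_by, signers):
    """Preventive control: block a cheque before it is issued unless the
    signature policy and segregation of duties are both satisfied.
    Returns (approved, reason)."""
    distinct = set(signers)
    if not distinct:
        return False, "no signature"
    if requested_by in distinct:
        return False, "requester may not sign own cheque (segregation of duties)"
    if amount > DUAL_SIGNATURE_THRESHOLD and len(distinct) < 2:
        return False, "amount exceeds threshold; two distinct signatures required"
    return True, "approved"


def reconcile(ledger, bank_statement):
    """Detective control: compare the cash ledger with the bank statement
    and report every discrepancy. Entries are (reference, amount) tuples;
    Counter arithmetic keeps multiplicity, so a duplicated entry is flagged."""
    ledger_c = Counter(ledger)
    bank_c = Counter(bank_statement)
    findings = []
    for entry in sorted((ledger_c - bank_c).elements()):
        findings.append(("in ledger, not at bank", entry))
    for entry in sorted((bank_c - ledger_c).elements()):
        findings.append(("at bank, not in ledger", entry))
    return findings


if __name__ == "__main__":
    # Constructed sample data: one rejected and one approved cheque,
    # then a ledger with a duplicated payment and a missing bank charge.
    print(authorize_cheque(7_500, "alice", ["bob"]))
    print(authorize_cheque(7_500, "alice", ["bob", "carol"]))
    ledger = [("CHQ101", 2_000.0), ("CHQ102", 7_500.0), ("CHQ102", 7_500.0)]
    bank = [("CHQ101", 2_000.0), ("CHQ102", 7_500.0), ("CHQ103", 950.0)]
    for finding in reconcile(ledger, bank):
        print(*finding)
```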
2.2 Understanding the accounting and internal control system:
The primary responsibility for the development and maintenance of internal control rests with an organization's management. Top management at a publicly owned organization is responsible for the organization's annual financial report to the shareholders. That report includes a statement indicating that management has established a system of internal control that it believes to be effective. The statement may also provide specific details about the organization's internal control system.

Internal control must be evaluated in order to provide management with some assurance
regarding its effectiveness. Internal control evaluation involves everything management does to
control the organization in the effort to achieve its objectives. Internal control would be judged
as effective if its components are present and function effectively for operations, financial
reporting, and compliance. The board of directors and its audit committee have responsibility for
making sure the internal control system within the organization is adequate. This responsibility
includes determining the extent to which internal controls are evaluated. Two parties involved in
the evaluation of internal control are the organization's internal auditors and their external
auditors. The auditors evaluate the effectiveness of the internal control structure of a business
organization and determine whether the business policies and activities are followed properly.
A communication network supports the execution of an effective internal control structure, and all officers and employees are part of this communication network.

An auditor should ensure that certain rules and procedures are followed by the business unit he is working on, even though a sound system of internal control is the sole responsibility of management. The auditor can only guide or help management if asked to do so, because he has no authority to prescribe such rules and procedures. He should consider:

• His previous knowledge of the client company (past references should be used).
• Any recent changes.
• Any known problems in the internal controls of the client.
• The effect of any new auditing or accounting requirements.
During the interim audit, auditors check how strong the company’s internal control system is: whether it evaluates the company’s activities efficiently, effectively and independently against accounting standards. If it does, the chances of error, fraud or malfunction are lower, and the external auditor can rely on the internal control system when evaluating the company.

ISA 315 emphasizes that establishing communications with the appropriate individuals within an
entity’s internal audit function early in the engagement, and maintaining such communications
throughout the engagement, can facilitate effective sharing of information. The internal control system sets out how the organization should operate and ensures standardization across the company.

To be useful, information must be reliable and it must be communicated to those who need it.
For example, supervisors must communicate duties and responsibilities to the employees that
report to them and employees must be able to alert management to potential problems.

• Information must be communicated both within the organization and to those outside, for example, vendors, recipients, and other constituents.

• Communication must be ongoing both within and between various levels and activities of
the organization.
Conclusion of Ch. 3 and 5
