Department of Finance & Banking

(5th Batch)
Assignment on:
Internal Control and Review Theory
SUBMITTED TO:
Sutapa Chowdury
Assistant Professor
Dept. of Finance & Banking, Comilla University
SUBMITTED BY:

Name: ID:

Rabeya Basri(Leader) 11817051

Tisha Saha 11817034
Imtias Uddin 11817009
Priya Saha 11817013
Sumi Khandakar 11817045
Tumpa Akter 11817011

Table of Content

1
1.Introduction...................................................................................................03
2.Objectives of the study..................................................................................03
3.Methodology..................................................................................................03
4.Limitations of the study.................................................................................03
5.Client and Auditor concerns..........................................................................03
7.Components of Internal Control....................................................................05
6.Procedures to obtain understanding of internal control.................................08
7.Assess control risk..........................................................................................10
8.Recommendation............................................................................................12
9.Conclusion.......................................................................................................12
10.Reference.......................................................................................................13

Internal Control and Review Theory

Introduction

2
Internal controls system includes a set of rules, policies, and procedures an organization
implements to provide direction, increase efficiency and strengthen adherence to policies. IN
other sense, Internal controls are the mechanisms, rules, and procedures implemented by a
company to ensure the integrity of financial and accounting information, promote
accountability and prevent fraud. Besides complying with laws and regulations, and
preventing employees from stealing assets or committing fraud, internal controls can help
improve operational efficiency by improving the accuracy and timeliness of financial
reporting.

Objectives of the study

This study helps to know about the importance of internal control in auditing. In this study,
we came to know about client and auditor concerns, procedures to obtain understanding of
internal control, assess control risk.

Methodology
This research is executed based on secondary data was collected from different sources,
websites, reports, prospectus, journals etc.

Limitation of the study

We are lucky to get a chance to prepare a report on “Consumer Protection Law of
Bangladesh”. We tried hart and soul to prepare a well informed report. But unfortunately, we
face some difficulties when preparing this assignment. We tried to overcome the difficulties.
In spite of trying our level best, some difficulties that hamper our schedule report work:
• The major problem we have faced is lack of understanding.
• As the data is collected from secondary sources, there was very little opportunity to
analysis data.
• Time constraint is one of the problems, for which it has been difficult for us to gather
enough knowledge.

Client and Auditor concerns

Client concerns:
A system of internal control consists of policies and procedures designed to provide
management with reasonable assurance that the company achieves its objectives and goals.
These policies and procedures are often called controls, and collectively they comprise the
entity's internal control. An understanding of internal control, especially those controls
related to the reliability of financial reporting, are important to the auditor's purposes.
Reliability of Financial Reporting: Management is responsible for preparing financial
statements for investors, creditors, and other users. Management has both a legal and

3
professional responsibility to be sure that the information is fairly prepared in accordance
with reporting requirements such as GAAP.
Efficiency and Effectiveness of Operations: Controls within an organization are meant to
encourage efficient and effective use of its resources, including personnel, to optimize the
company's goals. An important part of these controls is accurate information for internal
decision making. A variety of information is used for making critical business decisions.
Another important part of effectiveness and efficiency is safeguarding assets and records. The
physical assets of a company can be stolen, misused, or accidentally destroyed unless they are
protected by adequate controls. The same is true of nonphysical assets such as accounts
receivable, important documents (confidential government contracts), and records (general
ledger and journals),. Safeguarding certain assets and records has become increasingly
important since the advent of computer systems. Large amounts of information stored on
computer media can be destroyed if care is not taken to protect them. Safeguarding of
accounting records also affects the reliability of financial reporting.
Compliance with Applicable Laws and Regulations : Organizations are required to follow
many laws and regulations. Some are only indirectly related to accounting. Examples include
environmental protection and civil rights laws. Others are closely related to accounting, such
as income tax regulations and fraud. One important law affecting all companies subject to the
Securities and Exchange Act of 1934 is the Foreign Corrupt Practices Act of 1977. This law,
which amended the securities acts, requires that a company maintain proper record-keeping
systems. A proper record-keeping system is one that allows the preparation of reliable
external financial statements and prevents off-the-books slush funds and payment of bribes.
Auditor Concerns:
Controls Related to the Reliability of Financial Reporting : To comply with the second
standard of field work, the auditor is interested primarily in controls that relate to the first of
management's internal control concerns: reliability of financial reporting, This is the fairness
of the financial statements. Internal controls, if properly designed and implemented survey by
KPMG (seep. 291) indicate that about half of the typical frauds are detected by internal
controls It has already been stated that auditors should emphasize controls concerned with the
reliability of data for external reporting purposes, but controls affecting internal management
information, such as budgets and internal performance reports, should not be completely
ignored .These types of information are often important sources of evidence in helping the
auditor decide whether the financial statements are fairly presented. If the controls over these
internal reports are considered inadequate, the value of the reports as evidence diminishes.
Controls over Classes of Transactions: The primary emphasis by auditors is on internal
control over classes of transactions rather than account balances: The reason is that the
accuracy of the output of the accounting system (account balances) is heavily dependent on
the accuracy of the inputs and processing (transactions). When gaining an understanding of
internal control and assessing control risk, auditors are primarily concerned with the
transaction-related audit objectives. While gaining an understanding of internal control and

4
assessing control risk, the auditor does not, however, ignore internal control over account
balances.

Components of Internal Control

Control Environment:
The control environment consists of the actions, policies and procedures that reflect the
overall attitudes of top management director and owner of an entity about internal control and
its importance to the entity. The control environment, as established by the organization's
administration, sets the tone of an institution and influences the control consciousness of its
people. Leaders of each department, area or activity establish a local control environment.
This is the foundation for all other components of internal control, providing discipline and
structure. Control environment factors include:
1)Integrity and ethical values
2)Commitment of competence
3)Bard of director participation
4)Organization structure
5)Assignment of authority and responsibility
6)Human resource policy and practices
7)Mana philosophy and operating style
Risk assessment:
The process of identifying and analysing risk is an ongoing process and is a critical
component of an effective internal control system. Attention must be focused on risks at all
levels and necessary actions must be taken to manage. Risks can pertain to internal and
external factors. After risks have been identified they must be evaluated. Managing change
requires a constant assessment of risk and the impact on internal controls. Economic, industry
and regulatory environments change and entities' activities evolve. Mechanisms are needed to
identify and react to changing conditions.
1)Risk assessment process
 Identify factor affecting risks.
 Asses significance of risks and likelihood of occurrence
 Determine action necessary to manage risk
2)Management assertions that must be satisfied:
 completeness

5
 Valuation
 Right and obligation
 Presentation and disclosure

Control activities:
Control activities are the policies and procedures, in addition to those included in the other
four control components that help ensure that necessary actions are taken to address risks to
the achievement of the entity’s objectives. There are potentially many such control activities
in any entity, including both manual and automated controls. The control activities generally
fall into the following five types, which are discussed next:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties Four general guidelines for adequate separation of duties to
prevent both fraud and errors are especially significant for auditors.
Separation of the Custody of Assets from accounting to protect a company from
embezzlement, a person who has temporary or permanent custody of an asset should not
account for that asset.
Separation of the Authorization of Transactions from the Custody of Related Assets It is
desirable to prevent persons who authorize transactions from having control over the related
asset, to reduce the likelihood of embezzlement.
Separation of Operational Responsibility from Record-Keeping Responsibility If each
department or division in an organization were responsible for preparing its own records and
reports, there would be a tendency to bias the results to improve its reported performance. To
ensure unbiased information, record keeping is typically included in a separate department
under the controller.
Separation of IT Duties from User Departments of key users Outside IT The use of
computers to process and manage information is call information technology (IT). As the
level of complexity of IT systems increases, often the segregation of authorization, record
keeping, and custody is blurred. For example, sales agents may enter customer orders online.
The computer authorizes those sales based on its comparison of customer credit limits to the
master file and posts all approved sales in the sales cycle journals. Therefore, the computer
plays a significant role in the authorization and record keeping of sales transactions.
Proper Authorization of Transactions and Activities every transaction must be properly
authorized if controls are to be satisfactory. If any person in an organization could acquire or
expend assets at will, complete chaos would result. Authorization can be either general or
specific. Under general authorization, management establishes policies and subordinates are
instructed to implement these general authorizations by approving all transactions within the
limits set by the policy. General authorization decisions include the issuance of fixed price

6
lists for the sale of products, credit limits for customers, and fixed reorder points for making
acquisitions.
Adequate Documents and Records Documents and records are the physical objects upon
which transactions are entered and summarized. They include such diverse items as sales
invoices, purchase orders, subsidiary records, sales journals, and employee time cards. Many
of these documents and records are maintained in the form of computer files until they are
printed out for specific purpose. Both documents of original entry and records upon which
transaction are entered are important, but the inadequacy of documents typically causes
greater control problems. Documents perform the function of transmitting information
throughout the client's organization and between different organizations. The documents must
be adequate to provide reasonable assurance that all assets are properly controlled and all
transaction are correctly recorded. For example, if the receiving department completes an
electronic receiving report when material is received, the accounts payable computer
application can verify the quantity and description on the vendor’s invoice by comparing it
with the information on the receiving report, with exceptions resolved by the accounts
payable department.
Physical Control over Assets and Records to maintain adequate internal
Control, assets and records must be protected. If assets are left unprotected, they can be
stolen. If records are not adequately protected, they can be stolen, damaged, altered, or lost,
which can seriously disrupt the accounting process and business operations. When a company
is highly computerized, its computer equipment, programs, and data files must be protected.
The data files are the records of the company and, if damaged, could be costly or even
impossible to reconstruct.
Independent Checks on Performance the last category of control activities is the careful
and continuous review of the other four, often called independent checks or internal
verification. The need for independent checks arises because internal controls tend to change
over time, unless there is frequent review. Personnel are likely to forget or intentionally fail
to follow procedures, or they may become careless unless someone observes and evaluates
their performance. Regardless of the quality of the controls, personnel can make errors or
commit fraud.
Information and Communication System The purpose of an entity’s accounting
information and communication system is to initiate, record, process, and report the entity’s
transactions and to maintain account-ability for the related assets. An accounting information
and communication system has several subcomponents, typically made up of classes of
transactions such as sales, sales returns, cash receipts, acquisitions, and so on. For each class
of transactions, the accounting system must satisfy all of the six transaction-related audit
objectives identified earlier. For example, the sales accounting system should be designed to
ensure that all shipments of goods are correctly recorded as sales (complete-ness and
accuracy objectives) and are reflected in the financial statements in the proper period (timing
objective). The system must also avoid duplicate recording of sales and recording a sale if a
shipment did not occur (occurrence objective).

Monitoring:

7
Monitoring activities deal with ongoing or periodic assessment of the quality of internal
control by management to determine that controls are operating as intended and that they are
modified as appropriate for changes in conditions. The information being assessed comes
from a variety of sources, including studies of existing internal controls, internal auditor
reports, exception reporting on control activities, reports by regulators such as bank
regulatory agencies, feedback from operating personnel, and complaints from customers
about billing charges.

For many companies, especially larger ones, an internal audit department is essential for
effective monitoring of the operating performance of internal controls. To be effective, the
internal audit function must be performed by staff independent of both the operating and
accounting departments and report directly to a high level of authority within the
organization, either top management or the audit committee of the board of directors.
Procedures to obtain understanding of internal control :
Auditors obtain information about internal control and use that information as a basis for
audit planning. In obtaining an understanding of controls that are relevant to audit planning,
the auditor should perform procedures to obtain sufficient knowledge about the design of the
relevant controls pertaining to each of the five internal control components and determine
whether they have been placed in operation. The nature and extent of the procedures
performed generally vary from entity to entity and are influenced by the size and complexity
of the entity.
Process for Understanding Internal Control and Assessing Control Risk:
Phase 1:Obtain an understanding of internal control: design and operation.
Phase 2: Assess control risk.
Phase 3: Test of controls.
Phase 4:Decide planned detection risk and substantive tests.
The auditor considers internal control by first obtaining an understanding of internal control,
which is then used to initially assess control risk. When the auditors control risk assessment is
below maximum, the auditor performs tests of controls. Once the results of the tests of
controls are known, the auditor considers how those results affect planned detection risk and
substantive testing.
Phase 1:Obtain understanding of internal control:
The procedures used to gather evidence about design and placement in operation during the
understanding phase are called procedures to obtain an understanding.
For every audit & irrespective of intended reliance on internal control & an auditor must
obtain sufficient understanding of internal control to plan the audit and determine tests to be
performed. The extent of that understanding must, at a. minimum, be sufficient to adequately
plan the audit, in terms of four specific planning matters :

8
I. Auditability
ii.Potential material misstatements
iii.Detection risk
iv.Design of tests.
In obtaining understanding, the auditor should consider two aspects :
1.Design of the various controls within each component and
2.Whether they have been placed in operation.
The following are procedures to determine the design and placement in operation :
i.Update and evaluate auditors previous experience with the entity:
Most audits if a company are done annually by the same CPA firm.Except for initial
engagement, the auditor begins the audit with a great deal of information developed in prior
years about the clients internal control.
ii.Make inquiries of client personnel :
Inquiries of client personnel at the management, supervisory,and staff level will usually be
conducted as part of obtaining an understanding of internal control.
iii.Read clients policy and systems manuals :
Auditor must read and discussed with the company personnel to ensure that clients policy and
system manuals is properly interpreted and understood.
iv.Examine documents and records :
Examination of the documents and records provide evidence that the control policies and
procedures have been placed in operation. Examining this the auditor can bring the contents
of the manuals to life.
v.Observe entity activities and operations :
The auditor can observe client personnel in the process of preparing them and carrying out
their normal accounting and control activities.
Documentation of the understanding :
Three commonly used methods of documenting the understanding of internal control are
narratives, flowcharts and internal control questionnaires.
i.Narrative :A narrative is a written description of a client's internal controls.
ii.Flowchart :An internal control flowchart is a symbolic, diagrammatic representation of the
client's documents and their sequential flow in the organization.
iii.Internal control questionnaire :It is a asks a series of question about the controls in each
area as a means of indicating to the auditor aspects of internal control.

9
Phase 2: Assess control risk:The assessment of control risk is the process of evaluating the
likely effectiveness of an entity accounting and internal control systems in preventing or
detecting and correcting material misstatements.
After obtaining an understanding of the five components of internal control & the auditor
assesses control risk & at the assertion level & for each material account balance or class of
transactions.The auditor must decide whether to assess control risk for particular assertion as
high or as less than high.Once the auditor indentifies controls and weakness and relates them
to transaction related audit objectives, he or she can assess control risk.
Phase 3:Test of control :
A test of controls is a procedure to test the effectiveness of a control used by a client entity to
prevent or detect material misstatements. Depending on the results of this test, auditors may
choose to rely upon a client's system of controls as part of their auditing activities. However,
if the test reveals that controls are weak, the auditors will enhance their use of substantive
testing, which usually increases the cost of an audit. The following are general classifications
of tests of controls:
Reperformance. Auditors may initiate a new transaction, to see which controls are used by
the client and the effectiveness of those controls.
Observation. Auditors may observe a business process in action, and in particular the control
elements of the process.
Inspection. Auditors may examine business documents for approval signatures, stamps, or
review check marks, which indicate that controls have been performed.
Phase 4:Decide planned detection risk and design substantive tests:
The auditor uses the results of the control risk assessment process and tests of controls to
determine the planned detection risk and related substantive tests.The auditor links the
control risk assessments to the balance-related audit objectives.Control risk in the planning
form of the audit risk model directly affects planned detection risk for each audit objective
[PDR=AAR÷(IR.CR).Substantive tests are those designed to substantiate the validity,
accuracy and completeness of amounts appearing in the financial statements and related
notes.Information about internal control is used to assess control risk for each objective,
which affects planned detection risk and planned audit evidence.

Assess control risk:

Once the auditor obtains an understanding of internal control sufficient for audit planning, the
auditor must make an intial assessment of control risk.
4 specific assessment s must be made to arrive at the initial assessment.
(1) Assess whether the financial statements are auditable::
The first assessment is a whether the entity is auditable.Two primary factors determine
auditability(1) The integrity of management. (2) The adequacy of accounting records.

10
The integrity of management : Many audit procedures rely to some extent on the
representations of management. It is difficult for the auditor to evaluate whether inventory is
obsolete without an honest assessment by management. If management lacks integrity,
management may provide false representations,causing the auditor to rely on unreliable
evidence.

The adequacy of accounting records : The accounting records serve as a direct source. If
clients has not kept duplicate sales invoice & vendors invoices, it would usually be
impractical to do an audit.Unless the auditor can identity an alternative source, the only
recourse may be to consider the entity unauditable & issues a disclaimer forms of audit
report.

(2) Determine assessed control risk supported by the understanding obtained ::

After obtaining an understanding of internal control, the auditor makes an initial assessment
of control risk.This assessment is a measure of the auditors expectation that internal controls
will neither material misstatements from occuring nor detect & correct them if they have
occurred.
There are different ways to express this expectation (1) subjective expectations (2) numerical
probabilities.
There are two important considerations about initial assessment ::
1)The auditor doesn't have to make the initial assessment in a formal detailed manner.
2) The auditor believes control risk is low,assessed control risk is limited to that level
supported by the evidence obtained.
(3) Assess whether it is likely that a lower assessed control risk could be supported::
When the auditor believes that actual control risk may be significantly lower than the initial
assessment, the auditor may decide to support a lower assessed control risk.
(4) Determine the appropriate assessed control risk ::
After the auditor completes the initial assessment & considers whether a lower assessed
control risk is likely, the auditor is in a position to decide which assessed control risk should
be used either a level already supported in the initial assessment or lower level.
The auditor typically assess control risk for transactions related audit objectives for each
major type of transactions in each transactions cycle.
1) Identify transaction related audit objectives.
2)Identify specific controls.

11
3) Identify& evaluate weakness :
A four step approach can be used for identifying significant weakness.
(1) Identify existing controls
(2) Identify the absence of key controls
(3) Determine potential misstatements that could result
(4) Consider the possibility of compensating controls.
4)The control risk matrix::
 it assist in the control risk assessment process.
 The auditor uses it to identify both controls orv weakness & to access control risk.

Recommendations :
Internal audits play a critical role in a company’s internal controls & mechanism. As
internal control plays an important role in detecting and preventing fraud and
protecting the organization's resources it's need monitoring very closely by the top
management.Internal audit and compliance functions; enhance communication with
external auditors; and improve the effectiveness and efficiency of their internal
controls.

Conclusion
Controls can be evaluated and improved to make a business operation run more effectively
and efficiently. For example, automating controls that are manual in nature can save costs and
improve transaction processing. If the internal control system is thought of by executives as
only a means of preventing fraud and complying with laws and regulations, an important
opportunity may be missed. Internal controls can also be used to systematically improve
businesses, particularly in regard to effectiveness and efficiency.

12
 Reference
1.Auditing – An integrated Approach-Arens & Loebbecke(Text Book)
2.https://www.academia.edu/12115629/AUDITING_-
_UNDERSTANDING_and_ASSESSING_INTERNAL_CONTROL
3. https://ludwig.guru/s/concern+for+clients
4.https://en.m.wikipedia.org/wiki/Internal_control
5.https://www.investopedia.com/terms/i/internalcontrols.asp

13