ACCA AA Draft

Internal control systems

Internal control is:
The process designed, implemented and maintained by those charged with governance,
management, and other personnel to provide reasonable assurance about the achievement
of an entity's objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations, and compliance with applicable laws and regulations.

(ISA 315 (Revised): para. 4(c)

Internal control has five components:

The control environment

Lecture support notes by Alan Biju Palak

The entity's risk assessment process

The information system relevant to financial reporting

Control activities

Monitoring of controls 


Control environment
Control environment includes the governance and management functions and the
attitudes, awareness and actions of those charged with governance and management
concerning the entity's internal control and its importance in the entity (ISA 315
(Revised): para. A76).

ISA 315 ((Revised): para. 14), states that auditors shall have an understanding of the
control environment. As part of this understanding, the auditor shall evaluate whether:

• (a)  Management has created and maintained a culture of honesty and ethical
behaviour. 


• (b)  The strengths in the control environment provide an appropriate foundation for
the other components of internal control and whether those components are not
undermined by deficiencies in the control environment. 


For any queries - alanbiju31@gmail.com Page 1

ACCA AA Draft

The auditor shall assess whether these elements of the control environment have been
implemented using a combination of enquiries of management and observation and
inspection

Entity's risk assessment process

ISA 315 ((Revised): para. 15), says the auditor shall obtain an understanding of whether
the entity has a process for:

Identifying business risks relevant to financial reporting objectives

Estimating the significance of the risks

Lecture support notes by Alan Biju Palak

Assessing the likelihood of their occurrence

Deciding on actions to address those risks 


Information system relevant to financial

reporting 

The information system relevant to financial reporting is a component of internal control
that includes the financial reporting system, and consists of the procedures and records
established to initiate, record, process and report entity transactions (as well as events and
conditions) and to maintain accountability for the related assets, liabilities and equity (ISA
315 (Revised): para A89).

Control activities 

Control activities are those policies and procedures that help ensure that management
directives are carried out (ISA 315 (Revised): para. A96).

For any queries - alanbiju31@gmail.com Page 2

ACCA AA Draft

Control activities include those activities designed to prevent or to detect and correct
errors. 


๏  Authorisation.

๏  Comparison.

๏  Computer controls.

๏  Arithmetic controls.

๏  Maintaining trial balances and control accounts.

Lecture support notes by Alan Biju Palak

๏  Accounting reconciliations.

๏  Physical control.

๏ Segregation of duties.

Monitoring of controls
Monitoring of controls is 'a process to assess the effectiveness of internal control
performance over time. It involves assessing the effectiveness of controls on a timely
basis and taking necessary remedial actions' (ISA 315 (Revised): para. A106)

For any queries - alanbiju31@gmail.com Page 3

ACCA AA Draft

The evaluation of internal control

components
Tests of control

Tests of control are tests performed to obtain audit evidence about the effectiveness of
the:

Design of the accounting and internal control systems, ie whether they are suitably
designed to prevent, or detect and correct, material misstatement at the assertion level;

Lecture support notes by Alan Biju Palak

and

Operation of the internal controls throughout the period.

(ISA 330: para. 4(b)

Tests of control may include the following:

(a)  Inspection of documents supporting controls or events to gain audit
evidence that internal controls have operated properly, eg verifying that a
transaction has been authorised 


(b)  Enquiries about internal controls which leave no audit trail, eg determining
who actually performs each function, not merely who is supposed to perform it 


(c)  Reperformance of control procedures, eg reconciliation of bank accounts,

to ensure they were correctly performed by the entity 


(d)  Examination of evidence of management views, eg minutes of

management meetings 


(e)  Testing of internal controls operating on computerised systems or over the

overall IT function, eg access controls



For any queries - alanbiju31@gmail.com Page 4

ACCA AA Draft
(f)  Observation of controls to consider the manner in which the control is being
operated 


Auditors should consider:

How controls were applied

The consistency with which they were applied during the period

By whom they were applied 


(ISA 330: para. 10) 


The inherent limitations of internal

Lecture support notes by Alan Biju Palak

controls
• Cost v benefit.
• Human error
• Collusion.
• Bypass of controls.
• Non-routine transactions.

Internal controls in a computerised

environment
General IT controls are:

Policies and procedures that relate to many applications and support the effective
functioning of application controls by helping to ensure the continued proper operation of
information systems. General IT controls commonly include controls over data centre and
network operations; system software acquisition, change and maintenance; access
security; and application system acquisition, development and maintenance.

(IFAC, 2016(b))

For any queries - alanbiju31@gmail.com Page 5

ACCA AA Draft
Application controls are:

Manual or automated procedures that typically operate at a business process level.

Application controls can be preventative or detective in nature and are designed to ensure
the integrity of the accounting records. Accordingly, application controls relate to
procedures used to initiate, record, process and report transactions or other financial data.

(IFAC, 2016(b))

General controls
• Development of computer applications

Lecture support notes by Alan Biju Palak

• Prevention or detection of unauthorised changes to programs
• Testing and documentation of program changes
• Controls to prevent wrong programs or files being used
• Controls to prevent unauthorised amendments to data files
• Controls to ensure continuity of operation

Application controls
• Controls over input: completeness
• Controls over input: accuracy
• Controls over input: authorisation
• Controls over processing
• Controls over master files and standing data

Testing of application controls

Manual controls exercised by the user
Controls over system output
Programmed control procedures

For any queries - alanbiju31@gmail.com Page 6