Internal Control Evaluation Manual: Internal Control:-Safeguards That Are Put in Place by Management To Address Risks

Internal Control Evaluation Manual

Internal Control: safeguards that are put in place by management to address risks
and to provide reasonable assurance that its operations are proceeding as planned.

Features of Internal Control


● An integral process
○ Pervasive & inherent
○ Built in rather than built on
○ Built in helps in cost control
● Effected by management and other personnel
● Provides reasonable assurance and not absolute assurance
● Achievement of objectives
○ executing orderly, ethical, economical, efficient and effective operations
○ fulfilling accountability obligations
○ complying with applicable laws and regulations
○ safeguarding resources against loss, misuse and damage.

Components of Internal Control


● Control environment
● Risk assessment
● Control activities
● Information and Communication
● Monitoring
* These are inter-related components.
* There is a direct relation between the objectives and the components of internal control.
* This relationship is depicted in a 3-D matrix in the form of a cube, i.e.
○ 4 objectives represented by vertical columns
○ 5 components represented by horizontal rows
○ organisation/entity depicted by the third dimension

Control environment
➔ Represent overall attitude, awareness and actions of management
➔ Foundation for entire internal control system
➔ Provides structure and discipline
➔ Sets the tone of the organisation

Elements of Control Environment


● the personal and professional values of management
● commitment to competence
● the “tone at the top”
● organisational structure
● human resource policies and practices.

Risk Assessment
➔ Process of identifying and analysing relevant risks
➔ Plays key role in selection of appropriate control activities
➔ Setting objectives is a pre-condition to risk assessment

Elements of risk assessment


● Risk identification (ongoing and iterative process)
● Risk evaluation
● Risk profile (high, medium, low)
● Development of responses (4 types of responses are considered: transfer,
tolerance, treatment, termination)

Control Activities
➔ Preventive and detective in nature
➔ Policies and procedures to address risk and to achieve objectives
➔ should be appropriate, consistent, comprehensive, reasonable and cost effective
(i.e. cost of implementing the control should not exceed the benefits derived)
Examples of Control Activities
(i) authorization and approval procedures
(ii) segregation of duties (authorizing, processing, recording, reviewing)
(iii) controls over access to resources and records
(iv) verifications
(v) reconciliations
(vi) reviews of operating performance
(vii) reviews of operations, processes and activities
(viii) supervision (assigning, reviewing and approving, guidance and training)

IT Control Activities
● General Controls
● Application Controls

General Controls
Apply to all or a large segment of organisation’s information system
Example:
➔ entity-wide security program planning and management
➔ access controls
➔ controls on the development, maintenance and change of the application
software
➔ system software controls
➔ segregation of duties, and
➔ service continuity

Application Controls
Apply to separate, individual application system i.e. related to individual
applications
Example:
➔ Input control
➔ Processing control
➔ Output control
➔ master/standing data file control

Information & Communication


● Information is needed at all levels of an organisation in order to have effective
internal control and achieve the entity’s objectives
● Quality of information
(i) Appropriate (ii) Timely (iii) Latest (iv) Accurate and (v) Accessible
● Effective communication should occur in all directions
Monitoring
➔ Management of organisation is primarily responsible for establishing and
maintaining internal controls
➔ The system of internal control must be under continuing supervision by
management
to determine that it is functioning as prescribed

Internal Control Audit includes-


● Internal Audit (by the internal audit unit of the organisation)
● External Audit (by an external auditor, i.e. CAG)
Internal audit units in Government Departments are confined mainly to accounting
work.
Internal auditors examine the effectiveness of internal control and recommend
improvements, but they do not have primary responsibility for establishing or
monitoring it.
The objective of internal auditing is to assist members of the organisation in the
effective discharge of their responsibilities.
CAG, as an external auditor, encourages and supports the establishment of effective
internal control in the government.
The external auditor should study the internal audit reports, working papers, and the
compliance with and settlement of internal audit findings.
The external auditors need to develop a good working relationship with the internal audit
unit so that experience and knowledge can be shared and both can work together so that
the benefits to be gained are maximized.
Internal and external auditors have different roles.

Note: Auditing standards of CAG state that study and evaluation of internal control is
carried out according to the type of audit.

➔ In the case of regularity (financial audit), mainly such controls are evaluated that
assist in safeguarding assets and resources, and assure the accuracy and
completeness of accounting records
➔ In the case of regularity (compliance audit), such assessment is mainly of
controls that assist management in complying with laws and regulations
➔ In the case of performance audit, such controls are evaluated that assist in
conducting the business of the audited entity in an economic, efficient and
effective manner.

Audit Risk - risk of a material misstatement of financial statement included in the
audited financial statement

● Audit risk varies from 0 to 1


● Practically, audit risk is always greater than 0
(due to limitations in both accounting and auditing)

Audit Risk = Inherent Risk * Control Risk * Detection Risk

i.e. AR = IR * CR * DR
Or Audit Risk = RMM * {1 – Pr(Do)}
Where,
IR -> risk that a material misstatement may occur in the unaudited financial statements
CR -> risk that a material misstatement will not be detected/corrected by the entity
DR -> risk that a material misstatement will not be detected by the auditor
RMM -> the risk of a material misstatement of a financial statement item in the
unaudited financial statements
{1 – Pr(Do)} -> the risk that the misstatement will not be detected by the auditor
(equal to one minus the probability of detection by the auditor)

Concept of audit risk


(i) Acceptable level of audit risk
(the risk of material misstatement in financial statements that is acceptable to the
auditor)

(ii) Achievable level of audit risk
(the risk that the audited financial statements will contain a material misstatement)

For example, if there is:
80% inherent risk
30% probability that it would be detected by the entity
40% probability that it would be detected by the auditor
then, Audit risk = ??

Audit Methodology
It includes:-
● Evaluation of the adequacy of existing internal control arrangements
● Testing the actual operation of Internal Controls
Evaluation of the adequacy of existing internal control arrangements
➔ Start with higher level controls, for example, strategic planning, which affect the
whole system, and work down to the lower level controls such as those over
individual transactions
➔ There is no absolute measure of what constitutes adequate control. Auditors
must use their judgement in determining which level of control is appropriate in
the light of their evaluation of the risk and materiality involved
➔ The auditors should use professional judgement in determining whether
controls are adequate or not.
➔ The most common tools used in evaluation of the internal control are
FLOWCHARTING and QUESTIONNAIRE

Flowcharting
A diagrammatic method of recording and describing a system which can show the flow
of documents, information or processes and the related controls within that system.
Questionnaire
A series of questions which the auditor may wish to ask to understand and evaluate an
internal control system

Testing the actual operation of Internal Controls


➔ Understanding the works
➔ May be undertaken at different stages in an audit depending upon the purpose
of the test
Types of test
● Walk through test
● Compliance Testing
Walk Through Test
➔ By this test, the auditor looks primarily for evidence of the existence of controls.
➔ Tests are designed to confirm the auditor's understanding of how a system
operates which is derived from a combination of observation, interviews, and
examination of management's documentation of the system.
➔ This may involve examining a number of different transactions at each stage of
the process or following the same transaction from start to finish

Compliance Testing
➔ This is used to obtain assurance that controls established by management are
operating as intended and are effective.
➔ Errors found in compliance testing may indicate control weakness but they do not
demonstrate positively that the system is failing to achieve its objectives.

Testing Strategy & Process


(i) Planning
(ii) Period of Testing
(iii) Level of Testing

Techniques for testing controls


● Observation
used when there is no permanent record of activities

● Interviewing
used when evidence is absent or unclear

● Analysis
Where a transaction or process comprises a set of interrelated parts, the
auditor may need to analyze and verify each part before forming a judgement about
the whole

● Verification
used for confirming the truth, accuracy or validity of transactions.
It involves-
➔ Comparison (with some ascertainable facts or set standards)
➔ Confirmation (checking with third parties)
➔ Vouching (checking a transaction against supporting documentation)
● Re-performance
used where calculations or measurements have been checked as a control

● Test data
used for testing computerized systems, but may also be used in manual system

1. Who is responsible for establishing and maintaining the system of internal control?
a) Auditor
b) Government
c) Creditor
d) management

2. A well designed and operated, internal control system can provide


a. only absolute assurance
b. only reasonable assurance
c. only complete assurance
d. partially absolute and partially reasonable assurance

3. If there was a 50% risk of a material misstatement in a financial statement item in the
unaudited financial statements and a probability of 80% that the misstatement would be
detected by the auditor, audit risk would be equal to
a. 0.10%. b. 0.20%
c. 0.50% d. 0.40%

4. IT Control Activities are of


a. two types-General and Application
b. two types-Normal and Specific
c. three types-General, Application and Targeted
d. three types-Normal, Specific and High End

5. In practice, audit risk is


a. always greater than zero
b. always lesser than zero.
c. always equal to zero
d. All of the above

6. Assurance that recognizes that the cost of internal control should not exceed the
benefit derived is
a. Absolute assurance b. Reasonable assurance
c. Rational assurance d. Practical assurance

7. Two most common tools used in evaluation of the internal control are
a. Interview and Walk through Test
b. Flowcharting and Questionnaire
c. Survey and Interview
d. Organisational set-up and Survey

8. Components of Internal Control include


a. control environment, risk assessment, control activities and information and
communication
b. control environment, risk assessment, control activities, information and
communication and monitoring
c. control environment, risk assessment, control activities, information and
communication, monitoring and corrective measure
d. control environment, risk assessment, control activities, information and
communication, monitoring, corrective measure and feedback.

9. Pick the incorrect one regarding internal control


a. The system of internal control must be under continuing supervision by
management to determine that it is functioning as prescribed
b. Regular receipt of government orders, rules, regulation etc. by field formations
denotes weak control
c. Regular reporting system for management control. Absence of reporting system
through periodical returns indicates weak control system
d. A system of communication with internal audit. Internal audit not informed timely
about the system breaches reflects a weak control.

10. Objectives of Internal Control are to ensure


i. executing orderly, ethical, economical, efficient and effective operations
ii. fulfilling accountability obligations
iii. assisting external auditor in course of evaluation of internal control
iv. complying with applicable laws and regulations
v. Safeguarding resources against loss, misuse and damage.
a. i, ii, iii and iv b. i, ii, iv and v
c. i, iii, iv and v d. All of the above

11. Four types of responses to risk must be considered


a. transfer, tolerance, treatment or termination
b. allocate, accept, action or alleviate
c. distribute, deliberate, design or dissolution
d. caution, care, cure or culmination.

12. The acceptable level of audit risk (AR) is the risk of a material misstatement in
financial statements that is acceptable to
a. The head of the audit entity b. The auditor
c. The State Government d. The PAC/COPU

13. Pick the incorrect one


a. Quality of information should be Appropriate, Timely, Latest, Accurate and Accessible
b. Effective communication should occur in top to down direction
c. One of the most critical communication channels is that between the management
and its staff. Management must be kept up to date on performance, developments, risks
and the functioning of internal control
d. None of the given

14. Checking a transaction against supporting documentation, for example, a payment
to a supplier against the corresponding purchase order and stock entry is known as
a. comparison b. confirmation
c. vouching d. Verification

15. The formula for calculation of Audit Risk is


a. Audit Risk = Inherent Risk x Control Risk
b. Audit Risk = Inherent Risk x Detection Risk
c. Audit Risk =Inherent Risk x Performance Risk
d. Audit Risk = Inherent Risk x Control Risk x Detection Risk

16. The effectiveness of internal controls depends on


a. Adequacy of computer system
b. Proper implementation by management
c. ability of internal audit staff to maintain it
d. Competency and dependability of people using it

17. Tests of control are not concerned with


a. Existence of controls
b. Effectiveness of controls
c. Continuity of controls
d. Designing of controls

18. Which of the following is the principal purpose of evaluation of internal control
system by an auditor?
a. Checking efficiency of management
b. Issuance of letter of weakness of internal control
c. checking compliance with auditing standards
d. Determining nature, timing and extent of audit procedures

19. There is a relationship between Detection Risk and the combined level of Inherent
and control risk
a) Proportionate
b) Inverse
c) Direct
d) Positive
