
TOPIC 2

INTERNAL CONTROL

Topic overview

In topic 1 you learnt about corporate governance and statutory matters. The
aim of this topic is to explain and apply the theory of internal control as an
important aspect of corporate governance. We will explain this according to the
objectives and the components of internal control in chapter 5 of Auditing notes.
We will also explain and apply general and application controls in a
computerised environment as part of control activities in chapter 8 of Auditing
notes.

We will cover the need for the external auditor to understand a client's internal
control in order to identify significant risks.

This topic is divided into the following lessons:

Lesson and section: Title

2.1 Internal control
    2.1.1 Definition of internal control
    2.1.2 Limitations of internal control
2.2 Components of internal control
    2.2.1 Control environment
    2.2.2 Risk assessment
    2.2.3 Monitoring of controls
    2.2.4 Information system
    2.2.5 Control activities
    2.2.6 Designing a system of internal control
2.3 Controls in a computerised environment
    2.3.1 General controls
    2.3.2 Application controls
2.4 Internal control from the perspective of the external auditor
    2.4.1 Obtaining an understanding of internal control
    2.4.2 Significant risks

Learning outcomes

In this topic we focus on the following learning outcomes:

Lesson 2.1 Internal control
• Define and explain internal control. (Level 2)
• Explain the limitations of internal control. (Level 2)

Lesson 2.2 Components of internal control
• Describe, explain and apply the five components of internal control.
  (Level 2)

Lesson 2.3 Controls in a computerised environment
• Describe, explain and apply general controls in a computerised
  environment. (Level 2)

Lesson 2.4 Internal control from the perspective of the external auditor
• Explain and apply application controls in a computerised environment.
  (Level 2)
• Explain the need for the external auditor to understand a client’s internal
  control in order to identify significant risks. (Level 2)

LESSON 2.1

INTERNAL CONTROL

INTRODUCTION

You learnt about the importance of good corporate governance to a business
and its stakeholders in topic 1. Principle 15.40 of King IV states that the
governing body should assume responsibility for assurance by setting the
direction concerning the arrangements for assurance services and functions.
The audit committee, if in place, is responsible for ensuring that those
arrangements achieve the objective of enabling an effective internal control
environment.

2.1.1 DEFINITION OF INTERNAL CONTROL

As stated in your prescribed book by Richard, Roets, Adams and West
(2021:5/2-5/3), internal control is designed to address and limit potential risks.

STUDY
● Richard et al (2021:5/2–5/3), section 1

Do you think that the same system of internal control will be
appropriate and adequate for different entities?

The way in which the system of internal control is designed and maintained
varies with the size and complexity of the entity concerned, as well as with
the risks faced by the particular entity.

ACTIVITY 1
Identify and explain six key characteristics of internal control that you have
learnt.

From the above aspects of internal control it is clear that although the board of
directors is responsible overall for the governance of risk, everyone in the
business carries responsibility for the implementation and execution of internal
controls.

The board of directors has the overall responsibility and accountability.
Management identifies risks and designs and implements policies and
procedures to address risks, whereas the employees execute internal control
procedures. Therefore, it is clear that success depends on all parties involved.

STUDY
• Richard et al (2021:5/4), section 3

ISA 315.4(c) defines internal control as the system designed, implemented
and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an
entity’s objectives with regard to

• the reliability of the entity’s financial reporting
• the effectiveness and efficiency of its operations
• its compliance with applicable laws and regulations

2.1.2 LIMITATIONS OF INTERNAL CONTROL

Your prescribed textbook by Richard et al (2021:5/3) correctly indicates that
internal control does not provide absolute assurance that the risks threatening
the achievement of the objectives of the business will be adequately responded
to. This is due to the inherent limitations of internal controls.

STUDY
• Richard et al (2021:5/3–5/4), section 2

ACTIVITY 2
Management designs an internal control system, which theoretically
addresses risk. List four inherent limitations of internal control and 2
circumventions of internal controls and provide an example of each.

Now that you are familiar with how you should study, remember to always
compare your answers with those provided in the feedback after you have
attempted them on your own first.

SUMMARY
In this lesson we explained the definition and limitations of internal control. We
also explained that internal control is a response to risk and that the entity’s
objectives are achieved by implementing internal controls.

After you have worked through the lessons and study material, you
should be able to

• explain and apply the theory of internal control and internal control
objectives with reference to management assertions
• explain the limitations of internal control

LESSON 2.2

COMPONENTS OF INTERNAL CONTROL

INTRODUCTION

Internal control consists of the following five components (Richard et al
2021:5/5):

1. control environment
2. risk assessment process
3. information system and communication
4. control activities
5. monitoring of controls

How are you going to remember this? Sometimes you will come up with
innovative ways to remember data, e.g. use a mnemonic to remember the
control components.

It will be a CRIME if a company does not have internal controls:

Control activities
Risk assessment process
Information system and communication
Monitoring of controls
Control Environment

Internal controls in a computerised environment are part of the system of
internal control of an entity. It is important to keep this in mind when studying
the components of internal control. We will explain general and application
controls in a computerised environment in detail in lesson 2.3.

STUDY
• Richard et al (2021:5/5), section 4
• Richard et al (2021:8/4–8/10), section 2

Watch this 3-minute video on internal controls. It will give you an
overall summary before you start in detail with the different components of
internal controls. Remember to answer the questions at the end of the video.

https://web.microsoftstream.com/video/7a82e27a-7771-48cf-9f2a-c910510c3a71

Let’s look at the five components of internal control now in more detail.

2.2.1 CONTROL ENVIRONMENT

STUDY
• Richard et al (2021:5/5–5/6), section 5.1.4.1

As stated in Richard et al (2021:5/5), the control environment sets the tone of
the entity and creates the atmosphere in which employees go about their
duties. The desirable mindset is one of “doing things the right way”.

2.2.2 RISK ASSESSMENT


Principle 11 of King IV deals with risk management, which includes the
identification and evaluation of risks pertaining to the organisation. This is
followed by the adequate response to the risks identified and evaluated.

Risk assessment is referred to as the overall process of risk identification, risk
quantification and risk evaluation.

For financial reporting purposes, the entity’s risk assessment process includes
how management identifies business risks relevant to the preparation of
financial statements in accordance with the entity’s applicable financial
reporting framework, estimates their significance, assesses the likelihood of
their occurrence and decides on actions to manage them and their results
(IFAC 2019:88). For example, the entity’s risk assessment process may
address how the entity considers the possibility of unrecorded transactions or
identifies and analyses significant estimates recorded in the financial
statements (IFAC 2019:88).

STUDY
• Richard et al (2021:5/7–5/8), section 5.1.4.2

Why is risk assessment important?

Risk assessment is important because internal controls are designed and
implemented as a response to assessed risks. It is therefore critical that the
risk assessment process be comprehensive, accurate, thorough and complete.

2.2.3 MONITORING OF CONTROLS


As stated in Richard et al (2021:5/8), the monitoring of controls involves the
assessment of internal control performance over time. If controls are not
monitored, the board or management will not know if the entity’s financial
reporting is reliable and whether the laws, regulations and company policies
are being complied with.

STUDY
• Richard et al (2021:5/8–5/9), section 5.1.4.3

2.2.4 INFORMATION SYSTEM


Your prescribed textbook by Richard et al (2021:5/9) explains that the objective
of the information system and its subpart, the accounting system, is to produce
information that is valid (the transactions and events underlying the information
actually occurred and were authorised), accurate and complete and
produced in good time.

Each day numerous transactions with financial implications occur and are
processed, for example transactions when the entity sells food, buys materials
or even pays salaries. The accounting system documents the path that each
transaction follows in the entity from where the transaction is initiated to the
inclusion of an amount or disclosure in the financial statements.

Initiate → Record → Process → Report

Figure 2.2.1: Typical four stages of every transaction

From the initiation to the reporting of transactions and the inclusion in the
financial statements, transactions flow through various business processes,
also referred to as transaction cycles. The following transaction cycles are
identified. We will discuss the processes in more detail in topics 3-8.

Transaction cycles:

• Revenue and receipts cycle
• Acquisitions and payments cycle
• Inventory and production cycle
• Payroll and personnel cycle
• Finance and investment cycle

Figure 2.2.2: Transaction cycles (business processes) of a business

STUDY
• Richard et al (2021:5/9–5/11), section 5.1.4.4

2.2.5 CONTROL ACTIVITIES


The entity's objective relating to financial reporting, namely to record and
process only transactions (and events) which have occurred and pertain to the
entity, and which are recorded and processed accurately and completely, can
only be realised in the information system with the implementation of control
activities. What do we mean by this?

General principles
Control activities are the actions which are carried out to manage or reduce
risks (Richard et al 2021:5/11) and to achieve the entity’s objectives of
providing reliable financial reporting, having effective and efficient operations
and complying with the laws and regulations.

STUDY
• Richard et al (2021:5/11–5/16), section 5.1.4.5

Note the following types of control activities:

• approval, authorisation
• segregation (division) of duties
• isolation of responsibility
• physical or logical controls
• reconciliation
• verification

Also note that the control activities can be preventive, detective or corrective
in nature.

ACTIVITY 3

Twinkles Groceries (Pty) Ltd

Twinkles Groceries (Pty) Ltd is a large local grocery store. At the start of a
cashier’s shift, the cashier must use a username and password to log onto
his/her till. If the cashier accidentally makes a mistake, for example scans an
item twice, he/she has to call the manager to authorise a correction. The
manager will first ask what happened and determine if the information provided
is true, before entering a password. When all the items have been scanned,
the total amount due is automatically calculated and shown on the screen. At
the door to the store, a security guard will check the customer’s bag of
groceries against the customer's till slip.

REQUIRED
Identify the internal controls implemented by Twinkles and link each of them to
a type of control activity.

ACTIVITY 4
1. For each of the six types of control activities, give an example of what
could go wrong (risks) in the absence of the effective working of the
control activity.

2. Clearly indicate the difference between segregation of duties and
isolation of responsibilities.

ACTIVITY 5
Internal control

You have been assigned to the task of completing SoftWorld (Pty) Ltd’s internal
control questionnaire. The following policies and procedures implemented
have been noted regarding the internal control of the firm:

a) Regular meetings are held at divisional and departmental levels to consider
the risks at specific levels within the organisation.

b) Weekly reports on invoicing and debt collection are produced by the online
system and are reviewed by management.

c) When goods are delivered by a supplier, the receiving clerk counts the
goods and then signs the delivery note as proof that he was responsible
for receiving the delivery.

d) From inspection of the minutes of the board of directors’ meetings it
appears as though all directors are involved in the decision-making
process.

e) Procedures are in place to resolve incorrect processing of transactions.

f) The entity operates within specific operating guidelines and time is taken
by management to create and implement systems and procedures.

REQUIRED
Based on the information given regarding the entity's internal control, do the
following:

1. List the five (5) components of internal control.
2. For each of the policies and/or procedures described in (a) to (f) in the
scenario, identify the relevant component of internal control it relates to.

2.2.6 DESIGNING A SYSTEM OF INTERNAL CONTROL


How is a system of internal control designed? Refer to your textbook by Richard
et al (2021:5/7-5/8).

1. Identify risk
• Identify the risks associated with a particular transaction or
  class of transactions (things that could go wrong).

2. Formulate control objective
• Formulate the control objectives for the particular transaction
  or class of transactions (what the system is required to
  ensure or achieve in respect of the particular transaction).

3. Design proper system of internal control
• Use the five components of a system of internal control to
  design a proper system of internal control to address the
  risks for that particular transaction or class of transactions.
• Implement, maintain and monitor the system of internal
  control as designed.

Figure 2.2.3: Steps to design a system of internal control (adapted from
Richard et al 2021:5/5-5/16)

Let’s do an example together.

Step 1: Identify the risks

Determine the risks associated with each class of transactions flowing through
the accounting system.

To formulate a properly described risk, both the indicator and consequence of
the risk for the entity should be included.

Examples of risks relating to credit sale transactions:


• Sales are made to customers who are not creditworthy (indicator) and
cannot pay their debt, resulting in irrecoverable debts and financial
losses (consequence).
• Orders placed and authorised are not all executed and the goods are
not all delivered to the customer (indicator), leading to dissatisfied
customers (consequence).
• The goods delivered to the customer do not agree with what was
originally ordered by the customer (indicator), resulting in dissatisfied
customers, problems with invoicing, unsettled debts and financial losses
to the entity (consequence).

Step 2: Formulate the control objectives

Control objective: Generic definition of meaning

Validity:
• All transactions and events that are executed were properly authorised in
  accordance with management’s policy.
• All transactions and events that are recorded
  o occurred
  o in a timely manner and
  o are supported by sufficient documentation

Completeness:
• All transactions and events that occurred during the period
  o are recorded
  o in a timely manner, and
  o no transactions or events are omitted

Accuracy:
• Transactions and events are recorded
  o at the correct amounts (correct quantity, prices and calculations)
  o are correctly classified in terms of the entity’s chart of accounts
  o are correctly summarised and posted to the entity’s accounting records

Note: It is vital that you understand the generic meaning of the three
control objectives, as they are the foundation on which entities, business
cycles and the accompanying accounting systems are built.

Step 3: Design a system of appropriate internal control

Once the risks have been identified and the control objectives for every class
of transaction have been formulated, the next step is to design a system of
internal control. The control objective indicates what management wants to
achieve to address the risk, and the internal control is how management
intends to achieve the control objective.

DIFFERENCE BETWEEN FINANCIAL OBJECTIVES, OPERATIONAL OBJECTIVES
AND COMPLIANCE OBJECTIVES

Some of the internal controls that an entity implements will be more important
from a financial reporting perspective than others. As discussed in lesson 2.1,
the objectives of internal control include

• reliability of the entity’s financial reporting (financial objectives)
• effectiveness and efficiency of its operations (operational objectives)
• compliance with applicable laws and regulations (compliance
  objectives)

An example of an operational objective is access to sensitive information. The
operational controls that you put into place have to be designed with the
achievement of your control objectives in mind, so they would be things such
as locked doors, video monitoring, security guards, logical access controls,
visitor badges and sign-ins.

Remember to do the activities dealing with the content of this topic before
continuing with the rest of your studies. Keep your answers and notes in a
notebook that you know won't get lost so that you are able to refer to
them again when you do your revision.

SUMMARY
In this lesson we explained the five components of internal control.

After you have worked through the lessons and study material, you
should be able to

• explain the theory of internal control and internal control objectives with
reference to management assertions
• describe the five components of internal control
• describe the process that should be followed to ensure that proper risk
management takes place
• list and briefly explain the various risk responses available to
management to address risk
• identify and describe the various control activities (internal control
measures) that can be implemented to ensure that risk is mitigated
appropriately
• explain why a system of internal control can only provide reasonable
assurance about the achievement of the entity’s control objectives
• list, explain and identify the generic control objectives
• describe the relationship between control objectives and assertions
• explain and illustrate the process that should be followed to design a
proper system of internal control
• match risks to control objectives
• describe the relationship between control objectives and internal control

LESSON 2.3

CONTROLS IN A COMPUTERISED ENVIRONMENT

INTRODUCTION
General and application controls in a computerised environment are an integral
part of the total system of internal control of an entity and touch on all
components of internal control.

Although the information system component is not evident under general and
application controls, the information system underlies internal controls in a
computerised environment, as this is where the controls are implemented.

General and application controls can be manual (physical) or computerised
(logical).

STUDY

• Richard et al (2021:8/3–8/10)

Let’s look at general and application controls in more detail.

2.3.1 GENERAL CONTROLS


General controls are defined as those controls which establish an overall
framework of control for computer activities, and they span across all
applications (Richard et al 2021:8/10). General controls are very important. As
general controls operate “around” the application controls, if your general
controls are not adequate, the application controls might not be of much use.

The IT general controls can be categorised as follows:

[Figure: diagram of the IT general control categories. Labels shown: Access
controls (physical access controls, logical access controls); Change
management; Continuity of operations; System development and implementation
controls; System software and operating controls; End-user computing; Risk
assessment performed; Social media; Environmental controls; Disaster recovery;
Backup strategy; In-house development; Packaged software; Retiring
application; Interface management.]

Figure 2.3.1: IT general controls (adapted from Richard et al 2021)

Note the following:

• The term “computerised environment” refers to any particular and unique
  combination of hardware, software and personnel (Richard et al
  2021:8/3).

Before you turn to your textbook, watch the following video by clicking
on the link below.

https://web.microsoftstream.com/video/7237c3ba-0b3a-4bd1-a813-57bb91f8a54e

This video is part 1 of 3 that discusses the application and general controls.
The following topics are discussed in this video:
• difference between application and general controls
• summarised overview of general controls
• introduction to application controls

STUDY
• Richard et al (2021:8/10–8/40)

Do you use the same password for all your accounts? Have you
changed your passwords recently and what password controls were present?

ACTIVITY 6
Access controls in a computerised environment are important as the
consequences of unauthorised access to a system can be disastrous for a
company.

REQUIRED
1. Describe the physical access controls that should be present to ensure
proper internal control in a computerised environment.
2. Give examples of preventive logical access controls in a computerised
environment.
3. Explain what control over passwords entails as part of logical access
controls.

2.3.2 AUTOMATED APPLICATION CONTROLS


Richard et al (2021:8/40) define application controls as any control within an
application which contributes to the accurate and complete recording and
processing of transactions that have actually occurred and that have been
authorised (occurred, accurate and complete information).

The stages through which a transaction flows through the system can be
described as input, processing and output, and application controls can be
described in terms of these activities, e.g. an application control relating to
input.

In addition to implementing controls over input, processing and output, controls
must be implemented over masterfiles. A masterfile is a file which is used to
store only standing information and balances, e.g. the debtors masterfile will
contain the debtor’s name, address, contact details, credit limit, etc. The
masterfile is a very important part of producing reliable information and must
be strictly controlled.

The objective of controls in a computerised accounting environment is
generally centred on the occurrence, authorisation, accuracy and
completeness of data and information processed by and stored on computer.

Occurrence and authorisation are concerned with ensuring that transactions
and data

• are not fictitious (they have occurred) or fraudulent in nature
• are in accordance with the activities of the business and have been
  properly authorised by management

Accuracy is concerned with minimising errors by ensuring that data and
transactions are correctly captured, processed and allocated.

Completeness is concerned with ensuring that data and transactions are not
omitted or incomplete.
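
The sketch below shows how input-stage program checks can enforce occurrence and authorisation, accuracy and completeness when credit sales orders are captured against a debtors masterfile. It is an added example, not part of the original study guide or the prescribed textbook; the masterfile records, order number format, quantity limit and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed debtors masterfile: standing information and balances only.
DEBTORS_MASTERFILE = {
    "D1001": {"name": "Acme Traders", "credit_limit": 50000.0, "balance": 42000.0},
    "D1002": {"name": "Blue Crane CC", "credit_limit": 10000.0, "balance": 0.0},
}
ORDER_NO = re.compile(r"SO(\d{6})")  # hypothetical document number format
MAX_QUANTITY = 1000                  # hypothetical reasonableness limit


@dataclass
class Order:
    order_no: str
    debtor_id: str
    quantity: int
    unit_price: float
    approved_by: Optional[str] = None  # manager who authorised an over-limit sale


def validate_order(order, masterfile, balances):
    """Run the input checks on one order; return (failed_checks, override_used)."""
    failures, override_used = [], False
    if not ORDER_NO.fullmatch(order.order_no):
        failures.append("format check")
    if not 0 < order.quantity <= MAX_QUANTITY or order.unit_price <= 0:
        failures.append("reasonableness check")
    debtor = masterfile.get(order.debtor_id)
    if debtor is None:
        # The customer must already exist on the masterfile.
        failures.append("existence check")
    elif not failures:
        exposure = balances[order.debtor_id] + order.quantity * order.unit_price
        if exposure > debtor["credit_limit"]:
            if order.approved_by:
                override_used = True  # accepted, but listed on the override report
            else:
                failures.append("credit limit check")
    return failures, override_used


def missing_order_numbers(order_nos):
    """Sequence check: return the gaps in the order numbers presented."""
    nums = sorted(int(m.group(1)) for m in map(ORDER_NO.fullmatch, order_nos) if m)
    if not nums:
        return []
    present = set(nums)
    return [f"SO{n:06d}" for n in range(nums[0], nums[-1] + 1) if n not in present]


def process_batch(orders, masterfile):
    """Validate a batch and return accepted orders plus the control reports."""
    # Work on a copy so the constructed masterfile is not modified by this example.
    balances = {d: rec["balance"] for d, rec in masterfile.items()}
    accepted, exceptions, overrides = [], [], []
    for order in orders:
        failures, override_used = validate_order(order, masterfile, balances)
        if failures:
            exceptions.append((order.order_no, failures))
            continue
        balances[order.debtor_id] += order.quantity * order.unit_price
        accepted.append(order.order_no)
        if override_used:
            overrides.append((order.order_no, order.approved_by))
    return {
        "accepted": accepted,
        "exceptions": exceptions,   # exception report for follow-up
        "overrides": overrides,     # override report for management review
        "missing": missing_order_numbers([o.order_no for o in orders]),
    }


# Constructed batch of credit sales orders.
BATCH = [
    Order("SO000101", "D1001", 10, 500.0),
    Order("SO000102", "D1001", 10, 500.0),   # pushes D1001 over its credit limit
    Order("SO000103", "D9999", 5, 100.0),    # debtor not on the masterfile
    Order("SO000105", "D1002", 30, 400.0, approved_by="manager01"),
    Order("SO-106", "D1002", 5000, 10.0),    # bad number format and quantity
]

if __name__ == "__main__":
    for report, entries in process_batch(BATCH, DEBTORS_MASTERFILE).items():
        print(report, entries)
```

Rejected orders land on an exception report, the over-limit sale approved by a manager appears on an override report, and the gap in the order numbers is flagged for follow-up.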

Before you turn to your textbook, watch the following video by clicking
on the link below.

https://web.microsoftstream.com/video/d66be3f6-b2fe-43bb-b99d-ca586cfd80c1

This video is part 2 of 3 that discusses the application and general controls.
The following topics are discussed with examples in this video:
• different types of application controls
• access controls
• screen aids
• program controls

Part 3 of 3

https://web.microsoftstream.com/video/4709cb02-1f0a-490a-8c33-fad8806cf006

This video is part 3 of 3 that discusses application and general controls.
The following topics are discussed in this video:
• batch controls
• process controls
• output controls
• objectives of application controls, being accuracy, completeness,
  occurrence and authorisation
• examples of exam-type questions

STUDY
• Richard et al (2021:8/40–8/54), sections 8.3.1–8.3.5

ACTIVITY 7
The following control techniques and application controls, applicable to the
input stage through which a transaction flows through the system, are
mentioned in your textbook by Richard et al (2021:8/40–8/53):

• access control
• authorisation
• batching
• screen aids and related features
• program controls relating to input
• existence/validity checks

o validation checks
o matching checks
o data approval/authorisation checks
o reasonableness and limit checks
o dependency checks
o format checks
o check digits
o sequence checks
o logs and reports
o override reports
o activity reports
o access/access violation reports
o audit trails

REQUIRED
Link the control techniques and application controls mentioned to the objective
of the control, being either occurrence and authorisation, completeness or
accuracy.

ACTIVITY 8

Describe the application controls that the management of company X should
implement to ensure the completeness of amendments to a masterfile in the
computerised accounting system.

Remember to always compare your answers with those provided in the
feedback after you have attempted them on your own first.

SUMMARY
In this lesson we explained general and application controls in a computerised
environment as part of a system of internal control.

After you have worked through the lessons and study material, you should be
able to explain, describe, discuss and apply

• general controls in a computerised environment
• application controls in a computerised environment

LESSON 2.4

INTERNAL CONTROL FROM THE PERSPECTIVE OF THE EXTERNAL AUDITOR

INTRODUCTION
The external auditor obtains an understanding of a client's system of internal
control as part of his/her external audit.

2.4.1 OBTAINING AN UNDERSTANDING OF INTERNAL CONTROL

Richard et al (2021:7/13) state that an understanding of a client's internal
control assists the auditor in identifying types of potential misstatement and
factors that affect the risks of material misstatement, and in designing the
nature, timing and extent of further audit procedures.

STUDY
• Richard et al (2021:7/13–7/18)

2.4.2 SIGNIFICANT RISKS


Richard et al (2021:7/18) define significant risks as risks that require special
audit consideration. These risks relate to the auditor's risk of material
misstatement. The auditor assesses risk in order to determine the nature,
timing and extent of further audit procedures.

STUDY
• Richard et al (2021:7/18–7/19)

ACTIVITY 9
Name the six factors that the auditor should consider when assessing whether
a risk is a significant risk.

SUMMARY
In this lesson we explained the need for the external auditor to understand
internal control in order to identify significant risks.

After you have worked through the lessons and study material, you
should be able to discuss the need for the external auditor to obtain an
understanding of a client’s internal control in order to identify significant risks.

CONCLUSION

In this topic, Internal control, we explained and applied the theory of internal
control according to its five components. We explained that internal control is
designed to address and limit potential risks. We also discussed internal control
from the perspective of the external auditor.
