
Internal Controls

Objectives of Internal Control


The internal control system comprises policies, practices, and procedures employed by the organization
to achieve four (4) broad objectives:
1. To safeguard assets of the firm
2. To ensure accuracy and reliability of accounting records and information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures

Modifying Assumptions
Inherent in the Objectives:
1. Management Responsibility
o Holds that the establishment and maintenance of a system of internal control is a
management responsibility
2. Methods of Data Processing
o The 4 objectives should be achieved regardless of the data processing method used
(whether manual or computer-based)
3. Limitations
o Include:
▪ Possibility of Error – no system is perfect
▪ Circumvention – personnel may circumvent the system through collusion or other
means
▪ Management Override – management is in a position to override control
procedures by personally distorting transactions or by directing a subordinate to
do so
▪ Changing Conditions – conditions may change over time so that existing effective
controls may become ineffectual
4. Reasonable Assurance
o There should be reasonable assurance that the 4 objectives are met
o Cost of achieving improved control should not outweigh its benefits

5 Components of Internal Control


1. Control Environment – foundation of the other 4 components; sets the tone for the organization
and influences the control awareness of its management and employees
2. Risk Assessment – identify, analyze, and manage risks relevant to financial reporting
3. Information and Communication – quality of information generated by accounting information
system impacts the management’s ability to take actions and make decisions in connection with
the organization’s operations, and to prepare reliable financial statements
4. Monitoring – process by which the quality of internal control design and operation are assessed;
use of management reports in ongoing monitoring
5. Control Activities – policies and procedures used to ensure that appropriate actions are taken to
deal with the organization’s identified risks or exposure
a. Computer Controls
b. Physical Controls
i. Transaction Authorization
● Ensure that all material transactions processed by the information
system are valid and in accordance with management’s objectives
o General Authority – day-to-day activities (ex. sale on credit)
o Specific Authority – deal with case-by-case decisions associated
with nonroutine transactions; requires management intervention
ii. Segregation Activities
● Done to minimize incompatible functions in order to avoid risks of fraud,
theft, and data manipulation
iii. Supervision
iv. Accounting Records
v. Access Controls
● Ensure that only authorized personnel have access to the firm’s assets;
safeguarding assets
vi. Independent Verification
● Verification procedures which are independent checks of the accounting
system to identify errors and misrepresentations

Testing Computer Application Controls


- Control testing techniques provide information about the accuracy and completeness of an
application’s processes.
- 2 General Approaches:
o Black Box Approach
▪ Also called Auditing Around the Computer
▪ Reconciling production input transactions processed by the application with
output results
▪ The output results are analyzed to verify the application’s compliance with its
functional requirements
▪ Auditors do not rely on detailed knowledge of the application’s internal logic
▪ Advantages:
● The application need not be removed from service and tested directly
● Feasible for testing applications that are relatively simple
▪ Disadvantages:
● Internal software of the computer is not documented or audited by the
auditor, thereby increasing audit risk
● Actual computer files and programs are not tested, therefore, there is no
direct evidence that the programs are working as documented
● When errors are found, it may be difficult or impossible to determine why
those errors have occurred
o White Box Approach
▪ Also called Auditing Through the Computer
▪ Relies on in-depth understanding of the internal logic of the application being
tested
▪ Several techniques for testing application logic directly are included
▪ Uses small numbers of specially created test transactions to verify specific
aspects of an application’s logic and controls
▪ Auditors are able to conduct precise tests with known variables and obtain
results that they can compare against objectively calculated results
▪ Addresses, to some extent, the disadvantages of the Black Box Approach

Test of Controls
Common Types:
1. Authenticity Tests
o Verify that an individual or a programmed procedure or a message attempting to access
a system is authentic
▪ Includes:
● User IDs
● Passwords
● Valid vendor codes
● Authority table
2. Accuracy Tests
o Ensure that the system processes only data values that conform with specified tolerances
▪ Includes:
● Range tests
● Field tests
● Limit tests
3. Completeness Tests
o Identify missing data within a single record and entire missing records
4. Access Tests
o Ensure that the application prevents unauthorized users from accessing data
▪ Passwords
▪ User-defined procedures
▪ Data encryption
▪ Inference controls
5. Audit Trail Tests
o Ensure that the application creates adequate audit trail
6. Rounding Error Tests
o Verify the correctness of rounding procedures
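
The white box approach and the accuracy, completeness, and rounding error tests above can be exercised together with a small deck of specially created test transactions. The following is an added example, not part of the original notes; the payroll fields, tolerances, and function names are assumptions chosen for illustration.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

MAX_HOURS, RATE_LIMIT = Decimal("80"), Decimal("150")   # assumed tolerances

def validate(txn):
    """Hypothetical application control: return the checks a transaction fails."""
    missing = [f for f in ("emp_id", "hours", "rate") if txn.get(f) in (None, "")]
    if missing:                                    # completeness test
        return ["missing:" + f for f in missing]
    errors = []
    if not str(txn["emp_id"]).isdigit():           # field test: numeric ID only
        errors.append("field:emp_id")
    try:
        hours, rate = Decimal(str(txn["hours"])), Decimal(str(txn["rate"]))
    except InvalidOperation:                       # field test: non-numeric amount
        return errors + ["field:amount"]
    if not (Decimal("0") < hours <= MAX_HOURS):    # range test
        errors.append("range:hours")
    if rate > RATE_LIMIT:                          # limit test
        errors.append("limit:rate")
    return errors

def gross_pay(txn):
    """Rounding procedure under test: round half-up to the cent."""
    raw = Decimal(str(txn["hours"])) * Decimal(str(txn["rate"]))
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

# Constructed test deck: (label, transaction, expected failed checks)
TEST_DECK = [
    ("valid",        {"emp_id": "1001", "hours": "40", "rate": "25.00"}, []),
    ("hours at max", {"emp_id": "1001", "hours": "80", "rate": "25.00"}, []),
    ("missing rate", {"emp_id": "1001", "hours": "40", "rate": ""}, ["missing:rate"]),
    ("alpha id",     {"emp_id": "10A1", "hours": "40", "rate": "25.00"}, ["field:emp_id"]),
    ("alpha hours",  {"emp_id": "1001", "hours": "x", "rate": "25.00"}, ["field:amount"]),
    ("hours > max",  {"emp_id": "1001", "hours": "81", "rate": "25.00"}, ["range:hours"]),
    ("rate > limit", {"emp_id": "1001", "hours": "40", "rate": "150.01"}, ["limit:rate"]),
]

def run_test_deck(control, deck):
    """Return (label, expected, actual) for each transaction the control mishandles."""
    return [(label, exp, control(txn)) for label, txn, exp in deck if control(txn) != exp]

if __name__ == "__main__":
    print("exceptions:", run_test_deck(validate, TEST_DECK))
    print("rounding:", gross_pay({"hours": "2.5", "rate": "10.01"}))
```

An empty exception list means every control behaved as the auditor's independently calculated results predicted; any entry names the transaction whose control failed.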
