Professional Documents
Culture Documents
Ass CH05
Ass CH05
Introduction to internal
control
Contents
Introduction
Examination context
Topic List
1 What is internal control?
2 Components of internal control
3 Information about controls
Summary and Self-test
Technical reference
Answers to Self-test
Answers to Interactive questions
Introduction
Understand how the auditor obtains and records information about internal controls
Practical significance
Every company has internal controls. Auditing standards require auditors to consider whether to rely on
the entity’s controls as part of their audit. This will be the case in two instances:
(1) Where the auditors' risk assessment includes an expectation of the operating effectiveness of internal
controls (so controls testing must be carried out to support the risk assessment)
(2) Where substantive procedures alone do not provide sufficient evidence
A company’s internal controls will be important in the majority of audits, regardless of the size of the
company being audited and the sector it is in.
Working context
If you work in practice you are likely to be involved with the audit department in some way. You may be
involved in a wide range of different types of audit, or you may have specialised in a particular sector.
However, all companies have internal controls and many audits involve controls testing, so this is an area
you will have or will gain practical experience in. If so, think about an example of controls testing you have
been involved in. Remember the controls you were testing and try to think back to what the objectives of
the control were and how you tested them. It is this skill of recognising the purpose of controls and
therefore how to test them that will be important both in practice and in your assessment.
If you work in a finance department in industry you are likely to be involved in the operation of a number of
controls relating to the financial statements. Think through the controls you regularly implement and
consider the objectives behind them.
Syllabus links
You will have studied the basic components of an information system when studying for your Accounting
paper and should therefore know the basic set up of initial documents, books of prime entry, ledgers,
journals, trial balances and financial statements.
You will learn more about a business’s risk management and control in your Business and Finance paper.
Examination context
Exam requirements
Internal control is an important practical area in auditing. It is therefore 25% of the syllabus and you should
expect that to be reflected in your assessment. In the sample paper there are 15 questions on internal
control related issues. This is the first chapter of four in this area.
In the assessment candidates may be required to:
Section overview
Internal control is the process designed to mitigate risks to the business and ensure that the business
operates efficiently and effectively.
Key limitations to internal controls include the fact that they may be expensive, the fact that they
generally rely on humans to operate them and the fact that they are generally only designed for
routine, normal transactions.
Small companies in particular may have difficulties implementing effective internal control systems due
to employing fewer staff to implement internal controls than larger companies.
1.1 Definition
BSA 315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement contains
the following definition of internal control.
Definition
Internal control: ‘Internal control is the process designed and effected by those charged with governance,
management, and other personnel to provide reasonable assurance about the achievement of the entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and
compliance with applicable laws and regulations. It follows that internal control is designed and implemented
to address identified business risks that threaten the achievement of any of these objectives.’
'Those charged with governance,' a phrase used in the definition above, are the people who direct the
operations of the company. Remember that in Bangladesh, those charged with governance and management
are often one and the same thing – the directors of a company, although a distinction may be made
between executive directors (who work in the operations of a business) and non-executive directors who
are more involved at board level.
Step 1
Identify risks to these objectives not being fulfilled, for example, in terms of reporting financial position, the
directors might identify that a risk of not being able to report correctly is computer failure and consequent
destruction of the financial records.
Step 2
Implement internal controls to mitigate this risk. The controls to mitigate the above risk could be many and
varied, for example, ensuring that all users have passwords to limit unauthorised access to the computer
and therefore the risk of it being infected, or, at the other end of the scale, detailed back up and emergency
procedures, including a reconstruction plan, to kick into action in the event of computer failure.
Limitation Explanation
Expense A key limitation of controls is that they are expensive, and therefore may not be
worth putting into place, as the continual use of the control is more expensive than
the cost of the risk arising. This is a matter of judgement for the directors and often
determines the structure and level of controls that are put into place in a business.
Human Another important limitation of controls is the human element. Most controls
element can only function as well as the people that are implementing them. Controls are
not necessarily fool-proof. If a human being makes a mistake implementing a control,
then that control might be ineffective. Another problem for companies associated
with the human element of controls is that of the intention of the people using
them. Controls, such as keeping your computer password secret, rely on the
integrity of the people being asked to implement them. If people do not understand
the importance or relevance of the control they may be less inclined to adhere to it.
At the more sinister end of this scale for companies is the situation where staff
members want to override or avoid controls in order to defraud the company.
Controls may be bypassed very effectively and secretly by two or more people
working together, that is, colluding in fraud.
Unusual Finally, a limitation of internal controls is that they are generally designed to deal
transactions with what normally or routinely happens in a business. However, it may be the
case that an unusual transaction may occur which does not fit into the normal
routines, in which case standard controls may not be relevant to the unusual
transaction, and hence mistakes may be made in relation to that unusual transaction.
Small companies may have particular problems in implementing effective internal control systems. This is
largely because of the human element discussed above. Small companies generally have fewer
employees than larger companies, meaning that there are fewer people to involve in the internal control
system.
Involving a large number of people in internal control systems helps to limit the risk of the human element
in internal control systems because if a lot of people are involved, there is a greater chance that people’s
errors or, worse, frauds, will be uncovered by the next person in the control chain. The control of using a
number of people in a single system is called segregation of duties, and we will look at it in more detail
later. In a small company, if its staff capacity is not such to ensure that lots of people are involved in the
internal control system, then the control system will be weaker.
Large Co is a large company with sophisticated controls systems. In respect of purchase ordering, an order
is raised by a member of the purchase team (who all have pre-set limits of the price they are allowed to
order up to) on the basis of a requisition note from the relevant department, signed by the department
manager. Before the order is despatched to the approved supplier, the purchase manager approves the
order. If the order is in excess of CU30 million, the purchasing director approves the order.
Small Co is a small company with limited controls systems. When the stores manager needs the stores
replacing he rings the approved supplier and orders the goods. The annual cost of purchases is CU7 million.
You can see that in the second scenario there are far fewer people, indeed just one, compared with a
minimum of four at Large Co, involved in the transaction. If one of the people at Large Co made a mistake
with the order, then another member of the team might pick it up. If the stores manager makes a mistake
at Small Co, there is not another team member to correct the mistake. Small Co has a control, in that it
uses an approved supplier, who might query an unusual order, but the internal control in relation to
purchasing is weak due to lack of staff members.
Bear in mind also that although the sums of money discussed in the two scenarios are very different, the
materiality of those sums to the businesses themselves might be comparable. A mistake in a CU30,000
order may not seem as important as a mistake in a CU30 million order, but it might be enough to put Small
Co into financial difficulties.
Section overview
Internal control comprises five components.
The control environment is the context of the internal control system, influenced by management.
The risk assessment process is the process by which the company determines what control policies
and procedures to implement.
The information system is the system which captures information about transactions and events for
financial reporting purposes.
Control activities are the heart of the internal control system, comprising policies and procedures
which may prevent, or detect and correct errors.
BSA 315 sets out that there are five components of internal control, each of which may impact on the audit
process differently. We shall look at each of them in more detail below. An internal control may fall into a
particular category.
Each particular internal control may also prevent an error occurring (preventative control, or may
identify that an error has occurred and correct it (detective control). It is an important part of
understanding internal controls to be able to identify what it is that each specific control actually does.
Some controls may be relevant to audit while others are not. The auditor will not waste time looking at
company controls that are not relevant to whether the financial statements are true and fair, however
important those controls might be to the overall operating of the business, for example, control processes
over asset utilisation.
The extent of reliance on internal controls in an assurance engagement will depend on the nature of the
engagement and the assurance provider's expectation of the effectiveness of controls. In some engagements,
very few controls will be relied on and the assurance provider will carry out more tests of detail instead.
Definition
Control environment: The control environment includes the governance and management functions and
the attitudes, awareness and actions of those charged with governance and management concerning the
entity’s internal control and its importance in the entity.
The attitude of those people in charge of the business to internal control is very important in determining
the quality of internal controls throughout the business for various reasons. The key issue is that the
attitude of those in charge will influence staff understanding of controls, both implicitly and explicitly.
Where directors feel that internal controls are very important, staff members are likely to be better educated
about what the controls are and why they are important, so the human element risk associated with internal
controls is reduced. Also, if directors set the tone by taking controls seriously and rigorously applying them, even
when they seem silly or unnecessary then other staff members will be encouraged to do the same.
The control environment is therefore very important to the auditors and they will evaluate it as part of
their risk assessment process. If the control environment is strong, then auditors will be more inclined to
rely on the controls system in the entity than if it is weak.
However, it is important to understand that the control environment is only one component of the overall
internal control system. Equally important are the other aspects of controls, because if other control
components are weak, it will not matter as much to the auditors that the directors think that controls are
important, because the auditor will not be happy to rely on well-intentioned, but weak, control systems.
Definition
Audit committee: A subsection of the board of directors which has a particular interest in the finance
and accounting activities of the company.
The key issue for the audit committee is the financial statements, so the audit committee itself can be seen
as a control in relation to the information system and the way in which the company produces its
financial statements. Note that the committee also has responsibilities with regard to supervising the
identification of risks and monitoring controls (these are all discussed later in this chapter).
Definitions
Entity's risk assessment process: The process by which management in a business identifies business
risks relevant to financial reporting objectives and decides what actions to take to address those risks (for
example, implementing internal controls).
Business risk: The risk inherent to the company in its operations. It is risks at all levels of the business.
Decide upon actions (internal controls, insurances, changes in operations) to manage them
Definition
Information system relevant to financial reporting objectives includes the procedures and records
designed to initiate, record, process and report entity transactions and to maintain accountability for the
related assets, liabilities and equity.
How the information system captures events other than transactions that are relevant to the financial
statements
Definition
Control activities: The policies and procedures that help ensure that management directives are carried
out.
Control activities are the most tangible internal controls that the auditor will concentrate on to a large
degree. The auditor will be concerned with understanding whether a control prevents an error or detects
and corrects an error. Control activities may be manual or, if relevant, where processes are computerised,
then they may also have specific IT control activities.
Information Checking the For example, checking to see if individual invoices have
processing arithmetical accuracy been added up correctly.
of records
Physical control Comparing the results For example, a physical count of petty cash.
of cash, security and
The balance shown in the cash book should be the
inventory counts with
same amount as is in the petty cash box.
accounting records
Limiting physical Only authorised personnel should have access to
access to assets and certain assets (particularly valuable or portable ones).
records
For example, ensuring that the inventories store is only
open when the store personnel are there and is
otherwise locked.
This can be a particular problem in computerised systems.
Segregation of duties
Segregation implies a number of people being involved in the accounting process. This makes it more
difficult for fraudulent transactions to be processed (since a number of people would have to collude in the
fraud), and it is also more difficult for accidental errors to be processed (since the more people are
involved, the more checking there can be). Segregation should take place in various ways:
Segregation of function. The key functions that should be segregated are the carrying out of a
transaction, recording that transaction in the accounting records and maintaining custody of
assets that arise from the transaction.
The various steps in carrying out the transaction should also be segregated. We shall see how this
works in practice when we look at the major control cycles in the following chapters.
The carrying out of various accounting operations should be segregated. For example, the same
staff should not record transactions and carry out the related reconciliations at the period-end.
2.4.2 IT controls
The internal controls in a computerised environment includes both manual procedures and procedures
designed into computer programs. Such manual and computer control procedures comprise two types of
control.
Definitions
Application controls: Are manual or automated procedures that apply to the processing of individual
applications to ensure that transactions occurred, are authorised and are completely and accurately
recorded and processed.
General controls: Are policies and procedures that relate to many applications and support the effective
function of application controls by helping to ensure the continued proper operation of information
systems.
Controls to prevent Such as passwords to prevent unauthorised entry, built in controls to permit
unauthorised changes
amendments to data
files
Controls to ensure Storing extra copies of programs and data files off-site
continuity of
Protection of equipment against fire and other hazards
operations
Back-up power sources
Emergency procedures
The auditors will wish to test some or all of the above general controls, having considered how they affect
the computer applications significant to the audit.
General controls that relate to some or all applications are usually interdependent controls, i.e. their
operation is often essential to the effectiveness of application controls. As application controls may be
useless when general controls are ineffective, it will be more efficient to review the design of general
controls first, before reviewing the application controls.
The purpose of application controls is to establish specific control activities over the accounting
applications in order to provide reasonable assurance that all transactions are authorised and recorded, and
are processed completely, accurately and on a timely basis. Application controls include the following.
Controls over input: Programs to check data fields (for example value, reference number, date)
accuracy on input transactions for plausibility:
Digit verification (e.g. reference numbers are as expected)
Reasonableness test (e.g. VAT to total value)
Existence checks (e.g. customer name)
Character checks (no unexpected characters used in reference)
Necessary information (no transaction passed with missing
information)
Permitted range (no transaction processed over a certain value)
Manual scrutiny of output and reconciliation to source
Controls over master One to one checking of master files to source documents (such as payroll
files and standing data master files to individual employee personal files)
Cyclical reviews of all master files and standing data
Control over input, processing, data files and output may be carried out by IT personnel, users of the
system, a separate control group and may be programmed into application software. The auditors may wish
to test the following application controls.
Manual controls If manual controls exercised by the user of the application system are capable
exercised by the user of providing reasonable assurance that the system's output is complete,
accurate and authorised, the auditors may decide to limit tests of control to
these manual controls.
Controls over system If, in addition to manual controls exercised by the user, the controls to be
output tested use information produced by the computer or are contained within
computer programs, such controls may be tested by examining the system's
output using either manual procedures or computer assisted audit techniques
(CAATs which will be described in more detail in Chapter 11. Such output
may be in the form of magnetic media, microfilm or printouts. Alternatively,
the auditor may test the control by performing it with the use of CAATs.
Programmed control In the case of certain computer systems, the auditor may find that it is not
procedures possible or, in some cases, not practical to test controls by examining only
user controls or the system's output. The auditor may consider performing
tests of control by using CAATs, such as test data, reprocessing transaction
data or, in unusual situations, examining the coding of the application
program.
As we have already noted, general IT controls may have a pervasive effect on the processing of transactions
in application systems. If these general controls are not effective, there may be a risk that misstatements
occur and go undetected in the application systems. Although weaknesses in general IT controls may
preclude testing certain IT application controls, it is possible that manual procedures exercised by users
may provide effective control at the application level.
Bear in mind that most companies have computerised accounting systems so these controls are important
in practice as well as in your assessment.
Section overview
Auditors will obtain information about internal controls from a variety of sources, including company
internal control manuals and observing controls in operation.
Auditors will record information about internal controls in a variety of ways in their files, including
notes, flowcharts and questionnaires.
The company may have manuals of internal controls and copies of internal controls policies, or minutes of
meetings of the risk assessment group. These will be useful documents for the auditors to read. In addition,
in recurring audits, the auditors should have a record of what the controls were in previous years and
therefore will only be looking for new policies in the current year.
The auditors will also obtain knowledge by talking to the people involved with internal control at all stages
and asking them what the controls are and why they have been implemented. Again, where auditors have a
record of what the controls were last year, inquiry will be useful in updating the picture to what they are
now.
Lastly, an important tool for auditors in determining what internal controls exist in an organisation or
whether controls in use in an operation are the same as those stated to be in operation is observation. The
auditor will watch operations at a company to identify the control activities being put into action.
There are broadly three types of document which are used for recording the understanding of the business:
Narrative notes
Questionnaires/checklists and
Diagrams
Narrative notes
These are good for things like:
Short notes on simple systems
Background information
They are less good when things get more complex when diagrams tend to take over.
Good as aide memoires to ensure you have all the bases covered
but
Can lead to a mechanical approach so that an important extra question is never asked
Tick boxes often get ticked whether the brain is engaged or not
Diagrams
Things like:
Flowcharts
Organisation charts
Family trees
Records of related parties
Organisation charts and family trees are without doubt the best way of recording relationships, reporting
lines, etc.
Flow charts of systems are an excellent and comprehensive way of recording systems, but they are time
consuming to construct and can be difficult for the reader to assimilate.
A Maximising profitability
B Maximising operating efficiency
C Reducing time required for the statutory audit
D Minimising audit risk
See Answer at the end of this chapter.
For each example, select the one type of control activity which it illustrates.
Document counts
Digit verification
Passwords
Virus checks
100 © The Institute of Chartered Accountants in England and Wales, March 2009
INTRODUCTION TO INTERNAL CONTROL 5
Summary
Monitoring
Control activities
Controls can be preventative or detective. Control Many control systems encompass IT systems
activities fall into the general categories: and therefore special IT controls may be
– Authorisation required.These are general controls and
– Performance reviews application controls
– Information processing
– Physical controls
– Segregation of duties
© The Institute of Chartered Accountants in England and Wales, March 2009 101
Assurance
Self-test
Answer the following questions.
1 ................................................................................
2 ................................................................................
3 For each of the following controls, state whether they are general or application:
Now go back to the Learning Objectives in the Introduction. If you are satisfied you have achieved these
objectives, please tick them off.
102 © The Institute of Chartered Accountants in England and Wales, March 2009
INTRODUCTION TO INTERNAL CONTROL 5
Technical reference
© The Institute of Chartered Accountants in England and Wales, March 2009 103
Assurance
Answers to Self-test
Training
Back-up copies
104 © The Institute of Chartered Accountants in England and Wales, March 2009
INTRODUCTION TO INTERNAL CONTROL 5
2 Performance review
© The Institute of Chartered Accountants in England and Wales, March 2009 105
Assurance
106 © The Institute of Chartered Accountants in England and Wales, March 2009