LESSON SEVEN

ACCOUNTING AND INTERNAL CONTROL SYSTEMS: THEORY AND PRACTICE

THE ACCOUNTING SYSTEM

ISA 315 Understanding the entity and its assessing the risk of material misstatement accounting
system is the series of tasks and records of an entity by which transactions are processed as a means
of maintaining financial records. Such systems identify, assemble, analyze, calculate, classify,
record, summarize and report transactions and other events.

ISA 315 Risk Assessments and Internal Controls states that the auditor should obtain an
understanding of the accounting and internal control systems sufficient to plan the audit and
develop an effective audit approach. The auditor should use professional judgment to assess audit
risk and to design audit procedures to ensure it is reduced to an acceptably low level.

The Companies Act Cap 486 places a duty upon the auditor in preparing his report to carry out
investigations that will enable him form an opinion on the financial statements in accordance with
the seventh schedule to the Companies Act Cap 486

The objective of the accounting system is to ensure that all transactions are completely and
accurately processed and recorded and that the resulting accounting entries are valid.

Managements interest in the accounting system

Management needs complete and accurate books of accounts because:

i. There is no other way the business can be controlled;

ii. Records of debtors and creditors are indispensable;
iii. The best way to safeguard assets is to have a proper record of them;
iv. Accounts can only be prepared if proper primary books exist;
v. The Companies Act has specific requirements on keeping of proper books of accounts;
vi. vi. The various acts covering NSSF, NHIF, PAYE, VAT, and LEVY require proper
books.

What constitutes an adequate system of accounting depends on the circumstances. The important
thing is that the system should provide for the orderly assembly of accounting information to
enable accounts to be prepared. A system of accounting cannot succeed in completely and
accurately processing and recording all transactions, unless internal arrangements set up by the
management known as Internal Controls are built into the system.

INTERNAL CONTROL SYSTEMS

ISA 315: “Internal control system” means all the policies and procedures (internal controls)
adopted by the management of an entity to assist in achieving management’s objective of ensuring,
as far as practicable, the orderly and efficient conduct of its business, including adherence to
management policies, the safeguarding of assets, the prevention and detection of fraud and error,
the accuracy and completeness of the accounting records, and the timely preparation of reliable
financial information. The internal control system extends beyond those matters which relate
directly to the functions of the accounting system and comprises:

a. The control environment”

This means the overall attitude, awareness and actions of directors and management regarding the
internal control system and its importance in the entity. The control environment has an effect on
the effectiveness of the specific control procedures. A strong control environment, for example,
one with tight budgetary controls and an effective internal audit function, can significantly
complement specific control procedures. However, a strong environment does not, by itself, ensure
the effectiveness of the internal control system. Factors reflected in the control environment
include:

• The function of the board of directors and its committees.

• Management’s philosophy and operating style.

• The entity’s organizational structure and methods of assigning authority and responsibility.

• Management’s control system including the internal audit function, personnel policies and
procedures and segregation of duties.

(b) “Control procedures”

“Control procedures” means those policies and procedures in addition to the control environment
which management has established to achieve the entity’s specific objectives. Specific control
procedures include:

 Reporting, reviewing and approving reconciliations.

 Checking the arithmetical accuracy of the records.
 Controlling applications and environment of computer information systems, for example,
by establishing controls over changes to computer programs
 Access to data files.
 Maintaining and reviewing control accounts and trial balances.
 Approving and controlling of documents.
 Comparing internal data with external sources of information.
 Comparing the results of cash, security and inventory counts with accounting records.
 Limiting direct physical access to assets and records.
 Comparing and analyzing the financial results with budgeted amounts.

FRAUD AND ERROR

ISA 240: The Auditor’s Responsibility to Consider Fraud and Error states that when planning and
performing audit procedures and evaluating and reporting the results thereof, the auditor should
consider the risk of Material misstatements in the financial statements resulting from fraud or error.
Misstatements in the financial statements can arise from fraud or error. The term “error” refers to
an unintentional misstatement in financial statements, including the omission of an amount or a
disclosure, such as the following:

• A mistake in gathering or processing data from which financial statements are prepared.

• An incorrect accounting estimate arising from oversight or misinterpretation of facts.

• A mistake in the application of accounting principles relating to measurement, recognition,

classification, presentation, or disclosure.

The term “fraud” refers to an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of deception to obtain an
unjust or illegal advantage.
Although fraud is a broad legal concept, the auditor is concerned with fraudulent acts that cause a
material misstatement in the financial statements. Misstatement of the financial statements may
not be the objective of some frauds. Auditors do not make legal determinations of whether fraud
has actually occurred. Fraud involving one or more members of management or those charged
with governance is referred to as management fraud;” fraud involving only employees of the entity
is referred to as “employee fraud.” In either case, there may be collusion with third parties outside
the entity.

Two types of intentional misstatements are relevant to the auditor’s consideration of fraud:

 Misstatements resulting from fraudulent financial reporting

 Misstatements resulting from misappropriation of assets.

Fraudulent financial reporting involves intentional misstatements or omissions of amounts or

disclosures in financial statements to deceive financial statement users.

Fraudulent financial reporting may involve the following:

•Deception such as manipulation, falsification, or alteration of accounting records or supporting

documents from which the financial statements are prepared.

•Misrepresentation in, or intentional omission from, the financial statements of events, transactions
or other significant information.

•Intentional misapplication of accounting principles relating to measurement, recognition,

classification, presentation, or disclosure.

The distinguishing factor between fraud and error is whether the underlying action that results in
the misstatement in the financial statements is intentional or unintentional. Unlike error, fraud is
intentional and usually involves deliberate concealment of the facts.

While the auditor may be able to identify potential opportunities for fraud to be perpetrated, it is
difficult, if not impossible, for the auditor to determine intent, particularly in matters involving
management judgment, such as accounting estimates and the appropriate application of accounting
principles.
Responsibility of Those Charged With Governance and of Management

The primary responsibility for the prevention and detection of fraud and error rests with both those
charged with the governance and the management of an entity. The respective responsibilities of
those charged with governance and management may vary by entity and from country to country.

Management, with the oversight of those charged with governance, needs to set the proper tone,
create and maintain a culture of honesty and high ethics, and establish appropriate controls to
prevent and detect fraud and error within the entity. This responsibility arise out of the contractual
relationship between the directors, managers and the company

Recent Pronouncements on corporate governance have reinforced this responsibility

Responsibilities of the Auditor

The Auditor has no responsibility for the prevention and detection of fraud and error although the
annual audit may act as a deterrent.

As described in ISA 200, “Objective and General Principles Governing an Audit of Financial
Statements,” the objective of an audit of financial statements is to enable the auditor to express an
opinion whether the financial statements are prepared, in all material respects, in accordance with
an identified financial reporting framework.

An audit conducted in accordance with ISAs is designed to provide reasonable assurance that the
financial statements taken as a whole are free from material misstatement, whether caused by fraud
or error. The fact that an audit is carried out may act as a deterrent, but the auditor is not and cannot
be held responsible for the prevention of fraud and error.

An audit does not guarantee all material misstatements will be detected because of such factors as
the use of judgment, the use of testing, the inherent limitations of internal control and the fact that
much of the evidence available to the auditor is persuasive rather than conclusive in nature. For
these reasons, the auditor is able to obtain only reasonable assurance that material misstatements
in the financial statements will be detected.

In planning the audit, the auditor should discuss with other members of the audit team the
susceptibility of the entity to material misstatements in the financial statements resulting from
fraud or error. The auditor should make inquiries of management:
(a) To obtain an understanding of:

(i) Management’s assessment of the risk that the financial statements may be materially
misstated as a result of fraud; and

(ii) The accounting and internal control systems management has put in place to address such
risk;

(b) To obtain knowledge of management’s understanding regarding the accounting and internal
control systems in place to prevent and detect error;

(c) To determine whether management is aware of any known fraud that has affected the entity or
suspected fraud that the entity is investigating; and

(d) To determine whether management has discovered any material errors.

Procedures when Fraud is suspected

When the auditor encounters circumstances that may indicate that there is a material misstatement
in the financial statements resulting from fraud or error, the auditor should perform procedures to
determine whether the financial statements are materially misstated.

When the auditor identifies a misstatement, the auditor should consider whether such a
misstatement may be indicative of fraud and if there is such an indication, the auditor should
consider the implications of the misstatement in relation to other aspects of the audit, particularly
the reliability of management representations.

Evaluation and Disposition of Misstatements, and the Effect on the Auditor’s Report When the
auditor confirms that, or is unable to conclude whether, the financial statements are materially
misstated as a result of fraud or error, the auditor should consider the implications for the audit.

Documentation

The auditor should document fraud risk factors identified as being present during the auditor’s
assessment process and document the auditor’s response to any such factors. If during the
performance of the audit, fraud risk factors are identified that cause the auditor to believe that
additional audit procedures are necessary, the auditor should document the presence of such risk
factors and the auditor’s response to them.
Communication

when the auditor identifies a misstatement resulting from fraud, or a suspected fraud, or error, the
auditor should consider the auditor’s responsibility to communicate that information to
management, those charged with governance and, in some circumstances, to regulatory and
enforcement authorities.

Communication of Misstatements Resulting From Error to Management and to Those Charged

With Governance If the auditor has identified a material misstatement resulting from error, the
auditor should communicate the misstatement to the appropriate level of management on a timely
basis, and consider the need to report it to those charged with governance in accordance with ISA
260,

Communication of Audit Matters With Those Charged With Governance The auditor should
inform those charged with governance of those uncorrected misstatements aggregated by the
auditor during the audit that were determined by management to be immaterial, both individually
and in the aggregate, to the financial statements taken as a whole.

Communication of Misstatements Resulting from Fraud to Management and to Those Charged

with Governance If the auditor has:

(a) Identified a fraud, whether or not it results in a material misstatement in the financial
statements; or

(b) Obtained evidence that indicates that fraud may exist (even if the potential effect on the
financial statements would not be material); the auditor should communicate these matters to the
appropriate level of management on a timely basis, and consider the need to report such matters to
those charged with governance in accordance with ISA 260.

Communications to Regulatory and Enforcement Authorities

The auditor’s professional duty to maintain the confidentiality of client information ordinarily
precludes reporting fraud and error to a party outside the client entity. The auditor considers
seeking legal advice in such circumstances.
Errors can be described as an intentional mistake and they can occur at any stage in a business
transaction and they can be of any type. Auditors would primarily be interested in the prevention,
detection and disclosure of errors for the following reasons:

(a) Existence of errors may indicate that accounting records are unreliable and are therefore not a
satisfactory basis from which to prepare financial statements. The auditor could therefore
conclude that proper books of accounts have not been kept where there are too many material
errors. This is a ground for qualification of an auditor’s report.

(b) Too many errors may also indicate that the system of internal control is not reliable, and
therefore the auditor wishing to place any reliance on a system of internal control may not be able
to do so.

(c) If errors are of sufficient magnitude, they may be sufficient to affect the true and fair view
given by the accounts.

Irregularities

Irregularities can be described as intentional distortions of financial statements for whatever

purpose and also as misappropriation of assets whether or not a company by distortions of financial
statements. The auditor’s responsibility towards fraud and other irregularities is exactly the same
as that of errors

Materiality

If the auditor knows or suspects that an error or irregularity has occurred or exists, then he cannot
apply materiality consideration until he has sufficient evidence of the extent of the error or
irregularity

TYPES OF INTERNAL CONTROL

1. Organization: Enterprises should have a plan of their organization defining and allocating
responsibilities and identifies lines of reporting for all aspects of the enterprises’ operation,
including the controls. The delegation of authority and responsibility should be clearly specified.

2. Segregation of duties: One of the prime means of control is the separation of those
responsibilities or duties which would if combined enable one individual to record and process a
complete transaction. Segregation reduces the risk of intentional manipulation and error and
increases the element of checking. Functions which should be separated include those of
authorization, execution, custody, and recording and in the case of a computer based accounting
system, systems development and daily operations.

3. Physical: These are concerned mainly with the custody of assets and involve procedures and
security measures designed to ensure that access to assets is limited to authorized personnel. This
includes both direct access and indirect access through documentation. These controls assume
importance in the case of valuable, portable, exchangeable or desirable assets.

4. Authorization and approval: All transactions should require authorization or approval by an

appropriate responsible person. The limits for this authorization should be specified

5. Arithmetical and accounting: These are the controls within the recording function which
check that the transactions to be recorded and processed have been authorized, that they are all
included and that they are correctly recorded and accurately processed. Such controls include: the
checking of the arithmetical accuracy of the records, the maintenance and checking of totals,
reconciliations, control accounts and trial balances and accounting for documents.

6. Personnel: There should be procedures to ensure that personnel have capabilities commensurate
with their responsibilities. Inevitably, the proper functioning of any system depends on the
competence and integrity of those operating it. The qualifications, selection and training as well
as the innate personal characteristics of the personnel involved are important features to be
considered in setting up any control system.

7. Supervision: Any system of internal control should include the supervision by responsible
officials of day to day transactions and the recording thereof.

8. Management controls: These are the controls exercised by the management outside the day to
day routine of the system. They include: the overall supervisory controls, exercised by
management, the review of management accounts, and comparison thereof with budgets, the
internal audit functions and any special review procedures.

THE PRACTICE OF INTERNAL CONTROL

The traditional classification of operation for internal control purposes was:

a) Cash and cheques received including cash and bank balances;

b) Cash and cheque payments;

c) Salaries and wages;

d) Purchases and trade creditors;

e) Sales and trade debtors;

f) Stocks including work-in-progress;

g) Fixed assets and investments.

However, it is more usual now to classify transactions in accordance with their related cycles.
These cycles are recognized in a typical manufacturing organization as: sales cycles, purchases
cycle, wages cycle and conversion cycle.