
10.

UNDERSTANDING INTERNAL CONTROL


Gloria Ivana - 211526334

The importance of internal control :


- The scope and size of the business entity have become so complex and widespread
that management must rely on numerous reports and analyses to effectively control
operations.
- The check and review inherent in a good system of internal control affords protection
against human weaknesses and reduces the possibility that errors or irregularities
will occur.
- It is impracticable for auditors to make audits of most companies within economic fee
limitations without relying on the client’s system of internal control.
Introduction
Internal control is a process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Effectiveness and efficiency of operations
Fundamental concepts:
1. Process integrated with an entity’s infrastructure
2. People implement internal control
3. Can only provide reasonable assurance, not absolute assurance, because of its
inherent limitations.
4. Geared to the achievement of objectives in the overlapping categories of financial
reporting, compliance, and operations.

The goals of internal control:

- Strategic and high-level goals
- Financial reporting
- Operational
- Compliance

Five interrelated components of internal control:
- Control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of
internal control, providing discipline and structure.
- Risk assessment is the entity’s identification and analysis of relevant risks to
achievement of its objectives, forming a basis for determining how the risks should
be managed.
- Control activities are the policies and procedures that help ensure that
management directives are carried out.
- Information and communication are the identification, capture, and exchange of
information in a form and time frame that enable people to carry out their
responsibilities.
- Monitoring is a process that assesses the quality of internal control performance
over time.

ENTITY OBJECTIVES AND RELATED INTERNAL CONTROL RELEVANT TO AN AUDIT
Management adopts internal control to provide reasonable assurance of achieving three
categories of objectives:
(1) reliability of financial information
(2) compliance with applicable laws and regulations
(3) effectiveness and efficiency of operations.

LIMITATION OF AN ENTITY’S SYSTEM OF INTERNAL CONTROL

- Mistakes in judgment
- Breakdowns
- Collusion
- Management override
- Cost versus benefits

ROLES AND RESPONSIBILITIES
- Management: establish effective internal control. The CEO and CFO of public
companies must also make an assessment of the adequacy of internal controls over
financial reporting.
- Board of directors and audit committee: determine that management meets its
responsibilities for establishing and maintaining internal control. The audit
committee (or in its absence, the board itself) has an important oversight role in
the financial reporting process.
- Internal auditors: periodically examine and evaluate the adequacy of an entity’s
internal control and make recommendations for improvements.
- Other entity personnel: communicate any problems with noncompliance with
controls or illegal acts of which they become aware to a higher level in the
organization.
- Independent auditors: when performing risk assessment procedures, an
independent auditor may discover deficiencies in internal control that he or she
communicates to management and the audit committee, together with
recommendations for improvements.
- Other external parties: legislators and regulators set minimum statutory and
regulatory requirements for establishing internal controls by certain entities.

COMPONENTS OF INTERNAL CONTROL

1. Control Environment : the tone set by management of an organization that
influences the control consciousness of its people. It is the foundation for all
other components of internal control, providing discipline and structure.
- Integrity and ethical values : CEO has to set the tone by example
- Commitment to competence
- Board of directors and audit committee
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
The control environment is critical because it has a pervasive effect on the
other four components of internal control. For example, if senior
management does not hire competent individuals and fails to underscore
the importance of ethics and competence in the performance of work that
supports the accounting system, employees may not perform other control
procedures with adequate professional care.
2. Risk assessment : an entity’s identification, analysis, and management of
risk relevant to the preparation of financial statements that are fairly
presented in conformity with generally accepted accounting principles.
In a strong risk assessment system, management should also include special
consideration of the risks that can arise from changed circumstances :
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines, products, or activities
- Corporate restructurings
- Foreign operations
- New accounting pronouncements
Internal control should be effective in mitigating these risks. This can be seen in
its design and operation.
3. Information and Communication : relevant to financial reporting objectives,
which includes the accounting system, consists of the methods and
records established to identify, assemble, analyze, classify, record, and
report entity transactions (as well as events and conditions) and to
maintain accountability for the related assets and
liabilities. Communication involves providing a clear understanding of
individual roles and responsibilities pertaining to internal control over
financial reporting.
4. Control Activities : policies and procedures that help ensure that
management directives are carried out. They help ensure that necessary
actions are taken to address risks to achievement of the entity’s objectives.
Control activities have various objectives and are applied at various
organization and functional levels.
1) Authorization Controls : Each transaction entry should be properly
authorized and approved in accordance with management’s general
or specific authorization. General authorization relates to the general
conditions under which transactions are authorized, such as
standard price lists for products and credit policies for charge sales.

2) Segregation of Duties : Strong segregation of duties involves
segregating
(1) transaction authorization
(2) maintaining custody of assets
(3) maintaining recorded accountability in the accounting records.
Proper segregation of duties should also be maintained within the IT
department and between IT and user departments. Several functions
within IT (systems development, operations, data controls, and
securities administration) should be segregated.

3) Information Processing Controls : Information processing
controls address risks related to the authorization, completeness,
and accuracy of transactions.
3a. General Controls : to control program development, program
changes, and computer operations, and to secure access to programs
and data. Five types of general controls are widely recognized:
- Organization and operation controls address the segregation
of duties within the IT department and between IT and user
departments.
- Systems development and documentation controls relate to
(1) review, testing, and approval of new systems and program
changes, and (2) controls over documentation.
- Hardware and systems software controls are an important
factor that contributes to the high degree of reliability of today’s
information technology.
- Access controls are designed to prevent unauthorized use of IT
equipment, data files, and computer programs.
- Data and procedural controls provide a framework for
controlling daily computer operations, minimizing the likelihood
of processing errors, and assuring the continuity of operations in
the event of a physical disaster or computer failure through
adequate file backup and other controls.
3b. Computer Application Controls : The purpose of application
controls is to use the power of information technology to control
transactions in individual transaction cycles. Hence, applications
controls will differ for each transaction cycle (e.g., sale vs. cash
receipts). The following three groups of application controls are
widely recognized:
- Input controls : detect and report errors in data that are
input for processing (follow up on the rejection,
correction, and resubmission of data that were initially
incorrect). Forms : verification controls and computer editing.
- Processing controls : provide reasonable assurance that
the computer processing has been performed as intended
for the particular application. Thus, these controls
should preclude data from being lost, added, duplicated,
or altered during processing. Forms : control totals, file
identification labels, limit and reasonableness checks,
before and after report, sequence tests, process tracing
data.
- Output controls : ensure that the processing results are
correct and that only authorized personnel receive the
output. The accuracy of the processing results includes
both updated machine-sensible files and printed output.
This objective is met by the following:
a. Reconciliation of totals. Output totals that are
generated by the computer programs are
reconciled to input and processing totals by the
data control group or user departments.
b. Comparison to source documents. Output data are
subject to detailed comparison with source
documents.
c. Visual scanning. The output is reviewed for
completeness and apparent reasonableness.
Actual results may be compared with estimated
results.
3c. Controls over the financial reporting process : When the time
comes to prepare financial statements, a structured query
language (SQL) is used to access the database and download
information into a spreadsheet.

These controls are meant to offer reasonable assurance that the
recording, processing, and reporting of data by IT are appropriately
conducted for specified applications. Thus, the auditor must analyze
these controls independently for each key accounting application,
such as charging clients or preparing payroll checks.
In an IT context, application controls perform the function of
independent checks by
(1) employing programmed application controls to identify
transactions that contain possible misstatements
(2) having personnel follow up on and remedy the items reported on
exception reports.
4) Physical Control : Physical controls are concerned with limiting the
following two types of access to assets and important records:
(1) direct physical access
(2) indirect access through the preparation or processing of documents
such as sales orders and disbursement vouchers that authorize the use or
disposition of assets.
Physical control activities include periodic counts of assets and comparison
with amounts shown on control records. Examples include petty cash
counts and physical inventories. These activities may be relevant in
assessing existence or occurrence, completeness, and valuation or allocation
assertions.
5) Performance Reviews : examples include management review and analysis of
- Reports that summarize the detail of account balances such as an aged
trial balance of accounts, reports of cash disbursements by
department, or reports of sales activity and gross profit by customer
or region, salesperson, or product line.
- Actual performance versus budgets, forecasts, or prior-period
amounts.
- The relationship of different sets of data such as nonfinancial
operating data and financial data (for example, comparison of hotel
occupancy statistics with revenue data).
6) Controls over Management Discretion in financial reporting :
An Audit of Internal Control over Financial Reporting Performed in
Conjunction with an Audit of Financial Statements, expects public companies
to establish internal controls in the three following areas:
1. Controls over significant nonroutine and nonsystematic transactions,
such as assertions involving judgments and estimates.
2. Controls over the selection and application of GAAP.
3. Controls over disclosures.

4. Monitoring : Effective monitoring activities usually involve
(1) ongoing monitoring programs
(2) separate evaluations
(3) an element of reporting deficiencies to the audit committee.
Monitoring also occurs through separate periodic evaluations. Managements of
public companies must perform periodic evaluations of internal controls in
order to support an assertion about the effectiveness of the system of internal
control.
The final element of sound monitoring controls involves the reporting of
deficiencies to the audit committee (or full board of directors).

5. Antifraud Programs and Control : Antifraud programs and controls are
policies and procedures put in place to help ensure that management’s
antifraud directives are carried out. An effective antifraud program should
impact every aspect of the system of internal control.
UNDERSTANDING INTERNAL CONTROLS
Obtaining an understanding involves performing procedures to:
- Understand the design of policies and procedures related to each component of
internal control.
- Determine whether the policies and procedures have been placed in operation.
The auditor uses this knowledge in three ways. The auditor should know enough to
1. Identify the types of potential misstatements that may occur.
2. Understand the factors that affect the risk of material misstatement.
3. Design further audit procedures.
Each of these three steps is discussed below.
Identifying the types of potential misstatements that may occur :
Understanding the points at which errors and fraud may occur is crucial to estimating
the risk of material misstatement. Some internal control weaknesses affect the
financial statements broadly: a poor control environment or weak computer general
controls may increase the risk of material misstatement for most or all financial
statement assertions. Other weaknesses are assertion-specific. Information may be
changed or added while transactions are recorded. An entity may report sales when a
customer orders rather than when the goods are supplied, leading to cutoff errors.
Perhaps a corporation has good computer controls but, due to staff changes, has
hired someone who doesn't understand how to follow up on exception reports. This
ignorance and improper manual follow-up may lead to error or fraud. Thus, auditors
evaluate how each financial statement assertion may contain misstatements. After
understanding this potential, the auditor will identify procedures to prevent or
detect misstatements in those assertions.

Understanding the factors that affect the risk of material misstatement :

Once the auditor understands the types of potential misstatements that may occur, the
auditor must assess the risk of material misstatement. When considering the factors that
affect the risk of material misstatement, the auditor usually considers:
- The magnitude of the misstatement that might occur.
- The likelihood of misstatements in the financial statements.

Designing further audit procedures :


First, the auditor needs to consider whether these procedures are adequate to allow the
auditor to assess the risk of material misstatement for each significant financial statement
assertion. If the auditor does not have adequate information, the auditor should perform
additional risk assessment procedures.
Second, the auditor uses this knowledge to plan tests of controls. Finally, the auditor
needs to know the system of internal control in order to design substantive tests.

Risks for which substantive tests alone will not reduce audit risk to a sufficiently low
level :
Substantive tests may not lower audit risk if the client's accounting system is automated.
Businesses that take orders by phone rarely leave a paper trail. Many airlines take phone
reservations (or online reservations) and issue electronic tickets. In a
business-to-business e-commerce system, some organizations never print a purchase order
and only send the vendor an electronic one. In these instances, the auditor can only assess
computer general controls, computer application controls, and manual follow-up
processes to ensure transaction cycle completeness and accuracy. Without checking the
internal processes over cash receipts, many charities cannot verify donations.
Understanding internal controls may lead to a lower control risk audit approach.
EFFECTS OF PRELIMINARY AUDIT STRATEGIES
An important issue in a private company audit is understanding the minimum level of
understanding of internal control that the auditor needs when performing a primarily
substantive approach. An auditor cannot assess control risk at the maximum without
support. Following is a brief summary of the minimum knowledge that the auditor needs
in order to understand the risk of misstatement and to plan a primarily substantive
approach.
- Control Environment. Because the control environment has such a pervasive
influence on other aspects of internal control, as well as the risk of misstatement in
the financial statements, the auditor should answer the questions about the control
environment. In every audit, the auditor needs to understand the control
environment’s collective effect on other aspects of internal control.
- Risk Assessment. The auditor should understand how management has designed
controls to offset business risks, inherent risks, and the risk of fraud.
- Information and Communication. Regardless of audit strategy, AU 319.36 indicates
that the auditor should obtain sufficient knowledge of the information systems
relevant to financial reporting to understand:
  - The classes of transactions in the entity’s operations that are significant to
  the financial statements.
  - How those transactions are initiated.
  - The accounting records, supporting documents, and specific accounts in the
  financial statements involved in the processing and reporting of
  transactions.
  - The accounting processing involved from the initiation of a transaction to its
  inclusion in the financial statements, including electronic means (such as
  computer and electronic data interchange) used to transmit, process,
  maintain, and access information.
  - The financial reporting process used to prepare the entity’s financial
  statements, including significant accounting estimates and disclosures.
The auditor needs to understand the information and communication system in sufficient
detail to identify the points at which misstatements may occur in the accounting system
and to be able to design effective substantive tests.
- Control Activities. Control activities are essential to reducing the opportunity for
fraud. At a minimum, auditors should understand how transactions are authorized
and the adequacy of segregation of duties. The degree to which auditors
understand control activities is related to the extent to which the auditor plans to
test those controls and change the nature, timing, or extent of substantive tests.
- Monitoring. It is important to understand the types of activities used by the entity,
top management, accounting management, and internal auditors to monitor the
effectiveness of internal control in meeting financial reporting objectives.
Knowledge should also be obtained as to how corrective actions are initiated based
on information gleaned from monitoring activities.

Several other factors should be considered in reaching a judgment about the required
level of understanding, as follows:
- Knowledge of the client from previous audits.
- Preliminary assessments of materiality and inherent risk.
- An understanding of the entity and its environment.
- The complexity and sophistication of the entity’s operations and systems, including
whether the method of controlling information processing is based on manual
procedures independent of the computer or is highly dependent on computerized
controls.
In addition, when significant inherent risks are identified, the auditor must understand
the design of internal controls relevant to those assertions and whether the controls have
been placed in operation.

PROCEDURES TO OBTAIN AN UNDERSTANDING

Procedures to obtain an understanding consist of:
- Reviewing previous experience with the client.
- Inquiring of appropriate management, supervisory, and staff personnel.
- Inspecting documents and records.
- Observing entity activities and operations.
- Tracing transactions through the information and communication system.

DOCUMENTING THE UNDERSTANDING


Documentation in the working papers may take the form of completed questionnaires,
flowcharts, decision tables (in a computerized accounting system), and narrative
memoranda.

The following discussion explains four forms of documentation commonly used by
auditors: questionnaires, flowcharts, decision tables, and narrative memoranda.
1. Questionnaires : consist of a series of questions about internal control that the
auditor considers necessary to prevent material misstatements in the financial
statements.
2. Flowcharts : schematic diagrams using standardized symbols, interconnecting flow
lines, and annotations that portray the steps involved in processing information
through the accounting system.
3. A decision table : matrix used to document the logic of a computer program.
Decision tables usually have three key components:
(1) conditions related to accounting transactions
(2) actions taken by the computer program
(3) decision rules that are used to link conditions with subsequent actions.
4. A narrative memorandum : written comments concerning the auditor’s
consideration of internal controls.
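
The processing controls listed under Computer Application Controls (control totals, limit checks, sequence tests) and the decision table described in item 3 above can be seen working together in the following added example, which is not part of the original notes. The batch data, the 10,000 limit, and all names (`process_batch`, `DECISION_RULES`, the action labels) are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample batch of cash disbursements (illustrative, not from the page).
# Record 1003 was lost before processing and record 1004 was read twice.
BATCH = [
    {"seq": 1001, "amount": Decimal("250.00"), "approved": True},
    {"seq": 1002, "amount": Decimal("12500.00"), "approved": False},
    {"seq": 1004, "amount": Decimal("80.00"), "approved": True},
    {"seq": 1004, "amount": Decimal("80.00"), "approved": True},
]
# Control total taken from the source documents for 1001-1004 (1003 = 45.00).
INPUT_CONTROL_TOTAL = Decimal("12875.00")
LIMIT = Decimal("10000.00")  # assumed limit-check threshold

# Decision table. Conditions: (amount over limit?, properly authorized?).
# Each decision rule links one combination of conditions to an action.
DECISION_RULES = {
    (False, True): "POST",
    (False, False): "REJECT_UNAUTHORIZED",
    (True, True): "HOLD_FOR_REVIEW",
    (True, False): "REJECT_UNAUTHORIZED",
}


def process_batch(batch, input_control_total, limit=LIMIT):
    """Apply sequence, limit and authorization checks, then reconcile totals.

    Assumes records arrive in ascending sequence-number order.
    """
    posted, exceptions, seen = [], [], set()
    processed_total = Decimal("0")
    expected = batch[0]["seq"] if batch else 0
    for rec in batch:
        seq = rec["seq"]
        if seq in seen:  # sequence test: record added or duplicated
            exceptions.append((seq, "DUPLICATE"))
            continue
        for missing in range(expected, seq):  # sequence test: record lost
            exceptions.append((missing, "MISSING"))
        seen.add(seq)
        expected = max(expected, seq + 1)
        processed_total += rec["amount"]
        # Look up the action for this record's combination of conditions.
        action = DECISION_RULES[(rec["amount"] > limit, rec["approved"])]
        if action == "POST":
            posted.append(seq)
        else:
            exceptions.append((seq, action))
    # Control total: a non-zero difference means data was lost or altered.
    return {
        "posted": posted,
        "exceptions": exceptions,
        "difference": input_control_total - processed_total,
    }


if __name__ == "__main__":
    report = process_batch(BATCH, INPUT_CONTROL_TOTAL)
    print("Posted:", report["posted"])
    for seq, reason in report["exceptions"]:
        print(f"Exception report: {seq} {reason}")
    print("Control total difference:", report["difference"])
```

The exception list is what personnel would follow up on; the control total difference equals the amount of the lost record, so the two checks corroborate each other.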
