Definition and Purposes of Internal Control
The purpose of this article is to provide an overview of internal control, with particular
emphasis on topics relevant to Part C of the F1/FAB syllabus. The article will focus on
the following learning objectives, as set out in section C6 of the study guide:
The article will also describe the roles of internal audit and internal audit testing,
relevant to section C2(e) and (f) of the study guide.
The Turnbull Report, first published in 1999, defined internal control and its scope as
follows:
‘The policies, processes, tasks, behaviours and other aspects of an organisation that
taken together:
Ensure the quality of internal and external reporting, which in turn requires the
maintenance of proper records and processes that generate a flow of timely, relevant
and reliable information from both internal and external sources.
Ensure compliance with applicable laws and regulations and also with internal policies.’
Turnbull’s explanation focuses on the positive role that internal control has to play in an
organisation. Facilitating efficient operations implies improvement, and, properly
applied, internal control processes add value to an organisation by considering
outcomes against original plans and then proposing ways in which they might be
addressed.
At the same time, Turnbull also conceded that there is no such thing as a perfect
internal control system, as all organisations operate in a dynamic environment: just as
some risks recede into insignificance, new risks will emerge, some of which will be
difficult or impossible to anticipate. The purpose of any control system should therefore
be to provide reasonable assurance that the organisation can meet its objectives.
Safeguarding assets:
Controls should be in place to ensure that assets are deployed for their proper
purposes, and are not vulnerable to misuse or theft. A comprehensive approach to this
objective should consider all assets, both tangible and intangible.
As organisations grow, the need for internal controls increases, as the degree of
specialisation increases and it becomes impossible to remain fully aware of what is
going on in every part of the business.
The directors must pay due attention to the control environment. If internal controls
are to be effective, it is necessary to create an appropriate culture and embed a
commitment to robust controls throughout the organisation.
Controls can be categorised in many different ways. Figure 1 describes five categories
that are often used.
Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances.
These are widely used to prevent breaches of laws or policy, as well as to minimise
risks relating to health and safety. Voluntary controls are applied according to the
judgement of the organisation and its managers.
Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of
risks in given circumstances. Non-discretionary controls must be applied.
Manual or automated:
Manual controls are applied by the individual employee, whereas automated controls are
programmed into the systems of the organisation. Some systems combine the two: for
example, when deciding whether a customer should be permitted days on hand for
payment, there could be an automated ‘accept’ above a specified credit rating, an
automated ‘decline’ below a specified credit rating, and an intermediate range in which
a manager may be able to override the automated system.
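The combined control described above, as an added example that is not part of the original article: the two credit-rating thresholds, the manager role and the audit log are assumptions, and the point it shows is that the manual override is confined to the intermediate band, restricted to managers, and always recorded with a reason.

```python
"""Automated/manual credit decision control (added example, not from the article).

Ratings above ACCEPT_ABOVE are accepted automatically, ratings below
DECLINE_BELOW are declined automatically, and only the band in between is
left to a manager. Thresholds, the "manager" role and the log are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ACCEPT_ABOVE = 700   # assumed threshold: ratings above this are auto-accepted
DECLINE_BELOW = 500  # assumed threshold: ratings below this are auto-declined


@dataclass
class Decision:
    customer: str
    rating: int
    outcome: str            # "accept", "decline" or "pending"
    decided_by: str         # "system" or the overriding manager's user id
    reason: Optional[str] = None


@dataclass
class CreditControl:
    audit_log: List[Decision] = field(default_factory=list)

    def automated_decision(self, customer: str, rating: int) -> Decision:
        """Automated control: only the intermediate band is left pending."""
        if rating > ACCEPT_ABOVE:
            d = Decision(customer, rating, "accept", "system")
        elif rating < DECLINE_BELOW:
            d = Decision(customer, rating, "decline", "system")
        else:
            d = Decision(customer, rating, "pending", "system")
        self.audit_log.append(d)
        return d

    def manager_override(self, decision: Decision, user: str, role: str,
                         outcome: str, reason: str) -> Decision:
        """Manual control: a manager may resolve a pending case, nothing else.

        Refused (PermissionError / ValueError) when the user is not a manager,
        when the case was already decided automatically, or when no reason is
        given, so that every manual decision is attributable and explained.
        """
        if role != "manager":
            raise PermissionError(f"{user} may not override credit decisions")
        if decision.outcome != "pending":
            raise ValueError("only cases in the intermediate band may be overridden")
        if outcome not in ("accept", "decline"):
            raise ValueError("override outcome must be 'accept' or 'decline'")
        if not reason.strip():
            raise ValueError("a manual decision must record a reason")
        d = Decision(decision.customer, decision.rating, outcome, user, reason)
        self.audit_log.append(d)
        return d


if __name__ == "__main__":
    ctl = CreditControl()
    ctl.automated_decision("ACME Ltd", 820)        # accepted automatically
    ctl.automated_decision("Shaky plc", 410)       # declined automatically
    pending = ctl.automated_decision("Borderline Co", 600)
    ctl.manager_override(pending, "m.jones", "manager", "accept",
                         "long-standing customer, clean payment history")
    for entry in ctl.audit_log:
        print(entry)
```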
Physical controls:
These controls include restrictions on access to buildings, specified office or factory
areas or equipment, such as turnstiles at the entrance to the premises, swipe cards and
passwords. They also include physical restraints, such as fixing non-current assets to
prevent removal.
Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often
segregated. For example, in the post room of a company that receives cash by post, the
employee recording the cash will be a different person from the one who opens the post.
Segregation is also relevant to other functions. At executive level, it is now best practice
to segregate the roles of chairman and chief executive officer, and as an independent
assurance function, internal audit should be totally segregated from the finance
department, with a reporting line direct to the board of directors or the audit committee.
Management controls:
These controls are operated by managers themselves. An example is variance analysis,
through which a manager may be required as part of their job to consider differences
between planned outcomes and actual performance. Performance management of
subordinates is also an integral part of many managerial positions. Further down the
chain of command, supervision controls are exercised in respect of day-to-day
transactions. Organisation controls operate according to the configuration of the
organisation chart and line/staff responsibilities.
Internal check
By allocating duties in this way, no one person has exclusive control over any
transaction.
Internal audit
Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within
an organisation to examine and evaluate its activities as a service to the organisation.
The formal objectives of internal audit may include some or all of the following:
The importance of internal audit was highlighted by the Turnbull Report. It states that
listed public companies that do not have an internal audit function should review the
need to have such a function at least annually. Turnbull goes on to state that listed
public companies that do have an internal audit function should review the scope,
authority and resources of this function at least annually.
Turnbull suggests that the need for the internal audit function will depend on several
factors. These include:
Internal audit testing is the internal assessment of internal controls and as such is a
management control to ensure compliance and conformity of internal controls to pre-
determined standards.
Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting
the organisation. The objective here should be to test the extent to which the controls
will control the risk if it crystallises. The conclusions of these reports should enable
management to reconsider the controls and modify or redesign them if appropriate.
Compliance:
Increasingly, organisations have to implement performance standards in relation to
compliance. This may be to satisfy the demands of external regulators, or to operate to
pre-determined internal standards. Internal audit should review operations for
compliance with such standards. In this respect, the work of internal auditors is
broadening, as organisations increasingly pursue compliance not only with industry
standards for products and service provision, but also with criteria relevant to
environmental standards.
Types of audit
In the course of their duties, internal auditors may carry out various types of audit.
These include the following:
Systems audits are used to test and evaluate controls as described in the last section.
They test whether the controls can be relied upon to ensure that resources are allocated
and managed effectively. They also test whether the information provided by the
organisation’s systems is accurate. Compliance tests verify whether internal controls
are being applied in a proper manner. Substantive tests verify the accuracy of figures,
and can be used to identify errors and omissions.
A transactions or probity audit is concerned with detecting fraud and other types of
criminal or unlawful behaviour. However, it can also be extended to matters relating to
fairness of dealings, impartiality, accountability and transparency, sometimes
considered to be within the scope of social audit. Generally, social audit may be
concerned with any matters relating to governance.
A client’s internal control is a process designed to provide reasonable, but not absolute, assurance
that the following entity objectives will be achieved: reliable financial reporting, effective and
efficient operations, compliance with laws and regulations. A client’s internal control consists of five
interrelated components: control environment, risk assessment, control activities, information and
communication systems support, monitoring. This post provides a brief overview of internal
control, its interrelated core components and its relationship to auditors and IT people, in
“question and answer” form. Enjoy!
Answer: The control environment, which is the foundation for the other components of internal
control, provides discipline and structure by setting the tone of an organization and influencing
control consciousness. Factors to consider in assessing the client’s control environment include:
Integrity and ethical values, including (1) management’s actions to eliminate or mitigate
incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical
acts, (2) policy statements, and (3) codes of conduct
Commitment to competence, including management’s consideration of competence levels for
specific tasks and how those levels translate into necessary skills and knowledge.
Board of directors or audit committee participation, including interaction with internal and
external (independent) auditors
Management’s philosophy and operating style, such as management’s attitude and actions
regarding financial reporting, as well as management’s approach to taking and monitoring risks
Human resource policies and practices, including those relating to hiring, orientation, training,
evaluating, counseling, promoting, and compensating employees
Answer: An entity’s risk assessment for financial reporting purposes is its identification, analysis, and
management of risks pertaining to financial statement preparation. Accordingly, risk assessment may
consider the possibility of executed transactions that remain unrecorded.
The following internal and external events and circumstances may be relevant to the risk of preparing
financial statements that are not in conformity with generally accepted accounting principles [or
another comprehensive basis of accounting]:
Corporate restructuring that might result in changes in supervision and segregation of job
functions
Foreign operations
Answer: Control activities are the policies and procedures management has implemented in order to
ensure that directives are carried out. Control activities that may be relevant to a financial statement
audit may be classified into the following categories:
Performance reviews, including comparisons of actual performance with budgets, forecasts, and
prior period results.
Physical controls, which involve adequate safeguards over the access to assets and records,
include authorization for access to computer programs and files and periodic counting and
comparison with amounts shown on control records.
Segregation of duties, which is designed to reduce opportunities that allow any person to be in a
position to both perpetrate and conceal errors or fraud in the normal course of his or her duties,
involves assigning different people the responsibilities of authorizing transactions, recording
transactions, and maintaining custody of assets.
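The segregation-of-duties principle stated here, and the post-room example in the earlier article, as an added example that is not part of the original post: the incompatible-duty table and the sample transaction log are constructed for the demonstration, and the check reports every transaction in which one person holds two duties that should be separated.

```python
"""Segregation-of-duties check over a transaction log (added example).

Encodes the three duties named in the text (authorizing, recording, custody)
plus the post-room pair from the earlier article (opening the post vs.
recording the cash) as incompatible pairs, then flags any transaction in
which a single person performed both halves of a pair. Sample data is constructed.
"""
from itertools import combinations
from typing import Dict, List, Tuple

# Pairs of duties that must not be performed by the same person.
INCOMPATIBLE = {
    frozenset({"authorize", "record"}),
    frozenset({"record", "custody"}),
    frozenset({"authorize", "custody"}),
    frozenset({"open_post", "record"}),   # post-room cash receipts example
}


def sod_violations(duties: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (duty_a, duty_b, person) for each incompatible pair held by one person.

    duties maps duty -> person, e.g. {"authorize": "alice", "record": "bob"}.
    Duties are compared in sorted order so each pair is reported once.
    """
    found = []
    for a, b in combinations(sorted(duties), 2):
        if frozenset({a, b}) in INCOMPATIBLE and duties[a] == duties[b]:
            found.append((a, b, duties[a]))
    return found


def review(transactions: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map transaction id -> violations, listing only transactions that have any."""
    report = {}
    for t in transactions:
        duties = {k: v for k, v in t.items() if k != "id"}
        violations = sod_violations(duties)
        if violations:
            report[t["id"]] = violations
    return report


# Constructed sample log: who performed which duty on each transaction.
SAMPLE = [
    {"id": "PAY-1001", "authorize": "alice", "record": "bob", "custody": "carol"},
    {"id": "PAY-1002", "authorize": "dave", "record": "dave", "custody": "carol"},
    {"id": "RCPT-2001", "open_post": "erin", "record": "erin"},
    {"id": "PAY-1003", "authorize": "alice", "record": "bob", "custody": "bob"},
]

if __name__ == "__main__":
    for txn_id, violations in review(SAMPLE).items():
        for a, b, who in violations:
            print(f"{txn_id}: {who} performed both '{a}' and '{b}'")
```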
Question: What knowledge about the “information and communication systems support” component
should an auditor obtain?
Answer: The auditor should obtain sufficient knowledge about the information system relevant to
financial reporting. The information system generally consists of the methods and records established
to record, process, summarize, and report entity transactions and to maintain accountability of related
assets, liabilities, and equity. Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.
Monitoring may involve: (1) separate evaluations, (2) the use of internal auditors, and (3) the use of
communications from outside parties (e.g., complaints from customers and regulator comments).
Answer: There is a direct relationship between objectives and components. This results from the fact
that objectives are what an entity strives to achieve, while components are what an entity needs to
achieve the objectives. It is also important to remember that internal control is relevant not only to the
entire entity, but also to an entity’s operating units and business functions.
Question: What Objectives and Controls are Relevant to a Financial Statement Audit?
Answer: In general, the auditor should consider the controls that pertain to the entity’s objective of
preparing financial statements for external use that are presented fairly in conformity with generally
accepted accounting principles (GAAP) or some other comprehensive basis of accounting other than
GAAP (OCBOA).
The controls relating to operations and compliance objectives may be relevant to a financial
statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may
consider the controls relevant to nonfinancial data (such as production statistics) used in analytical
procedures.
Caution: Not all of the objectives and related controls are relevant to a financial statement audit.
Furthermore, an understanding of internal control relevant to each operating unit and business function
may not be essential.
Question: What is the auditor’s primary consideration with respect to the components of internal
control?
Answer: The auditor’s primary consideration is whether a specific control affects the financial
statement assertions rather than its classification into any particular component. Although the five
components are applicable to every audit, they should be considered in the context of the following:
Entity size
Organization and ownership characteristics
Answer:
An entity’s use of IT may affect any of the five interrelated components of internal control.
Controls in systems that use IT consist of a combination of automated controls (e.g., controls
embedded in computer programs) and manual controls.
Answer: IT provides potential benefits of effectiveness and efficiency for internal control because it
enables the entity to:
Consistently apply predefined rules and perform complex calculations in processing large
volumes of transactions or data.
Enhance the ability to monitor the performance of the entity’s activities and its policies and
procedures.
Enhance the ability to achieve effective segregation of duties by implementing security controls
in applications, databases, and operating systems.
Question: What risks does IT pose to internal control?
Unauthorized access to data that may result in destruction of data or improper alterations to
data.
Note: The extent and nature of these risks to internal control depend on the nature and characteristics
of the entity’s information system.
Answer: The practitioner must obtain a sufficient understanding of internal control to enable the
proper planning of the audit. Whether controls have been placed in operation is of prime
importance. Operating effectiveness is not to be judged by the practitioner. The understanding of
internal control should: (1) provide a basis for identifying types of potential misstatements, (2) enable
the assessment of the risk that such misstatements will occur, and (3) enable the auditor to design
substantive tests.
Question: What are the procedures used to obtain an understanding of internal control?
Answer: The auditor must exercise professional judgment in determining the methods and extent of
documentation. The most frequently used methods of documentation are:
Flowcharts
Questionnaires
Answer: The assessment of control risk is a process of evaluating the effectiveness of a client’s
internal controls in preventing or detecting material misstatements in the financial statements.
Answer: If the auditor concludes, based on his or her understanding of internal control, that controls are
likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor
may assess control risk at the maximum level for some or all financial statement assertions.
If specific controls are likely to prevent or detect material misstatements and the auditor performs tests
of controls in order to evaluate the effectiveness of the controls identified, then assessment of control
risk below the maximum level is permissible.
Answer: SAS 55 defines tests of controls as tests directed toward the design or operation of an
internal control to assess its effectiveness in preventing or detecting material misstatements in a
financial statement assertion. Inquiry of company personnel, inspection of client documents and
records, observation of client activities, and re-performance of controls represent some of the
procedures used in performing tests of controls.
In performing tests of controls, the auditor seeks answers to the following questions:
Who performed the control?
Question: What is the relationship between the assessed level of control risk and substantive testing?
Answer: Since the auditor’s determination of the nature, extent, and timing of substantive tests is dependent
on detection risk, the assessed level of control risk must be considered in conjunction with inherent
risk (see SAS 47). There is an inverse relationship between detection risk and the assurances to be.
March 1, 2010
Today many companies recognize the desirability as well as the requirement to have an effective system
of internal control. Yet, designing and implementing a cost-effective system of internal control is a
daunting, if not overwhelming, task.
One way to overcome resistance to internal control is to educate stakeholders at every level of the
organization about its advantages.
Try the following quiz to test your knowledge of internal control and consider using it as a teaching tool for
others in your organization.
1. Houston Helpers, a faith-based group that offers help to people in need, has hired Janet Wells, a local
CPA, to train its professional staff in the basics of internal control. As Wells begins her presentation, a
participant interrupts by saying, “We are not like other organizations. How can we talk about common
elements of internal control when we are a faith-based service provider?”
a. The participant is correct; there are no generally accepted frameworks for internal control.
b. The participant is incorrect; there are generally accepted frameworks for internal control, regardless of
industry.
2. Internal control is a process designed to provide reasonable assurance regarding the achievement of
which objective?
4. The directors of Evans Corp. are reevaluating their “tone at the top.” They realize the phrase “tone at
the top” is used to describe the example set by directors, officers and executives through their statements
and daily actions. The board members also realize written policies need to reinforce the tone, but are
unsure how to integrate written policies into the “tone at the top.” If you were advising the board, what
would you tell them is the cornerstone of these policies?
5. Your employer has asked you to develop controls to help prevent duplicate payments. Which of the
following steps would NOT be appropriate in developing such a policy?
a. Create a form for updates to the master vendor file, which should be completed by the person
requesting the change and signed off by someone at a higher level.
b. Purge inactive vendors.
c. Periodically run reports showing the daily changes to the master vendor file.
d. Prohibit the sharing of passwords for the master vendor file.
6. As part of a training exercise for a corporate controller’s staff, Jeri Lee breaks the group into teams and
asks each team to gain (and document) their understanding of a potential acquisition’s system of internal
control. When she returns to check on their progress, she discovers that one team is working on
integrating the use of narratives, flowcharts and internal control questionnaires. What should Lee tell this
team about using all three approaches simultaneously?
COSO FRAMEWORK
The COSO framework consists of five elements of control: the control environment, risk assessment,
control activities, information and communication, and monitoring. The remaining questions refer to these
elements.
7. The owner of Austin Marina has approached the managing partner of a CPA firm about conducting a
first-time independent audit. While discussing the nature and scope of the audit, the owner of Austin
Marina asks if it is really necessary for the auditor to gain an understanding of Austin Marina’s system of
internal control. Which of the following responses would NOT be correct?
a. The auditor needs to gain an understanding of the client’s internal control in order to assess risk.
b. An understanding of internal control is necessary to support the audit opinion.
c. Audit standards do not require the auditor to gain an understanding of the client’s system of internal
control since risk can be assessed by other means.
d. Independent auditors can no longer assess control risk at a maximum without having support for that
assessment.
a. External events
b. Internal events
c. Circumstances that might affect reliable financial reporting
d. All of the above
a. A means to an end
b. Authorized procedures
c. The particular category in which a control is placed
d. The actions of people to help ensure that management directives necessary to address risks are
carried out
10. Evans & Co. has been struggling to implement the monitoring component of the COSO Internal
Control—Integrated Framework. Which of the following is NOT correct in how the company can implement
the monitoring component?
ANSWERS
1. (b) While the staff at Houston Helpers may not be aware of it, there are frameworks available to
evaluate the effectiveness of internal control in any type of organization. The industry standard used by
most U.S. companies is Internal Control—Integrated Framework, which was issued in 1992 by the
Committee of Sponsoring Organizations (COSO), and is a blueprint for organizations to assess and
enhance internal control systems. COSO was formed in 1985. The sponsoring organizations are the
American Accounting Association, the AICPA, Financial Executives International, the Institute of
Management Accountants, and the Institute of Internal Auditors.
2. (d) Effectiveness relates to the ability of the entity to accomplish its goals. Efficiency is concerned with
maximizing the best use of resources. Reliability of financial reporting includes the accuracy of financial
statement balances and adequate and complete disclosure. Compliance with applicable laws and
regulations refers to all laws and regulations that apply to the entity.
3. (a) ERM provides “a process that provides a robust and holistic top-down view of key risks facing the
organization.” (Effective Enterprise Risk Oversight: The Role of the Board of Directors, COSO, 2009).
Thus ERM is significantly different from the more traditional risk management approaches. Board
members need to understand the entity’s strategy for managing risks to ensure that day-to-day operations
are aligned with stakeholder expectations. The other answers are true.
4. (a) “The code of conduct should be a source of guidance on daily behavior and set the minimum
standards for that behavior,” according to the AICPA On-Site Training course Financial Fraud, Forensics,
and the CPA. The “tone at the top” applies to everyone as they carry out their business and personal
responsibilities. The other answers (a conflict-of-interest policy, organization communications, and
protection of the organization’s assets) are normally considered for inclusion in the code of conduct.
5. (b) Accounts payable expert Mary Schaeffer recommends that inactive vendors be deactivated, not
purged. This allows vendor activity to be researched if needed. The other steps are appropriate. Using
forms for updates to the master vendor file allows accountability for changes. Schaeffer also recommends
executive review of reports, which show daily changes to the master vendor file. Passwords to the master
vendor file should never be shared. For more information, see “Fight Fraud and Duplicate Payments”
(Dec. 4, 2008), by Mary Schaeffer, available at tinyurl.com/yfc7jog.
6. (e) A narrative is a written description of a system of internal control. A flowchart is a diagram of the
documents and their sequential flow within an organization. A narrative and a flowchart present the same
information. While one well-executed approach can be sufficient to gaining an understanding of internal
control, a flowchart and an internal control questionnaire can be used together effectively, as the internal
control questionnaire offers checklists that include the many types of controls available.
7. (c) Current audit standards require the independent auditor to obtain an understanding of the entity and
its environment, including internal control. Moreover, the auditor is required to evaluate the design of
controls and whether or not they have been implemented. Also, the auditor must document significant
processes and their basis for assessing control risk.
8. (d) Risk assessment is the process of identifying and analyzing relevant risks in order to manage and
mitigate the risks. External and internal events, as well as any other circumstance that could affect
reliable financial reporting should play a part in risk assessment.
9. (d) The COSO definition of control activities recognizes that internal control is affected by people at
every level of the organization. Control activities are more than a means to an end, and are not limited to
authorized procedures. Control activities are often in overlapping categories.
10. (d) Management is responsible for establishing and maintaining the entity’s internal control, and an
independent auditor cannot perform management functions. Monitoring can be an ongoing process or be
conducted as a separate evaluation. For many larger entities, internal audit departments are essential for
effective monitoring. In fact, AU section 322 addresses the effect of internal auditors on the external
auditor’s evidence accumulation, provided the internal audit function is performed by staff independent of
both the operating and accounting departments and reports either to top management or the audit
committee.
SCORING
An effective system of internal control is one of the best ways to prevent the fraudulent misstatement of
financial statements. If you answered all 10 questions correctly, you are an internal control guru. If you
answered eight or nine questions correctly, your knowledge of internal control is competent.
If you answered seven or fewer questions correctly, you may want to build on your internal control skills.
Fortunately, no one needs to “reinvent the wheel” when implementing or upgrading a system of internal
controls. The resources listed on the previous page will help you stay competent in internal control.