Chapter 13 Overview of Internal Control

The document provides an overview of internal control, describing its nature and purpose to provide reasonable assurance regarding reliable financial reporting, effective operations, and compliance with laws and regulations. It identifies three objectives of internal control: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The document also defines internal control system and lists five key elements: control environment, risk assessment, information and communication, control activities, and monitoring activities.

Uploaded by

kyuleen05

CHAPTER 13

OVERVIEW OF INTERNAL CONTROL

NATURE AND PURPOSE OF INTERNAL CONTROL

Internal control is the process designed and effected by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of the
entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations. It follows that internal control is
designed and implemented to address identified business risks that threaten the achievement of
any of these objectives.

Those objectives fall into three categories:

• Reliability of the entity’s financial reporting

• Effectiveness and efficiency of operations

• Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is
determined by activities within the entity’s control. However, achieving its objectives relating to
operations will depend not only on management’s decisions but also on competitors’ actions and
other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management’s objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy
and completeness of the accounting records, and the timely preparation of reliable financial
information.

ELEMENTS OF INTERNAL CONTROL

Internal control structures vary significantly from one company to the next. Factors such as size
of the business, nature of operations, the geographical dispersion of its activities, and objectives
of the organization affect the specific control features of an organization. However, certain
elements or features must be present to have a satisfactory system of control in almost any
large-scale organization.

The internal control system extends beyond these matters which relate directly to the functions of
the accounting system and consists of the following components:
a. the control environment;

b. the entity’s risk assessment process;

c. the information system, including the related business processes, relevant to financial
reporting, and communication;

d. control activities;

e. monitoring of controls.

A. Control Environment

The control environment means the overall attitude, awareness and actions of directors
and management regarding the internal control system and its importance in the entity. The
control environment has an effect on the effectiveness of the specific control procedures. A
strong control environment, for example, one with tight budgetary controls and an effective
internal audit function, can significantly complement specific control procedures. However, a
strong environment does not, by itself, ensure the effectiveness of the internal control system.
Factors reflected in the control environment include:

• The function of the board of directors and its committees;
• Management’s philosophy and operating style;
• The entity’s organizational structure and methods of assigning authority and
responsibility;
• Management’s control system including the internal audit function, personnel policies
and procedures and segregation of duties.

The environment in which internal control operates has an impact on the effectiveness of the
specific control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values

Integrity and ethical values are essential elements of the internal control environment.
They affect the design, administration and monitoring of other components of internal
control. An entity’s ethical and behavioral standards and the manner in which it
communicates and reinforces them determine the entity’s integrity and ethical behavior.
Integrity and ethical values include management’s actions to remove or reduce incentives
and temptations that might prompt personnel to engage in dishonest, illegal, or unethical
acts. They also include the communication of entity values and behavioral standards to
personnel through policy statements, a code of conduct, and management’s example of
appropriate behavior.

2. Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an
employee’s job. Commitment to competence means that management considers the
competence levels of particular jobs in determining the skills and knowledge required of
each employee and that it hires employees competent to perform the tasks.

3. Participation by those Charged with Governance

An entity’s control consciousness is influenced significantly by those charged with
governance. Attributes of those charged with governance include independence from
management, their experience and stature, the extent of their involvement and scrutiny of
activities, the appropriateness of their actions, the information they receive, the degree to
which difficult questions are raised and pursued with management, and their interaction
with internal and external auditors. The importance of responsibilities of those charged
with governance is recognized in codes of practice and other regulations or guidance
produced for the benefit of those charged with governance. Other responsibilities of those
charged with governance include oversight of the design and effective operation of
whistle blower procedures and the process for reviewing the effectiveness of the entity’s
internal control.

4. Management’s Philosophy and Operating Style

This refers to management’s attitude toward (a) business risk, (b) financial reporting, (c)
meeting budget, profit and other established goals which all have impact on the reliability
of the financial statements. Management’s approach to taking and monitoring business
risks, its conservative or aggressive selection from alternative accounting principles, its
conscientiousness and conservatism in developing accounting estimates, and its attitude
toward information processing and the accounting function and personnel are factors that
affect the control environment.

5. Organizational Structure

The responsibilities and authorities of the various personnel within the organization
should be established in such a manner as to (1) assist the entity in meeting its goals and
objectives and (2) ensure that transactions are processed, recorded, summarized and
reported in an accurate and timely manner. Organizational structure provides the overall
framework for planning, directing and controlling operations.

6. Assignment of Authority and Responsibility

Personnel within an organization need to have a clear understanding of their
responsibilities and the rules and regulations that govern their actions. Management may
develop job descriptions and computer system documentation. It may also establish policies
regarding acceptable business practice, conflicts of interest and code of conduct.

7. Human Resources Policies and Procedures

Perhaps the most important element of an internal accounting control system is the
people who perform and execute the established policies and procedures. Personnel
policies should be adopted by the client to reasonably ensure that only capable and honest
persons are hired and retained. Policies with respect to employee selection, training, and
supervision should be adopted and implemented by the client. The selection of competent
and honest personnel does not automatically assure that errors or irregularities will not
occur. However, adequate personnel policies, coupled with the design concepts suggested
earlier in this section, enhance the likelihood that the client’s policies and procedures will
be followed.

B. Entity’s Risk Assessment Process

Risk assessment is the “identification, analysis, and management of risks pertaining to the
preparation of financial statements”. For example, risk assessment may focus on how the
entity considers the possibility of transactions not being recorded or identifies and assesses
significant estimates recorded in the financial statements.

An entity’s risk assessment process is its process for identifying and responding to business
risks and the results thereof. For financial reporting purposes, the entity’s risk assessment
process includes how management identifies risk relevant to the preparation of financial
statements that are presented fairly, in all material respects in accordance with the entity’s
applicable financial reporting framework, estimates their significance, assesses the likelihood
of their occurrence, and decides upon action to manage them. For example, the entity’s risk
assessment process may address how the entity considers the possibility of unrecorded
transactions or identifies and analyzes significant estimates recorded in the financial
statements. Risks relevant to reliable financial reporting also relate to specific events or
transactions.

Risks relevant to financial reporting include external and internal events and circumstances
that may occur and adversely affect an entity’s ability to initiate, record, process, and report
financial data consistent with the assertions of management in the financial statements. Once
risks are identified, management considers their significance, the likelihood of their
occurrence, and how they should be managed. Management may initiate plans, programs, or
actions to address specific risks or it may decide to accept a risk because of cost or other
considerations. Risks can arise or change due to circumstances such as the following:

• Change in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly different
risks.

• New personnel. New personnel may have a different focus on or understanding of
internal control.

• New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.

• Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.

• New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.

• New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.

• Corporate restructurings. Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated
with internal control.

• Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and other unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.

• New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.

The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless
of size, but the risk assessment process is likely to be less formal and less structured in small
entities than in larger ones. All entities should have established financial reporting objectives, but
they may be recognized implicitly rather than explicitly in small entities. Management may be
aware of risks related to these objectives without the use of a formal process but through direct
personal involvement with employees and outside parties.

Considerations Specific for Smaller Entities

Many audits of small entities are carried out entirely by the engagement partner (who may be a sole
practitioner). In such situations, it is the engagement partner who, having personally conducted
the planning of the audit, would be responsible for considering the susceptibility of the entity’s
financial statements to material misstatement due to fraud and error.

C. Information System, including the Business Processes, Relevant to Financial Reporting
and Communication

An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent, or have
less significance, in systems that are exclusively or primarily manual. Many information
systems make extensive use of IT.

The Information System, Including Related Business Processes, Relevant to Financial Reporting
• Initiate, record, process, and report entity transactions (as well as events and conditions)
and to maintain accountability for the related assets, liabilities, and equity;

• Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;

• Process and account for system overrides or bypasses to controls;

• Transfer information from transaction processing systems to the general ledger;

• Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivable; and

• Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized and appropriately reported
in the financial statements.

Journal Entries

An entity’s information system typically includes the use of standard journal entries that are
required on a recurring basis to record transactions. Examples might be journal entries to record
sales, purchases, and cash disbursements in the general ledger, or to record accounting estimates
that are periodically made by management, such as changes in the estimate of uncollectible
accounts receivable.

An entity’s financial reporting process also includes the use of non-standard journal entries to
record non-recurring, unusual transactions or adjustments. Examples of such entries include
consolidating adjustments and entries for a business combination or disposal or nonrecurring
estimates such as the impairment of an asset. In manual general ledger systems, non-standard
journal entries may be identified through inspection of ledgers, journals, and supporting
documentation. When automated procedures are used to maintain the general ledger and prepare
financial statements, such entries may exist only in electronic form and may therefore be more
easily identified through the use of computer-assisted audit techniques.

Related Business Processes

An entity’s business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services;

• Ensure compliance with laws and regulations; and

• Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the
information system. Obtaining an understanding of the entity’s business processes, which
include how transactions are originated, assists the auditor in obtaining an understanding of the
entity’s information system relevant to financial reporting in a manner that is appropriate to the
entity’s circumstances.

Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions.

• Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.

• Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.

• Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.

• Present properly the transaction and the related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting. It includes the extent to which personnel
understand how their activities in the financial reporting information system relate to the work of
others and the means of reporting exceptions to an appropriate higher level within the entity.
Open communication channels help ensure that exceptions are reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting manuals,
and memoranda. Communication also can be made electronically, orally, and through the actions
of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small
entities are likely to be less formal than in larger entities but their role is just as significant. Small
entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies. Communication may be less
formal and easier to achieve in a small entity due to the small entity’s size and fewer levels as
well as management’s greater visibility and availability.

D. Control activities

Control activities are the policies and procedures that help ensure that management directives
are carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives. Control activities, whether within IT or manual
systems, have various objectives and are applied at various organizational and functional
levels.

The major categories of control procedures are:

A. Performance Review
B. Information Processing Controls
1.) Proper authorization of transactions and activities
2.) Segregation of duties
3.) Adequate documents and records
4.) Safeguards over access to assets; and
5.) Independent checks on performance
C. Physical controls

A brief discussion of these control procedures follows:

A. Performance Review

In a performance review, management uses accounting and operating data to assess
performance, and it then takes corrective action. Such reviews include:

• comparing actual performance (or operating results) with budgets, forecasts, prior
period performance, or competitors’ data or tracking major initiatives such as
cost-containment or cost-reduction programs to measure the extent to which
targets are being met.
• investigating performance indicators based on operating or financial data, such as
quantity or purchase price variances or the percentage of returns to total orders.
• reviewing functional or activity performance, such as relating the performance of
a manager responsible for a bank’s consumer loans with some standard, such as
economic statistics or targets.

Personnel at various levels in an organization may make performance reviews.
Performance reviews may be used by managers for the sole purpose of making operating
decisions. For example, managers may analyze performance data and base operating
decisions on them because the data are consistent with their expectations. This type of
review improves the reliability of the data. However, when managers follow up on
unexpected results determined by a financial reporting system, performance reviews
become a useful control over financial reporting.

B. Information Processing Controls

Information processing controls are policies and procedures designed to require
authorization of transactions and to ensure the accuracy and completeness of transaction
processing. Control activities may be classified according to the scope of the system they
affect. General controls are control activities that prevent or detect errors or irregularities
for all accounting systems. General controls affect all transaction cycles and apply to
information processing as a center, hardware and systems software acquisition and
maintenance, and backup and recovery procedures. Application controls are controls that
pertain to the processing of a specific type of transaction, such as payroll, or sales and
collections. These controls help ensure that transactions occurred, are authorized, and are
completely and accurately recorded and processed. Examples of application controls
include checking the arithmetical accuracy of records, maintaining and reviewing
accounts and trial balances, automated controls such as input data and numerical
sequence checks, and manual follow-up of exception reports. General IT-controls are
policies and procedures that relate to many applications and support the effective
functioning of application controls by helping to ensure the continued proper operation of
information systems. General IT-controls commonly include controls over data center
and network operations; system software acquisition, change and maintenance; access
security; and application system acquisition, development, and maintenance. These
controls apply to mainframe, miniframe, and end-user environments. Examples of such
general IT-controls are program change controls, controls that restrict access to programs
or data, controls over the implementation of new releases of packaged software
applications, and controls over system software that restrict access to or monitor the use
of system utilities that could change financial data or records without leaving an audit
trail.

Internal controls relating to the accounting system are concerned with achieving
objectives such as:

• Transactions are executed in accordance with management’s general or specific
authorization.
• All transactions and other events are promptly recorded in the correct amount, in
the appropriate accounts and in the proper accounting period so as to permit
preparation of financial statements in accordance with an identified financial
reporting framework.
• Access to assets and records is permitted only in accordance with management’s
authorization.
• Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken regarding any differences.

Control activities related to the processing of transactions may be grouped as follows: (1)
proper authorization, (2) design and use of adequate documents and records, and (3)
independent checks on performance.

1. Proper authorization of transactions and activities

As suggested earlier, authorization for the execution of transactions flows from
the stockholders to management and its subordinates. Before a transaction is
entered into with another party, certain conditions must usually be met. As part of
the evaluation of the potential transaction, documentation will be created. The
auditor uses this documentation to determine whether business transactions are
properly authorized. For example, the purchase of inventory may create a
purchase order, a receiving report, and a vendor invoice. By inspecting these
documents and comparing them with company policy, the auditor may be
reasonably satisfied that a business transaction was authorized and executed in a
manner consistent with company policy.

2. Segregation of duties

An important element in designing an internal accounting control system that
safeguards assets and reasonably ensures the reliability of the accounting records
is the concept of segregation of responsibilities. No one person should be assigned
duties that would allow that person to commit an error or perpetrate fraud and to
conceal the error or fraud. For example, the same person should not be
responsible for recording the cash received on account and for posting the receipts
to the accounting records.

3. Adequate documents and records

The use of adequate documents and records allows the company to obtain
reasonable assurance that all valid transactions have been recorded.

4. Access to assets

The resources of a client can be protected by the establishment of physical
barriers and appropriate policies. For example, inventories may be kept in a
storeroom, or negotiable instruments may be placed in a safe deposit box.
Appropriate company policies are adopted so that only authorized persons have
access to company resources. Safeguarding of assets is more than establishing
physical barriers. A client should design its internal accounting control system so
that documents authorizing the movement of assets into an organization or out of
an organization are adequately controlled.

5. Independent checks on performance

The objective of a well-designed internal accounting control system is the
adoption of procedures that periodically compare the actual asset with its recorded
balance. Regardless of the effectiveness of an internal control system, some assets
may be misappropriated. An important part of an internal accounting control
system is to determine the effectiveness of recording policies and asset access
policies. This is accomplished by periodic counts of assets by the client and
comparing the counts to the balances in the general ledger account. Examples are
the count of inventory and the preparation of monthly bank reconciliation.

C. Physical Controls

Controls that encompass:

• The physical security of assets, including adequate safeguards such as secured
facilities over access to assets and records.
• The authorization for access to computer programs and data files.
• The periodic counting and comparison with amounts shown on control records
(for example, comparing the results of cash, security and inventory counts with
accounting records).

The extent to which physical controls intended to prevent theft of assets are relevant
to the reliability of financial statement preparation, and therefore the audit, depends
on circumstances such as when assets are highly susceptible to misappropriation.

The concepts underlying control activities in small entities are likely to be similar to
those in larger entities, but the formality with which they operate varies. Further,
small entities may find that certain types of control activities are not relevant because
of controls applied by management. For example, management’s retention of
authority for approving credit sales, significant purchases, and drawdowns on lines
of credit can provide strong control over those activities, lessening or removing the
need for more detailed control activities. An appropriate segregation of duties often
appears to present difficulties in small entities. Even companies that have only a few
employees, however, may be able to assign their responsibilities to achieve
appropriate segregation or, if that is not possible, to use management oversight of the
incompatible activities to achieve control objectives.

E. Monitoring of Controls

Monitoring, the final component of internal control, is the process that an entity uses to
assess the quality of internal control over time. Monitoring involves assessing the design and
operation of controls on a timely basis and taking corrective action as necessary.
Management monitors controls to consider whether they are operating as intended and to
modify them as appropriate for changes in conditions. In many entities, internal auditors
evaluate the design and operation of internal control and communicate information about
strengths and weaknesses and recommendations for improving internal control.

Some monitoring activities may include communications from external parties. For example,
customers implicitly corroborate sales data by paying their bills or raising questions. Also,
bank regulators, other regulators, and outside auditors may communicate about the design or
effectiveness of internal control.

Monitoring activities may include using information from communications from external
parties that may indicate problems or highlight areas in need of improvement. Customers
implicitly corroborate billing data by paying their invoices or complaining about their
charges. In addition, regulators may communicate with the entity concerning matters that
affect the functioning of internal control, for example, communications concerning
examinations by bank regulatory agencies. Also, management may consider communications
relating to internal control from external auditors in performing monitoring activities.

Application to Small Entities

Ongoing monitoring activities of small entities are more likely to be informal and are typically
performed as a part of the overall management of the entity’s operations. Management’s close
involvement in operations often will identify significant variances from expectations and
inaccuracies in financial data leading to corrective action to the control.

REVIEW QUESTIONS AND EXERCISES

Questions

1. What is meant by the control environment? What are the factors the auditor must evaluate
to understand it?

2. What is the relationship among the five components of internal control?

3. The separation of operational responsibility from record keeping is meant to prevent
different types of misstatements than the separation of the custody of assets from
accounting. Explain the difference in the purposes of these two types of separation of
duties.

4. For each of the following, give an example of a physical control the client can use to
protect the asset or record:

a. Petty cash
b. Cash received by retail clerks
c. Accounts receivable records
d. Raw material inventory
e. Perishable tools
f. Manufacturing equipment
g. Marketable securities
