FINALS
UNIT 3 INTERNAL CONTROL: A VITAL TOOL IN MANAGING RISK
Chapter 3: Overview of Internal Control
Learning Objectives:
1. Explain what internal control is.
2. Describe the nature and purpose of internal control.
3. Define internal control system.
4. Explain the elements of internal control namely:
a. Control environment
b. Entity’s risk assessment process
c. Information system
d. Control activities
e. Monitoring of controls
Topics:
1.1 Nature and Purpose of Internal Control
1.2 Internal Control System Defined
1.3 Elements of Internal Control
a) Control Environment
b) Entity’s Risk Assessment Process
c) Information System including the Business Processes, Relevant to Financial Reporting and
Communication
d) Control Activities
e) Monitoring of Controls
1. Nature and Purpose of Internal Control
Internal Control is the process designed and effected by those charged with governance, management and
other personnel to provide reasonable assurance about the achievement of the entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations.
It follows that internal control is designed and implemented to address identified business risks that
threaten the achievement of any of these objectives.
These objectives fall into three categories:
o Reliability of the entity’s financial reporting
o Effectiveness and efficiency of operations
o Compliance with applicable laws and regulations
Whether an entity achieves its objectives relating to financial reporting and compliance is determined largely by
activities within the entity’s control.
However, achieving its objectives relating to operations depends not only on management’s decisions but
also on competitors’ actions and other factors outside the entity.
2. Internal Control System Defined
Internal control system means all the policies and procedures (internal control) adopted
by the management of an entity to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business,
including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of the
accounting records, and the timely preparation of reliable financial information.
3. Elements of Internal Control
Internal control structures vary significantly from one company to the next.
Factors such as the size of the business, the nature of its operations, the geographical dispersion of its activities and
the objectives of the organization affect the specific control features of an organization.
However, certain elements or features must be present to have a satisfactory system of control in almost
any large-scale organization.
The internal control system extends beyond those matters which relate directly to the functions of the
accounting system and consists of the following components:
a. The control environment;
b. The entity’s risk assessment process;
c. The information system, including the related business processes, relevant to financial reporting, and
communication;
d. Control activities;
e. Monitoring of controls.
a. The control environment
The control environment means the overall attitude, awareness and actions of directors and
management regarding the internal control system and its importance in the entity.
The control environment has an effect on the effectiveness of the specific control procedures.
A strong control environment, for example, one with tight budgetary controls and an effective internal
audit function, can significantly complement specific control procedures.
However, a strong environment does not, by itself, ensure the effectiveness of the internal control
system.
Factors reflected in the control environment include:
o The function of the board of directors and its committees;
o Management’s philosophy and operating style;
o The entity’s organizational structure and methods of assigning authority and responsibility;
o Management’s control system including the internal audit function, personnel policies and
procedures and segregation of duties.
Several factors comprise the control environment, including:
1. Communication and Enforcement of Integrity and Ethical Values
Integrity and ethical values are essential elements of the internal control environment.
They affect the design, administration, and monitoring of other components of internal
control.
An entity’s ethical and behavioral standards, and the manner in which it communicates and
reinforces them, determine the entity’s integrity and ethical behavior.
Integrity and ethical values include management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in dishonest, illegal, or
unethical acts.
They also include the communication of entity values and behavioral standards to
personnel through policy statements, a code of conduct, and management’s example of
appropriate behavior.
2. Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an
employee’s job.
Commitment to competence means that management considers the competence level
for a particular job in determining the skills and knowledge required of each employee
and that it hires employees competent to perform the tasks.
3. Participation by those charged with Governance
An entity’s control consciousness is influenced significantly by those charged with
governance.
Attributes of those charged with governance include independence from management,
their experience and stature, the extent of their involvement and scrutiny of activities, the
appropriateness of their actions, the information they receive, the degree to which difficult
questions are raised and pursued with management, and their interaction with internal
and external auditors.
The importance of responsibilities of those charged with governance is recognized in
codes of practice and other regulations or guidance produced for the benefit of those
charged with governance.
Other responsibilities of those charged with governance include oversight of the design
and effective operation of whistle blower procedures and the process for reviewing the
effectiveness of the entity’s internal control.
4. Management’s Philosophy and Operating Style
This refers to management’s attitude towards (a) business risk, (b) financial reporting and (c)
meeting budget, profit and other established goals, all of which affect the reliability
of the financial statements.
Management’s approach to taking and monitoring business risks, its conservative or
aggressive selection from alternative accounting principles, its conscientiousness and
conservatism in developing accounting estimates, and its attitude toward information
processing and the accounting function and personnel are factors that affect the control
environment.
5. Organization Structure
The responsibilities and authorities of the various personnel within the organization
should be established in such a manner as to:
o Assist the entity in meeting its goals and objectives
o Ensure that the transactions are processed, recorded, summarized and
reported in an accurate and timely manner.
Organizational structure provides the overall framework for planning, directing and
controlling operations.
6. Assignment of Authority and Responsibility
Personnel within an organization need to have a clear understanding of their
responsibilities and the rules and regulations that govern their actions.
Management may develop job descriptions and computer system documentation.
It may also establish policies regarding acceptable business practice, conflicts of interest
and a code of conduct.
7. Human Resources Policies and Procedures
Perhaps the most important element of an internal accounting control system is the
people who perform and execute the established policies and procedures.
Personnel policies should be adopted by the client to reasonably ensure that only
capable and honest persons are hired and retained.
Policies with respect to employee selection, training and supervision should be adopted
and implemented by the client.
The selection of competent and honest personnel does not automatically assure that
errors or irregularities will not occur.
However, adequate personnel policies, coupled with the design concepts suggested
earlier in this section, enhance the likelihood that the client’s policies and procedures
will be followed.
b. Entity’s Risk Assessment Process
Risk assessment is the “identification, analysis, and management of risks pertaining to the preparation
of financial statements”.
An entity’s risk assessment process is its process for identifying and responding to business risks and
the results thereof.
For financial reporting purposes, the entity’s risk assessment process includes how management
identifies risks relevant to the preparation of financial statements that are presented fairly, in all
material respects in accordance with the entity’s applicable financial reporting framework, estimates
their significance, assesses the likelihood of their occurrence, and decides upon actions to manage
them.
For example, the entity’s risk assessment process may address how the entity considers the
possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the
financial statements.
Risks relevant to reliable financial reporting also relate to specific events or transactions.
Risks relevant to financial reporting include external and internal events and circumstances that may
occur and adversely affect an entity’s ability to initiate, record, process, and report financial data
consistent with the assertions of management in the financial statements.
Once risks are identified, management considers their significance, the likelihood of their occurrence,
and how they should be managed.
Management may initiate plans, programs, or actions to address specific risks or it may decide to
accept a risk because of cost or other considerations.
Risks can arise or change due to circumstances such as the following:
Changes in operating environment.
o Changes in the regulatory or operating environment can result in changes in competitive
pressures and significantly different risks.
New personnel.
o New personnel may have a different focus on or understanding of internal control.
New or revamped information systems.
o Significant and rapid changes in information systems can change the risk relating to
internal control.
Rapid growth
o Significant and rapid expansion of operations can strain controls and increase the risk of
a breakdown in controls.
New technology
o Incorporating new technologies into production processes or information systems may
change the risk associated with internal control.
New business models, products, or activities
o Entering into business areas or transactions with which an entity has little experience
may introduce new risks associated with internal control.
Corporate restructurings
o Restructuring may be accompanied by staff reductions and changes in supervision and
segregation of duties that may change the risk associated with internal control.
Expanded foreign operations
o The expansion or acquisition of foreign operations carries new and often unique risks
that may affect internal control, for example, additional or changed risks from foreign
currency transactions.
New accounting pronouncements
o Adoption of new accounting principles or changing accounting principles may affect risks
in preparing financial statements.
The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of
size, but the risk assessment process is likely to be less formal and less structured in small entities
than in larger ones.
All entities should have established financial reporting objectives, but they may be recognized
implicitly rather than explicitly in small entities.
Management may be aware of risks related to these objectives without the use of a formal process but
through direct personal involvement with employees and outside parties.
Considerations Specific to Smaller Entities
o Many audits of small entities are carried out entirely by the engagement partner (who may be a sole
practitioner).
o In such situations, it is the engagement partner who, having personally conducted the
planning of the audit, is responsible for considering the susceptibility of the entity’s
financial statements to material misstatement due to fraud or error.
c. Information System including the Business Processes, Relevant to Financial Reporting and
Communication
An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data.
Infrastructure and software will be absent, or have less significance, in systems that are exclusively or
primarily manual.
Many information systems make extensive use of IT.
Information System including the Business Processes, Relevant to Financial Reporting
The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the procedures and records designed and established to:
o Initiate, record, process, and report entity transactions (as well as events and conditions)
and to maintain accountability for the related assets, liabilities, and equity.
o Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;
o Process and account for system overrides or bypasses to controls.
o Transfer information from transaction processing systems to the general ledger.
o Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivables; and
o Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized and appropriately reported
in the financial statements.
Journal Entries
An entity’s information system typically includes the use of standard journal entries that are
required on a recurring basis to record transactions.
Examples might be journal entries to record sales, purchases, and cash disbursements in the
general ledger, or to record accounting estimates that are periodically made by management,
such as changes in the estimate of uncollectible accounts receivable.
An entity’s financial reporting process also includes the use of non-standard journal entries to
record non-recurring, unusual transactions or adjustments.
Examples of such entries include consolidating adjustments and entries for a business
combination or disposal or nonrecurring estimates such as the impairment of an asset.
In manual general ledger systems, non-standard journal entries may be identified through
inspection of ledgers, journals, and supporting documentation.
When automated procedures are used to maintain the general ledger and prepare financial
statements, such entries may exist only in electronic form and may therefore be more easily
identified through the use of computer assisted audit techniques.
Related Business Processes
An entity’s business processes are the activities designed to:
o Develop, purchase, produce, sell and distribute an entity’s products and services;
o Ensure compliance with laws and regulations; and
o Record information, including accounting and financial reporting information.
Business processes result in the transactions that are recorded, processed and reported by the
information system.
Obtaining an understanding of an entity’s business processes, including how transactions are
originated, assists the auditor in obtaining an understanding of the entity’s information system relevant to
financial reporting in a manner that is appropriate to the entity’s circumstances.
Accordingly, an information system encompasses methods and records that:
o Identify and record all valid transactions.
o Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
o Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
o Determine the time period in which transactions occurred to permit recording of transactions
in the proper accounting period.
o Present properly the transactions and related disclosures in the financial statements.
Communication involves providing an understanding of individual roles and responsibilities pertaining
to internal control over financial reporting.
It includes the extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting exceptions to an
appropriate higher level within the entity.
Open communication channels help ensure that exceptions are reported and acted on.
Communication takes such forms as policy manuals, accounting and financial reporting manuals, and
memoranda.
Communication also can be made electronically, orally, and through the actions of management.
Application to Small Entities
Information systems and related business processes relevant to financial reporting in small entities are
likely to be less formal than in larger entities but their role is just as significant.
Small entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies.
Communication may be less formal and easier to achieve in a small entity than in a larger entity due to
the small entity’s size and fewer levels, as well as management’s greater visibility and availability.
d. Control activities
Control activities are the policies and procedures that help ensure that management directives are
carried out, for example, the necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives.
Control activities, whether within IT or manual systems, have various objectives and are applied at
various organizational and functional levels.
The major categories of control procedures are:
a. Performance review
b. Information processing controls
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Adequate documents and records
4. Safeguards over access to assets; and
5. Independent checks on performance
c. Physical controls
a. Performance review
In a performance review management uses accounting and operating data to assess
performance, and then takes corrective action.
Such reviews include:
o Comparing actual performance (or operating results) with budgets, forecasts, prior
period performance, or competitors’ data, or tracking major initiatives such as cost-
containment or cost-reduction programs to measure the extent to which targets are
being met.
o Investigating performance indicators based on operating or financial data, such as
quantity or purchase price variances or the percentage of returns to total orders.
o Reviewing functional or activity performance, such as relating the performance of a
manager responsible for a bank’s consumer loans with some standard, such as
economic statistics or targets.
Personnel at various levels in an organization may make performance reviews.
Performance reviews may be used by managers for the sole purpose of making operating
decisions.
For example, managers may analyze performance data and base operating decisions on
them because the data are consistent with their expectations.
This type of review improves the reliability of the data.
However, when managers follow up on unexpected results determined by a financial
reporting system, performance reviews become a useful control over financial reporting.
b. Information processing controls
Information processing controls are policies and procedures designed to require authorization
of transactions and to ensure the accuracy and completeness of transaction processing.
Control activities may be classified according to the scope of the system they affect.
General controls are control activities that prevent or detect errors or irregularities across all
accounting systems.
General controls affect all transaction cycles and apply to information processing as a whole, to
hardware and systems software acquisition and maintenance, and to backup and recovery
procedures.
Application controls are controls that pertain to the processing of specific types of transactions,
such as payroll, or sales and collections.
These controls help ensure that transactions occurred, are authorized and are completely
and accurately recorded and processed.
Examples of application controls include checking the arithmetical accuracy of records,
maintaining and reviewing of accounts and trial balances, automated controls such as input
data and numerical sequence checks, and manual follow-up of exception reports.
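The automated application controls listed above can be shown running over a small input batch. The following Python script is an added example and is not part of the lecture notes; the invoice fields, the customer master file, the open accounting period and the batch control total are all constructed for illustration. It applies a numerical sequence check, an arithmetical accuracy check of line totals, validity and range checks on input data, a cut-off check against the open period and a batch control total, and produces the exception report that a clerk would then follow up manually.

```python
"""Application controls over a constructed batch of sales invoices.

Added example for illustration; not part of the lecture notes. The invoice
fields, customer master file, open period and batch control total are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Invoice:
    invoice_no: int
    customer_id: str
    invoice_date: date
    lines: list      # (description, quantity, unit_price) tuples
    total: float     # total keyed by the operator, to be proved


# Constructed reference data: valid customers and the open accounting period.
CUSTOMER_MASTER = {"C001", "C002", "C003"}
PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)

# Constructed input batch. The batch header claims a control total of 860.00;
# the invoices actually sum to 855.00, so the batch total check should fail.
BATCH_CONTROL_TOTAL = 860.00
SAMPLE_BATCH = [
    Invoice(1001, "C001", date(2024, 3, 4), [("widget", 10, 25.0)], 250.0),
    Invoice(1002, "C002", date(2024, 3, 5), [("gadget", 2, 100.0), ("cable", 5, 10.0)], 250.0),
    Invoice(1004, "C009", date(2024, 3, 6), [("widget", 4, 25.0)], 100.0),   # 1003 missing; unknown customer
    Invoice(1004, "C003", date(2024, 4, 2), [("gizmo", 1, 300.0)], 330.0),   # duplicate number; wrong period; does not add up
    Invoice(1005, "C001", date(2024, 3, 9), [("widget", -3, 25.0)], -75.0),  # negative quantity
]


def check_sequence(batch):
    """Numerical sequence check: report gaps and duplicates in invoice numbers."""
    exceptions, seen = [], set()
    numbers = sorted(inv.invoice_no for inv in batch)
    if not numbers:
        return exceptions
    expected = numbers[0]
    for n in numbers:
        if n in seen:
            exceptions.append((n, "sequence: duplicate invoice number"))
            continue
        seen.add(n)
        while expected < n:                       # every skipped number is a gap
            exceptions.append((expected, "sequence: missing invoice number"))
            expected += 1
        expected = n + 1
    return exceptions


def check_invoice(inv):
    """Edit checks on one invoice: arithmetic, validity, cut-off and range."""
    problems = []
    computed = round(sum(qty * price for _, qty, price in inv.lines), 2)
    if computed != round(inv.total, 2):
        problems.append(f"arithmetic: lines sum to {computed:.2f}, keyed total {inv.total:.2f}")
    if inv.customer_id not in CUSTOMER_MASTER:
        problems.append(f"validity: customer {inv.customer_id} not in master file")
    if not PERIOD_START <= inv.invoice_date <= PERIOD_END:
        problems.append(f"cut-off: date {inv.invoice_date} outside the open period")
    if any(qty <= 0 or price < 0 for _, qty, price in inv.lines):
        problems.append("range: non-positive quantity or negative unit price")
    return problems


def exception_report(batch, control_total):
    """Run every control over the batch; return (invoice_no, message) pairs."""
    report = list(check_sequence(batch))
    for inv in batch:
        report.extend((inv.invoice_no, msg) for msg in check_invoice(inv))
    batch_total = round(sum(inv.total for inv in batch), 2)
    if batch_total != round(control_total, 2):        # batch control total check
        report.append((None, f"batch: invoices total {batch_total:.2f}, control total {control_total:.2f}"))
    return report


if __name__ == "__main__":
    for invoice_no, message in exception_report(SAMPLE_BATCH, BATCH_CONTROL_TOTAL):
        print(f"{invoice_no or 'BATCH':>6}  {message}")
```

The sequence check runs over the whole batch because a gap or duplicate is only visible across invoices, while the edit checks run per invoice; the batch control total is the last line of defence and catches a keying error that every per-invoice check passed. The report is data, not just printed text, so it can be filed and its follow-up tracked.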
General IT controls are policies and procedures that relate to many applications and support
the effective functioning of application controls by helping to ensure the continued proper
operation of the information system.
General IT controls commonly include controls over data center and network operations;
system software acquisition, change and maintenance; access security; and application
system acquisition, development and maintenance.
These controls apply to mainframe, minicomputer and end-user environments.
Examples of such general IT controls are program change controls, controls that restrict
access to programs or data, controls over the implementation of new releases of packaged
software applications, and controls over system software that restrict access to or monitor the
use of system utilities that could change financial data or records without leaving an audit
trail.
Internal controls relating to the accounting system are concerned with achieving objectives
such as:
1. Transactions are executed in accordance with management’s general or specific
authorization.
2. All transactions and other events are promptly recorded in the correct amount, in the
appropriate accounts and in the proper accounting period so as to permit
preparation of financial statements in accordance with an identified financial
reporting framework.
3. Access to assets and records is permitted only in accordance with management’s
authorization.
4. Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken regarding any differences.
Control activities related to the processing of transactions may be grouped as follows:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Safeguards over access to assets
5. Independent checks on performance.
1. Proper authorization of transactions and activities.
As suggested earlier, authorization for the execution of transactions flows from the
stockholders to management and its subordinates.
Before a transaction is entered into with another party, certain conditions must usually be
met.
As part of the evaluation of the potential transaction, documentation will be created.
The auditor uses this documentation to determine whether business transactions are
properly authorized.
For example, the purchase of inventory may create a purchase order, a receiving report,
and a vendor invoice.
By inspecting these documents and comparing them with company policy, the auditor
may be reasonably satisfied that a business transaction was authorized and executed in a
manner consistent with company policy.
2. Segregation of duties
An important element in designing an internal accounting control system that safeguards
assets and reasonably ensures the reliability of the accounting records is the concept of
segregation of responsibilities.
No one person should be assigned duties that would allow the person to commit an error
or perpetrate fraud and to conceal the error or fraud.
For example, the same person should not both receive cash on account and post the
receipts to the accounting records.
3. Adequate documents and records
The use of adequate documents and records allow the company to obtain reasonable
assurance that all valid transactions have been recorded.
4. Access to assets
The resources of a client can be protected by the establishment of physical barriers and
appropriate policies.
For example, inventories may be kept in a storeroom, or negotiable instruments may be
placed in a safe deposit box.
Appropriate company policies are adopted so that only authorized persons have access
to company resources.
Safeguarding of assets is more than establishing physical barriers.
A client should design its internal accounting control system so that documents
authorizing the movement of assets into an organization or out of an organization are
adequately controlled.
5. Independent checks on performance
A further objective of a well-designed internal accounting control system is the adoption of
procedures that periodically compare actual assets with their recorded balances.
Regardless of the effectiveness of an internal control system, some transactions may not
be accurately recorded, and some assets may be misappropriated.
An important part of an internal accounting control system is to determine the
effectiveness of recording policies and asset access policies.
This is accomplished by periodic counts of assets by the client and comparing the counts
to the balances in the general ledger account.
Examples are the physical count of inventory and the preparation of the monthly bank reconciliation.
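The bank reconciliation mentioned as an independent check is worth seeing worked through, because its value lies in what it refuses to explain away. The following Python script is an added example and is not part of the lecture notes; the cash book, the bank statement, the opening and closing balances and the item references are all constructed for it. It matches book and bank items by reference, adjusts the bank balance for deposits in transit and outstanding cheques and the book balance for bank-only items such as fees and interest, and then reports any difference that is still unexplained, here a cheque that cleared for a different amount than the one recorded.

```python
"""Bank reconciliation as an independent check on the recorded cash balance.

Added example, not part of the lecture notes. The cash book, bank statement,
opening and closing balances and item references are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ref: str
    amount: float   # positive = deposit/receipt, negative = cheque/payment


# Constructed cash book (general ledger cash account) for the month.
BOOK_OPENING = 5000.0
CASH_BOOK = [
    Item("DEP-301", 1200.0), Item("CHQ-1041", -450.0), Item("CHQ-1042", -300.0),
    Item("DEP-302", 800.0),  Item("CHQ-1043", -125.0),
]

# Constructed bank statement for the same month. DEP-302 and CHQ-1043 have
# not yet cleared, the bank charged a fee and paid interest that the books do
# not yet show, and CHQ-1042 cleared for 330.00 instead of the 300.00 recorded.
BANK_CLOSING = 5409.5
BANK_STATEMENT = [
    Item("DEP-301", 1200.0), Item("CHQ-1041", -450.0), Item("CHQ-1042", -330.0),
    Item("BANK-FEE", -15.0), Item("INTEREST", 4.5),
]


def reconcile(cash_book, bank_statement, book_opening, bank_closing):
    """Match book and bank items by reference, adjust each side for the timing
    differences, and report any difference that remains unexplained."""
    book = {i.ref: i.amount for i in cash_book}
    bank = {i.ref: i.amount for i in bank_statement}

    book_closing = round(book_opening + sum(book.values()), 2)
    # Timing differences: recorded in the books, not yet on the statement.
    deposits_in_transit = [i for i in cash_book if i.amount > 0 and i.ref not in bank]
    outstanding_cheques = [i for i in cash_book if i.amount < 0 and i.ref not in bank]
    # Items the bank processed that the books have not yet recorded.
    bank_only = [i for i in bank_statement if i.ref not in book]
    # Same reference, different amount: needs investigation, not adjustment.
    mismatches = [(ref, book[ref], bank[ref]) for ref in sorted(book.keys() & bank.keys())
                  if book[ref] != bank[ref]]

    adjusted_bank = round(bank_closing + sum(i.amount for i in deposits_in_transit)
                          + sum(i.amount for i in outstanding_cheques), 2)
    adjusted_book = round(book_closing + sum(i.amount for i in bank_only), 2)
    return {
        "book_closing": book_closing,
        "adjusted_bank": adjusted_bank,
        "adjusted_book": adjusted_book,
        "unexplained_difference": round(adjusted_book - adjusted_bank, 2),
        "deposits_in_transit": deposits_in_transit,
        "outstanding_cheques": outstanding_cheques,
        "bank_only_items": bank_only,
        "amount_mismatches": mismatches,
    }


if __name__ == "__main__":
    result = reconcile(CASH_BOOK, BANK_STATEMENT, BOOK_OPENING, BANK_CLOSING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The reconciliation only adjusts for differences it can attribute to timing or to bank-originated items; a matched reference with a different amount is deliberately left as an unexplained difference so that the 30.00 is investigated rather than plugged. The person performing the reconciliation should be someone other than the one who handles cash or posts the cash book, which is the segregation point made earlier in these notes.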
c. Physical controls
Controls that encompass:
o The physical security of assets, including adequate safeguards, such as secured
facilities, over access to assets and records.
o The authorization for access to computer programs and data files.
o The periodic counting and comparison with amounts shown on control records (for
example, comparing the results of cash, security and inventory counts with
accounting records).
The extent to which physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore to the audit, depends on
circumstances such as when assets are highly susceptible to misappropriation.
The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies.
Further, small entities may find that certain types of control activities are not relevant because
of controls applied by management.
For example, management’s retention of authority for approving credit sales, significant
purchases, and drawdowns on lines of credit can provide strong control over those activities,
lessening or removing the need for more detailed control activities.
An appropriate segregation of duties often appears to present difficulties in small entities.
Even companies that have only a few employees, however, may be able to assign their
responsibilities to achieve appropriate segregation or, if that is not possible, to use
management oversight of the incompatible activities to achieve control objectives.
e. Monitoring of controls
Monitoring, the final component of internal control, is the process that an entity uses to
assess the quality of internal control over time.
Monitoring involves assessing the design and operation of controls on a timely basis
and taking corrective action as necessary.
Management monitors controls to consider whether they are operating as intended
and to modify them as appropriate for changes in conditions.
In many entities, internal auditors evaluate the design and operation of internal control
and communicate information about strengths and weaknesses and recommendations
for improving internal control.
Monitoring activities may also use information from communications from external
parties that indicate problems or highlight areas in need of improvement.
For example, customers implicitly corroborate billing data by paying their invoices or
complaining about their charges.
Regulators may also communicate with the entity concerning matters that affect the
functioning of internal control, for example, communications concerning examinations by
bank regulatory agencies.
In addition, management may consider communications relating to internal control from
external auditors in performing monitoring activities.
Application in Small Entities
o Ongoing monitoring activities of small entities are more likely to be informal
and are typically performed as a part of the overall management of the entity’s
operations.
o Management’s close involvement in operations will often identify significant
variances from expectations and inaccuracies in financial data, leading to
corrective action on the controls.