UNIT 4:

INTERNAL CONTROL AND ITS EVALUATION

INTRODUCTION
Our consideration of internal control in this unit has three major objectives.
~First to explain the meaning and significance of internal control,
~Second, to discuss the major components of a client's internal control structure; and
~Third, to show how auditors go about obtaining an understanding of internal control to meet
the requirements of the second standard of field work. Internal control has attained greatest
significance in large-scale business organizations.

THE MEANING OF INTERNAL CONTROL

An internal control system is a set of policies and procedures designed :
~ to protect assets,
~ provide accurate accounting records and
~ evaluate performances.

The internal control system comprises the control environment and control procedures.
It includes all the policies and procedures adopted by the directors and management of an
entity to assist in achieving their objective of ensuring, as far as practicable, the orderly and
efficient conduct of its business

OBJECTIVES OF INTERNAL CONTROL

Some studies suggest that management typically has the following objectives in setting up a
good system of internal control.

a) The orderly and efficient conduct of its business

1
 An organization which is efficient and conducts its affairs in an orderly manner is much
more likely to be able to supply the auditors with sufficient appropriate audit evidence on
which to base their audit opinion. More importantly, the level of inherent and control risk
will be lower, giving extra assurance that the financial statements do not contain material
errors.
b) Adherence to Internal Policies
Management is responsible for setting up an effective system of internal control and
management policy provides the broad framework within which internal controls have to
operate. Unless management does have a pre-determined set of policies, then it is very
difficult to imagine how the company could be expected to operate efficiently.
Management policy will cover all aspects of the company's activities and will range from
broad corporate objectives to specific areas such as determining selling prices and wage
rates.
c) Safeguarding of Assets
This objective may relate to the physical protection of assets (for example by locking
monies in a safe at night) or to less direct safeguarding (for example ensuring that there is
adequate insurance, cover for all assets). It can also be seen as relating to the maintenance
of proper records in respect of all assets.
The auditors will be concerned to ensure that the company has properly safeguarded its
assets so that they can form an opinion on existence of specific assets and, more generally,
on whether the company's records can be taken as a reliable basis for the preparation of
financial statements. Reliance on the underlying records will be particularly significant
where the figures in the financial statements are derived from such records rather than as
the result of physical inspection.
d) Prevention and Detection of Fraud and Error
The directors are responsible for taking reasonable steps to prevent and detect fraud. They
are also responsible for preparing financial statements, which give a true and fair view of
the entity's affairs. However, the auditors must plan and perform their audit procedures
and evaluate and report the results thereof, recognizing that fraud or error may materially
affect the financial statements. A strong system of internal control will give the auditors

2
 some assurance that frauds and errors are not occurring unless management are colluding
to overcome that system.
e) Accuracy and completeness of the accounting record s /timely preparation
of reliable financial information
This objective is most clearly related to statutory requirements relating to both
management and auditors. The auditors must form an opinion on whether the company
has fulfilling this obligation and also conclude whether the financial statements are in
agreement with underlying records.

f) Reliability of financial reporting

Management is responsible for preparing statements for investors, creditors, and other users.
Management has both a legal and professional responsibility to be sure that the information is
fairly presented in accordance with reporting requirements of accounting frameworks such as
GAAP and IFRS. The objective of effective internal control over financial reporting is to
fulfill these financial reporting responsibilities.
g) . Efficiency and effectiveness of operations
Controls within a company encourage efficient and effective use of its resources to optimize
the company’s goals. An important objective of these controls is accurate financial and
nonfinancial information about the company’s operations for decision making.
i) Compliance with laws and regulations
Section 404 requires management of all public companies to issue a report about the operating
effectiveness of internal control over financial reporting. In addition to the legal provisions of
Section 404, public, nonpublic, and not-for-profit organizations are required to follow many
laws and regulations. Some relate to accounting only indirectly, such as environmental
protection and civil rights laws. Others are closely related to accounting, such as income tax
regulations and anti-fraud legal provisions.

COMPONENTS (ELEMENTS) OF INTERNAL CONTROL

3
Internal Control—Integrated Framework, the most widely accepted internal control
framework in the United States, describes five components of internal control that
management designs and implements to provide reasonable assurance that its control
objectives will be met. Each component contains many controls, but auditors concentrate on
those designed to prevent or detect material misstatements in the financial statements. The
internal control components include the following:
 Control environment
 Risk assessment
 Control activities
 Information and communication
 Monitoring
1. The Control Environment
The control environment serves as the umbrella for the other four components. Without an
effective control environment, the other four are unlikely to result in effective internal
control, regardless of their quality.
The essence of an effectively controlled organization lies in the attitude of its management. If
top management believes that control is important, others in the organization will sense this
commitment and respond by conscientiously observing the controls established. If members
of the organization believe that control is not an important concern to top management, it is
almost certain that management’s control objectives will not be effectively achieved.
The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about internal control
and its importance to the entity.
~ To understand and assess the control environment, auditors should consider the most
important control sub components.
 Integrity and Ethical Values: Integrity and ethical values is the product of the
entity’s ethical and behavioral standards, as well as how they are communicated and
reinforced in practice. They include management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in dishonest, illegal,
or unethical acts. They also include the communication of entity values and behavioral
standards to personnel through policy statements, codes of conduct, and by example.

4
  Commitment to Competence: Competence is the knowledge and skills necessary to
accomplish tasks that define an individual’s job. Commitment to competence includes
management’s consideration of the competence levels for specific jobs and how those
levels translate into requisite skills and knowledge.
 Board of Director or Audit Committee Participation: The board of directors is
essential for effective corporate governance because it has ultimate responsibility to
make sure management implements proper internal control and financial reporting
processes. An effective board of directors is independent of management, and its
members stay involved in and scrutinize management’s activities. Although the board
delegates responsibility for internal control to management, it must regularly assess
these controls. In addition, an active and objective board can reduce the likelihood that
management overrides existing controls.
To assist the board in its oversight, the board creates an audit committee that is charged with
oversight responsibility for financial reporting. The audit committee is also responsible for
maintaining ongoing communication with both external and internal auditors, including the
approval of audit and non-audit services done by auditors for public companies. This allows
the auditors and directors to discuss matters that might relate to such things as management
integrity or the appropriateness of actions taken by management.
The audit committee’s independence from management and knowledge of financial reporting
issues are important determinants of its ability to effectively evaluate internal controls and
financial statements prepared by management. The Sarbanes–Oxley Act directed the SEC to
require the national stock exchanges (NYSE and NASDAQ) to strengthen audit committee
requirements for public companies listing securities on the exchanges.
 Management’s Philosophy and Operating Style: Management, through its
activities, provides clear signals to employees about the importance of internal control.
For example, does management take significant risks, or is it risk averse? Are sales
and earnings targets unrealistic, and are employees encouraged to take aggressive
actions to meet those targets? Can management be described as “fat and bureaucratic,”
“lean and mean,” Dominated by one or a few individuals, or is it “just right”?
Understanding these and similar aspects of management’s philosophy and operating
style gives the auditor a sense of management’s attitude about internal control.

5
  Organizational Structure: The entity’s organizational structure defines the existing
lines of responsibility and authority. By understanding the client’s organizational
structure, the auditor can learn the management and functional elements of the
business and perceive how controls are implemented.
 Human Resource Policies and Practices: The most important aspect of internal
control is personnel. If employees are competent and trustworthy, other controls can
be absent, and reliable financial statements will still result. Incompetent or dishonest
people can reduce the system to a shambles—even if there are numerous controls in
place. Honest, efficient people are able to perform at a high level even when there are
few other controls to support them. However, even competent and trustworthy people
can have shortcomings. For example, they can become bored or dissatisfied, personal
problems can disrupt their performance, or their goals may change.
Because of the importance of competent, trustworthy personnel in providing effective control,
the methods by which persons are hired, evaluated, trained, promoted, and compensated are
an important part of internal control.

2. Risk assessment
Risk assessment for financial reporting is management’s identification and analysis of risks
relevant to the preparation of financial statements in conformity with appropriate accounting
standards. For example, if a company frequently sells products at a price below inventory cost
because of rapid technology changes, it is essential for the company to incorporate adequate
controls to address the risk of overstating inventory.
Similarly, failure to meet prior objectives, quality of personnel, and geographic dispersion of
company operations, significance and complexity of core business processes, introduction of
new information technologies, economic downturns, and entrance of new competitors are
examples of factors that may lead to increased risk. Once management identifies a risk, it
estimates the significance of that risk, assesses the likelihood of the risk occurring, and
develops specific actions that need to be taken to reduce the risk to an acceptable level.
Management’s risk assessment differs from but is closely related to the auditor’s risk

6
assessment. While management assesses risks as a part of designing and operating internal
controls to minimize errors and fraud, auditors assess risks to decide the evidence needed in
the audit. If management effectively assesses and responds to risks, the auditor will typically
accumulate less evidence than when management fails to identify or respond to significant
risks.
Auditors obtain knowledge about management’s risk assessment process using questionnaires
and discussions with management to determine how management identifies risks relevant to
financial reporting, evaluates the significance and likelihood of the risks occurring, and
decides the actions needed to address the risks

3. Control activities
Control activities are the policies and procedures, in addition to those included in the other
four control components that help ensure that necessary actions are taken to address risks to
the achievement of the entity’s objectives. There are potentially many such control activities
in any entity, including both manual and automated controls. The control activities generally
fall into the following five types, which are discussed next:
 Adequate separation of duties
 Proper authorization of transactions and activities
 Adequate documents and records
 Physical control over assets and records
 Independent checks on performance
1. Adequate Separation of Duties: Four general guidelines for adequate
separation of duties to prevent both fraud and errors are especially significant for
auditors.
 Separation of the Custody of Assets from accounting: To protect a company from
embezzlement, a person who has temporary or permanent custody of an asset should
not account for that asset. Allowing one person to perform both functions increases the
risk of that person disposing of the asset for personal gain and adjusting the records to
cover up the theft. If the cashier, for example, receives cash and is responsible for data
entry for cash receipts and sales, that person could pocket the cash received and adjust

7
 the customer’s account by failing to record a sale or by recording a fictitious credit to
the account.
 Separation of the Authorization of Transactions from the Custody of Assets: It is
desirable to prevent persons who authorize transactions from having control over the
related asset, to reduce the likelihood of embezzlement. For example, the same person
should not authorize the payment of a vendor’s invoice and also approve the
disbursement of funds to pay the bill.
 Separation of Operational Responsibility from Record-Keeping Responsibility:
To ensure unbiased information, record keeping is typically the responsibility of a
separate department reporting to the controller. For example, if a department or
division oversees the creation of its own records and reports, it might change the
results to improve its reported performance.
 Separation of IT Duties from User Departments: As the level of complexity of IT
systems increases, the separation of authorization, record keeping, and custody often
becomes blurred (unclear, distorted). For example, sales agents may enter customer
orders online. The computer authorizes those sales based on its comparison of
customer credit limits to the master file and posts all approved sales in the sales cycle
journals. Therefore, the computer plays a significant role in the authorization and
record keeping of sales transactions. To compensate for these potential overlaps of
duties, it is important for companies to separate major IT-related functions from key
user department functions. In this example, responsibility for designing and
controlling accounting software programs that contain the sales authorization and
posting controls should be under the authority of IT, whereas the ability to update
information in the master file of customer credit limits should reside in the company’s
credit department outside the IT function.
2. Proper Authorization of Transactions and Activities: Every transaction
must be properly authorized if controls are to be satisfactory. If any person in an
organization could acquire or expend assets at will, complete chaos would result.
Authorization can be either general or specific. Under general authorization,
management establishes policies and subordinates are instructed to implement these
general authorizations by approving all transactions within the limits set by the policy.

8
 General authorization decisions include the issuance of fixed price lists for the sale of
products, credit limits for customers, and fixed reorder points for making acquisitions.
When a department orders inventory, the clerk responsible for maintaining the perpetual
record approves the order to indicate the authorization policy has been met. In other cases, the
computer approves the transactions by comparing quantities of inventory on hand to a master
file of reorder points and automatically submits purchase orders to authorized suppliers in the
vendor master file. In this case, the computer is performing the approval function using
preauthorized information contained in the master files.
3. Adequate Documents and Records: Documents and records are the records
upon which transactions are entered and summarized. They include such diverse items
as sales invoices, purchase orders, subsidiary records, sales journals, and employee
time cards. Many of these documents and records are maintained in electronic rather
than paper formats.
Adequate documents are essential for correct recording of transactions and control of assets.
For example, if the receiving department completes an electronic receiving report when
material is received, the accounts payable computer application can verify the quantity and
description on the vendor’s invoice by comparing it with the information on the receiving
report, with exceptions resolved by the accounts payable department.
Certain principles dictate the proper design and use of documents and records.
Documents and records should be:
 Pre numbered consecutively to facilitate control over missing documents and records
and as an aid in locating them when they are needed at a later date.
Pre numbered documents and records are important for the completeness transaction-related
audit objective.
 Prepared at the time a transaction takes place, or as soon as possible thereafter, to
minimize timing errors.
 Designed for multiple use, when possible, to minimize the number of different forms.
For example, a properly designed electronic shipping record can be the basis for
releasing goods from storage to the shipping department, informing billing of the
quantity of goods to bill to the customer and the appropriate billing date, and updating
the perpetual inventory records.

9
  Constructed in a manner that encourages correct preparation. This can be done by
providing internal checks within the form or record. For example, computer screen
prompts may force online data entry of critical information before the record is
electronically routed for authorizations and approvals. Similarly, screen controls can
validate the information entered, such as when an invalid general ledger account
number is automatically rejected when the account number does not match the chart
of accounts master file.
A control closely related to documents and records is the chart of accounts, which classifies
transactions into individual balance sheet and income statement accounts.
The chart of accounts is helpful in preventing classification errors if it accurately describes
which type of transactions should be in each account.
4. Physical Control over Assets and Records: To maintain adequate internal
control, assets and records must be protected. If assets are left unprotected, they can be
stolen. If records are not adequately protected, they can be stolen, damaged, altered, or
lost, which can seriously disrupt the accounting process and business operations.
When a company is highly computerized, its computer equipment, programs, and data files
must be protected. The data files are the records of the company and, if damaged, could be
costly or even impossible to reconstruct.
The most important type of protective measure for safeguarding assets and records is the use
of physical precautions. An example is the use of storerooms for inventory to guard against
theft. When the storeroom is under the control of a competent employee, there is further
assurance that theft is minimized. Fireproof safes and safety deposit vaults for the protection
of assets such as currency and securities are other important physical safeguards in addition to
off-site back-up of computer software and data files.
5. Independent Checks on Performance: The last category of control activities
is the careful and continuous review of the other four, often called independent checks
or internal verification. The need for independent checks arises because internal
controls tend to change over time, unless there is frequent review. Personnel are likely
to forget or intentionally fail to follow procedures, or they may become careless unless
someone observes and evaluates their performance. Regardless of the quality of the
controls, personnel can make errors or commit fraud.

10
Personnel responsible for performing internal verification procedures must be independent of
those originally responsible for preparing the data. The least expensive means of internal
verification is the separation of duties in the manner previously discussed. For example, when
the bank reconciliation is done by a person independent of the accounting records and
handling of cash, there is an opportunity for verification without incurring significant
additional costs.
Computerized accounting systems can be designed so that many internal verification
procedures can be automated as part of the system. For example, the computer can prevent
processing payment on a vendor invoice if there is no matching purchase order number or
receiving report number for that invoice included in the system.
Auditing standards require the auditor to obtain an understanding of the process company
employees follow to reconcile detail records supporting a significant account balance to the
general ledger for those accounts to help the auditor more effectively design and perform
audit procedures. For example, an auditor is likely to send confirmations of customer accounts
receivable selected from accounts receivable master files. Before planning the confirmation
procedures the auditor needs to understand the design and implementation of controls that
company personnel use to reconcile the accounts receivable master file to the related general
ledger account balance.

4. Information and Communication

The purpose of an entity’s accounting information and communication system is;

~ to initiate, record, process, and
~ report the entity’s transactions and to maintain account - ability for the related assets.
An accounting information and communication system has several subcomponents,
typically made up of classes of transactions such as
~ sales,
~ sales returns,
~ cash receipts,
~ acquisitions, and so on. For each class of transactions, the accounting system must satisfy
all of the six transaction-related audit objectives identified earlier in Table 10-1 (p. 293). For

11
example, the sales accounting system should be designed to ensure that all shipments of goods
are correctly recorded as sales (completeness and accuracy objectives) and are reflected in the
financial statements in the proper period (timing objective). The system must also avoid
duplicate recording of sales and recording a sale if a shipment did not occur (occurrence
objective).
To understand the design of the accounting information system, the auditor determines :
(1) the major classes of transactions of the entity;
(2) how those transactions are initiated and recorded;
(3) what accounting records exist and their nature;
(4) how the system captures other events that are significant to the financial statements, such
as declines in asset values; and
(5) the nature and details of the financial reporting process followed, including procedures to
enter transactions and adjustments in the general ledger.

5. Monitoring
Monitoring activities deal with ongoing or periodic assessment of the quality of internal
control by management to determine that controls are operating as intended and that they are
modified as appropriate for changes in conditions.
The information being assessed comes from a variety of sources, including
~ studies of existing internal controls,
~ internal auditor reports,
~ exception reporting on control activities,
~ reports by regulators such as bank regulatory agencies,
~ feedback from operating personnel, and
~complaints from customers about billing charges.

For many companies, especially larger ones, an internal audit department is essential for
effective monitoring of the operating performance of internal controls.

12
To be effective, the internal audit function must be performed by staff independent of both the
operating and accounting departments and report directly to a high level of authority within
the organization, either top management or the audit committee of the board of directors.
In addition to its role in monitoring an entity’s internal control, an adequate internal audit staff
can reduce external audit costs by providing direct assistance to the external auditor. PCAOB
Standard 5 defines the extent that auditors can use the work done by internal auditors when
reporting on internal control under Section 404.

LIMITATIONS OF INTERNAL CONTROL

Auditing standards states that the directors of an entity will set up internal controls in the
accounting system to assess the following.
a) Transactions are executed with proper authorization
b) All transactions and other events are promptly recorded at the correct amount, in the
appropriate accounts and in the proper accounting period.
c) Access to assets is permitted only in accordance with proper authorization.
d) Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences.
However, any internal control system can only provide the directors with seasonal assurance
that their objectives are reached, because of inherent limitations, such as the following.
a) The usual requirement that the cost of an internal control does not outweigh the
potential loss, which may result from its absence.
b) Most systematic internal controls tend to be directed at routine transactions than non-
routine transactions. Hence it is important for auditors to ascertain what may go on
outside the accounting system.
c) The potential of human error in the operation of internal controls due to careless,
distraction, mistakes of judgment and the misunderstanding of instructions.
d) The possibility of controls being by passed because two or more people collude.
Collusion may be between people inside the organization, but may involve outsiders
as well.
e) The possibility that a person responsible for exercising internal control could abuse
that responsibility by overriding an internal control.

13
 f) The possibility that procedures may become inadequate due to changes in conditions
or that compliance with procedures may deteriorate overtime. This may particularly
apply if a business is expanding internal controls designed to cope with a smaller
business may well have problems coping.
These factors show why auditors cannot obtain all their evidence from tests of the systems of
internal control.

14