Chapter Four

4. Internal control
1. 1 Fundamentals of controls

 In the broadest sense an organization internal control structure (also referred to as internal
control system) consists of the policies and procedures established to provide reasonable
assurance that the organization objectives will be achieved.
General objectives of internal controls
 improving operational efficiency and effectiveness
 reliability of financial reporting
 safeguarding of assets and
 Compliance with management applicable laws, policies and procedures.
 For the purpose of auditor’s internal controls may be defined as:
“All the policies and procedures a company uses to prevent detect and correct material errors,
irregularities and misstatements that might get into financial statements.
For internal auditors: as an organizational control itself, one that functions by measuring and
evaluating the effectiveness of other controls (both operational and financial areas) operating
elsewhere in the organization should understand
 basic control concepts
 the adequacy of internal control
 consistent definition of internal control by management, employees and for him/herself
 objectives and components of internal control
 how to evaluate system of internal control to perform an audit review and to report to
management. Reasons for evaluation of internal control:
(1).To give the internal auditor a basis for planning the audit and to determine the nature, timing and
extent of audit procedures.(2).To formulate constructive suggestion for improvements in the
organizational internal controls deficiencies such as:
 absence of appropriate segregation of duties
 absence of appropriate reviews and approval of transactions
 evidence of failure of control procedures by persons in authority to the detriment of control
objectives

1
  evidence of willful wrong doing by employees or management including manipulation,
falsification or alteration of accounting records

For external auditors: external auditors should be concerned with the existence of
internal controls that are designed to prevent or detect misstatement in financial statements
INTERNAL CONTROL COMPONENTS
An internal control system consists of five interrelated components integrated with managerial
functions.
The Control environment

This environment creates a frame of mind within which an internal control system can function at all
levels in the institution. This entails integrity, ethical values, and competence as well as the attention
and direction of the head of the department and/or the Audit Committee, and also comprises
management’s philosophy and operating style, methods of assigning authority and responsibility, as
well as organization and development of staff.

Control activities

The internal control system contains certain control activities, including policies and procedures with
regard to approval, authorization, verification, reconciliation, review of operational activities,
safeguarding of assets, and segregation of duties.
Risk assessment
Risk assessment includes identification and analysis of risks posing a threat to the achievement of
institutional objectives. This assessment assists management in designing, implementing and
maintaining appropriate controls to minimize or eliminate the possible occurrence of undesirable
events. At the same time, the will also assist management in determining how to manage these risks.

Information and communication

A proper communication strategy is necessary to inform staff about development and implementation
of internal controls as part of existing system. This assists them in carrying out their responsibilities
and ensures set internal controls are applied to maintain the system.

Monitoring
Management should monitor the internal controls system to determine and improve quality of
performance, as this is a vital management tool.

2
1.2.1 Internal Control Structures

Internal control structures vary significantly from one organization to the other because of many
factors such as:
 the size of the entity
 the characteristics of the organization and ownership(e.g. centralized and decentralized,
share co. vs p.l.c, sole owner vs shareholders)
 the nature of the business(e,g.bank vs factory)
 diversity and complexity of its operation(mobile vs axum hotel)
 methods of processing data(computerized vs manual)
 legal and regulatory requirement( e.g. schools are regulated by MOE)

Internal control structure is divided into;

A) The Control Environments
B) The Accounting System
C) Control procedures

A) The control Environment

 The control environment is the collective effect of various overall factors that establish,
enhance, or mitigate the effectiveness of specific control policies and procedures. In other
words, it is the client’s environment (internal as well as external) within which controls exist
or operate.
 It includes the attitude, awareness & actions of the board of directors, management, owners,
& other parties in controlling the firm’s overall situations.
Internal Control Environmental Factors
1. Management Philosophy & Operating Style.

 Manages differ in both their philosophies to ward financial reporting and their
attitudes toward taking business risk.
2. Organizational Structure
 A well-designed organizational structure provides a basis for planning directing,
and, controlling operations.
A sound organizational structure of an entity should separate responsibilities for:
1. Authorization of transactions

3
 2. Record keeping for transaction, and
3. Custody of resulting assets.
4. Execution of the operation
 The responsibilities for financial matters & operating problems should be given to two separate
departments namely, the finance & accounting departments respectively
 While the finance department conducts financial activities, the accounting department
establishes accountability through accounting record
3. Personnel policies and procedures (or practices)
 The effectiveness of an internal control structure is affected by the characteristics for
hiring, training, evaluating, promoting and compensating employees.
4. Methods of Assigning authority & Responsibility
 The effectiveness of method of communicating employees’ authority and responsibilities
(Job description) including the organization’s rules and regulation affects the quality of the
control environment.
 Having sound organizational policies related to such matters as acceptable business
practices, conflicts of interests and codes of conduct
 Very effective methods of assignment of authority and responsibility will reduce the
likelihood of irregularities that may result in a significant misstatement in financial
statement figures.
5. Management Control Methods

 Management control methods are used to exercise control over the authority delegated to
others
 One good example is developing plans and monitoring the progress toward accomplishment
of those plans: budgeting and control system and variance analysis.

6. Internal Auditing
 Anther component of the internal control environment is an internal auditing staff or unit.
 Internal auditors investigate and appraise the internal control structure & the efficiency with
which the various units of the business are performing their assigned functions, and report
their findings and recommendations to top management.
 The amount and quality of work done by internal auditors are important considerations to
external auditors in assessing the control environment of a firm.

4
  The effectiveness of the internal audit unit of an organization mainly affected by factors
such as its authority, the qualification of its staff, and the resources made available it.
7. Audit committee
 In corporate environment, an audit committee is composed of members of the board of
directors who are neither officers nor employees of the client organization.
 This kind of independent body, the audit committee, from management will help to
maintain a direct line of communication between the board of directors & the entity’s
external or independent & that of internal auditors.
 They also monitor top management of the organization.
 While that audit committee monitors financial reporting the board oversees the business
activities of the firm.
B. The Accounting System
 An accounting system consists of the methods & records established to gather and report an
entity’s transaction & to maintain accountability for the related assets & liabilities.
 An accounting system is maintained to attain the following objectives.
1. Identify & record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting
3. Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of
transaction in proper accounting period
5. Present properly the transactions and related disclosures in the
financial statement.
C. Control procedures: In addition to the control environment and the accounting system,
management establishes other controls over the entity’s transactions and assets. The many control
procedures that can be implemented by a firm may be categorized as procedures for:
1. Proper authorization of transaction and activities
2. Appropriate segregation of duties
3. Adequate documentation and recording of transaction and events.
4. Effective safeguards over access to and use of assets and records access controls, and
5. Independent checks on performance and proper valuation of recorded amounts.

5
1. Authorization of Transaction
 Authorization of transactions may be either general or specific
 General authorization occurs when management establishes criteria for acceptance of a
certain type of transactions such as quantity discounts. Specific authorization occurs when
transactions are authorized on an individual basis ( e.g. sale of a major asset)
2. Segregation of Duties

 A functional concept of internal control is that no one department or person should handle all
aspects of a transaction from beginning to end

 No one department or individual should perform more than one of the functions of
authorizing transactions, recording transactions, and maintaining custody over assets.
 Below is given an example of a credit sale transaction in which initiation, execution and
recording as done by different persons (units).

Credit Shipping Billing Recording

Approval

 Credit * a shipping *a person in the * an accountant

Manager person billing (sales) (bookkeeper)

Department
3. Adequate Documentation

 A system of well- designed forms and documents is necessary to create a records of the
activities of all departments.(example include use of serial numbers for business documents or
preparing documents in different colors).
 Adequate safeguarding and numerical control should be maintained at all times for unused pre
numbered documents
4. Safeguarding over assets and records

 Physical access to assets and important records, documents, blank forms should be limited to
authorized personnel
 Limit access to assets such as cash inventory and securities, cost records and account receivable

6
 records and blank forms(such as blank checks, blank sales invoices and shipping orders)
 Generally, direct physical access to assets may be controlled through the use of safes, locks,
fences, guards, surveillance cameras, and security codes and so on.
5. Independent checks on performance and proper valuation

 The accuracy of the work of various individuals in a company may be verified by independent
checks on performance and valuation such as clerical checks, computer program controls,
independent review report and reconciliations.
 An independent body should make periodic comparison of accounting records and the physical
assets on hand.
 Any discrepancies thus obtained, when investigated, will uncover weakness either in
procedures for safeguarding assets or in maintaining the related accounting records-recorded
accountability.
 Periodic comparisons may include counts of cash on hand, reconciliation of bank statements,
counts of securities, confirmation of account receivable and payables, and other such comparison
of operations.
 The frequency of such comparison is governed by the related costs and benefits. yet, periodic
comparison and action to correct errors lowers the risk that material misstatements remain in the
accounts

CLASSIFICATION OF INTERNAL CONTROLS

Two different approaches to the classification of internal controls can be followed: broad and specific.
i. Broad categories: Internal controls very broadly into two categories: organizational and
procedural, both of which need discussion.
A. Organizational controls
These are often referred to as general or environmental controls involving organizational structures,
segregation of duties, supervision, management, and personnel.
Structural-The structural aspect of organizational controls refers to a clear structure and hierarchy of
responsibilities according to which authority is delegated. The structure creates an environment where
employees on one level can exercise control over employees on another.
Segregation of duties-This aspect of control is designed to avoid concentration of control and
execution of duties in a single official. Segregation can be instituted at various stages of processing and
recording of transactions, practically, the following three functions are separated: custody of goods

7
received, authorization of payments, and their recording in accounts. If a computerized accounting
system is used, which is usual, system development including programming should be separated from
operations.

Supervision-Supervision refers to daily arrangements for overseeing and checking transactions and
asset security.
Management-Internal controls should ensure management achieves their objectives. These
management controls represent, amongst others, provision of instructions, financial regulations,
reviews and checks by internal audit, budgetary controls, and monitoring of income and expenditure,.
Most are long-term arrangements for overall staff supervision.
Personnel -The reliability of personnel responsible for the application and maintenance of internal
controls is an important factor in determining that controls are reliable.
B. Procedural controls
Procedural controls often referred to as application or specific controls, involve three aspects.
Physical-These are designed to safeguard the custody, of assets, such as cash or easily removable
important documentation, and these can be stored in safes with only authorized personnel having
access.
Authorization-The authorization and approval of transactions by responsible and designated officials,
within regulatory limits, is a control ensuring accountability.
Accounting-These include arithmetical and recording functions such as trial balances, reconciliation of
cash and bank accounts, and the matching of orders with goods-received notes.
ii. Specific categories-Internal controls are, however, usually classified as: management,
accounting, and administrative.
Management control-Accounting officers, financial managers, departmental accountants, and line
managers are responsible for ensuring that government’s resources are managed effectively. They must
necessarily develop implement administrative and operational procedures to ensure that these
procedures are adhered to, and internal control is a key management tool in this regard. This is the
reason managers depend on control processes by utilizing:
 Effective plans of the organization with clear lines of reporting and responsibility;
 Adequate administrative structures, including budgetary and cost control, and policy and
procedural manuals;
 An effective and streamlined approval and authorization process, and
 Professional and well trained personnel

8
Management control depending on information generated by the procedures that they have
implemented to assist them in exercising their control responsibilities. That is why it is necessary for
management to have reassurance that these internal control procedures are functioning properly, and
are adequate to provide them with all the relevant information to control their responsibility affairs.
Essentially the process consists of:

 The process of comparing results with the institutional plan:

 Explaining variances (deviations from the initial plan), and
 Taking corrective action.

 activities.

Accounting controls: are internal controls related to the Accounting system of organizations. They
are concurred with achieving the following controls objectives. They are designed to make sure that:.
 Transactions are executed in accordance with the management’s authorization that is in
accordance with the laid down policies and procedures.
 Transactions are promptly recorded in proper manner to ensure timely preparation and
communication of reliable financial information.
 Accountability for assets is maintained and assets are safeguarded from unauthorized access,
use or disposal.
E.g. Preparation of Bank reconciliation by an employee independent of (not authorized) to
issue checks or handle cash is an internal control that increases the probability that cash
transactions are presented fairly in the accounting records and Financial statements.

Administrative controls- some of these controls have little or no bearing on the financial statements
and are thus not direct interest to auditors. Administrative controls emphasize the effectiveness and
efficiency of management decision making process. Administrative controls emphasize controls for
management decision concerning on authority and responsibility for authorization of information.

Administrative controls include the plan of the organization structure, procedures & records related to
the decision process. The plan of organization refers to the organization atonal structure and methods
of assigning authorities & responsibilities. A proper plan of organization is important for effective
operation of the entire internal control system.
Accounting controls have a direct compact on the reliability of financial information while
administrative controls have only an indirect effect on the financial information. The first concern in

9
financial statement audit is with reviewing accounting controls but not forgetting administrative
controls which have an indirect impact on the reliability of Financial Statements.

LIMITATION OF INTERNAL CONTROL

Even if internal control can do much to protect against both errors & irregularities and assure the
reliability of accounting data, it has inherent limitation. What so ever its structure is. Besides, the
following situations increase the limitation of any internal control system.
Collusion-Collusion can be defined as an agreement between two parties to Defeat an internal control
system to carry out an improper act.

E.g.: you may assign a store keeper and a guard to prevent assets from being taken for personal use,
but what if these two persons collude.
Management outride or manipulation and collusion-Management may override procedures
designed to assure execution and recoding of transactions in accordance with management
authorization
E.g.: The manager may authorize improper payment to him and threatens employees under him to
hide the theft.

Costs versus benefit - organization is faced with challenge to find the Right cost- versus- benefit
balance for internal control. Excessive controls can be too costly and counter productive, as result
100% controls might not be adapted.
Temporary failure- There is two basic reasons under this limitation:
1. Human error: due to carelessness, distraction, fatigue, misunderstanding-ins instructions etc.
2. Change: a new employer may hired he/she makes mistake until they understand the system
Mistake in judgment: This includes mistakes such as mistake in recording transaction in wrong
accounting period, erroneous classification of transactions, in capitalizing- expenditure Etc...

10