Lesson 7 - Accounting System and Related Internal Controls

The document discusses accounting systems and related internal controls. It defines key terms like accounting system, internal control system, control risk, and tests of control. It also describes the main types of internal controls like organization, segregation of duties, physical controls, authorization and approval, and arithmetical and accounting controls. The objectives of internal controls are to minimize errors and fraud, safeguard assets, ensure efficiency, and help the company achieve its goals. However, internal controls have limitations like disproportionate costs, inability to address one-off transactions or human errors.

Uploaded by

kipngetich392

ACCOUNTING SYSTEM AND RELATED INTERNAL CONTROLS

4.1 Introduction.
The Glossary of terms ISA 110 states that an accounting system means a series of tasks and
records of an entity by which transactions are processed as a means of maintaining financial
records.
Such systems identify, assemble, analyse, calculate, classify, record, summarise and report
transactions and other events. The auditor’s interest in the accounting system comes from two
sources:
1) Section 162 of the Companies Act as expounded by the 7th schedule to the Act.
This section requires the auditor in preparing the report to carry out such an investigation as
will enable them to:
a) Form an opinion as to whether books of accounts have been kept by the company and
proper returns have been received from branches not visited by them.
b) State whether the company’s balance sheet and profit and loss account are in
agreement with the books of accounts and returns. According to the Act, if the auditor
forms a contrary opinion they should state that in their report.
2) The International Standard on Auditing (ISA) 400 requires the auditor:
a. To obtain an understanding of the accounting and internal control systems sufficient to
plan the audit and develop an effective audit approach.
b. In planning the audit, to obtain and document an understanding of the accounting systems
and control environment sufficient to determine their audit approach.
c. If after obtaining an understanding of the accounting systems and control environment, they
expect to be able to rely on their assessment of control risks to reduce the extent of their
substantive procedures, they should make a preliminary assessment of control risk for
material financial statement assertions and should plan and perform tests of control to
support that assessment.
4.2 Definitions
Control risk – the risk that a misstatement that could occur in an account balance or class of
transactions, and that could be material either individually or when aggregated with
misstatements in other balances or classes, would not be prevented or detected and corrected on a
timely basis by the accounting and internal control systems.
Tests of control – tests to obtain audit evidence about the effective operation of the
accounting and internal control systems, i.e. that the properly designed controls identified in the
preliminary assessment of control risk exist in fact and have operated effectively throughout the
year or relevant period. Such tests are also called COMPLIANCE TESTS.
Internal control system – the whole system of controls, financial and otherwise, established by the
management in order to carry on the business of the enterprise in an orderly and efficient manner,
to ensure adherence to management policies, safeguard the assets and secure as far as possible
the completeness and accuracy of the records. The individual components of an internal control
system are known as “controls” or “internal controls”.
4.3 Types of internal controls
Internal control can be categorized as:
Organization – An enterprise should have a plan of organization, which should define and
allocate responsibilities. Every function should be in the charge of a specified person, i.e. a
responsible official. The organizational plan should also identify who reports to whom. It is
important under this type of control for each employee to know precisely the powers delegated to him,
the extent of his authority and to whom he should report.
Segregation of duties – This calls for the involvement of several people in the recording and processing
of a transaction, i.e. no one person should be responsible for the recording and processing of a
complete transaction. This reduces the risk of intentional manipulation or accidental error and
increases the element of checking of work. For example, the sales representative initiates a sale;
authorization is by the credit control and sales manager; execution is by the finished goods
warehouse staff, who physically send the goods, etc.
Physical – This concerns physical custody of the assets and involves procedures designed to limit
access to authorized personnel only. Access can be direct, e.g. being able to enter the
warehouse, or indirect, that is by documentation, e.g. personnel who know the right procedure may
be able to extract goods by doing the correct paperwork. These controls are especially
important in the case of valuable, portable, exchangeable or desirable assets, e.g. locking of
securities (share certificates) in a safe with procedures for the custody and use of keys, use of
passes to restrict access to warehouses, etc.
Authorization and approval – This is a special case of organization control. All transactions
should require authorization or approval by an appropriate person. The limits to this
authorization should be specified. For example, all credit sales must be approved by the credit
control department.
Arithmetical and accounting – These are controls in the recording function which check that
the transactions have been authorized, that they are all included and that they are correctly
recorded and accurately processed. Procedures include checking the arithmetical accuracy of
records, the maintenance and checking of totals, reconciliations, control accounts, trial
balances, accounting for documents (also known as sequence or continuity checks) and previews –
that is, before an important action involving the company’s property is taken, the person concerned
should review the documentation available to see that all that should have been done has been
done. For example, a clerk in the buying department examines purchase requisitions to ensure that
they are correct, complete and authorized before making out an order.
Personnel – Procedures should be designed to ensure that the personnel operating a system are
competent and motivated to carry out the tasks assigned to them, as proper functioning of the
system depends upon the competence and integrity of the operating personnel. Measures include
appropriate remuneration, promotion and career development prospects, etc.
Supervision – All actions by all levels of staff should be supervised. The responsibility for
supervision should be clearly laid down and communicated to the person being supervised.
Management – These are controls exercised by management, which are outside and over and
above the day to day routine of the system. They include overall supervisory controls, review of
management accounts, comparison with budgets, internal audit and any other special review
procedure.
4.4 Advantages/objectives of having internal controls in a business
a) It will minimize chances of errors and frauds in the business, for example, through
segregation of duties.
b) Serves as a safeguard to the company’s assets, for example, through physical controls.
c) Boosts efficiency in a business and ensures an orderly run business, for example through
supervision and competent personnel.
d) It enables the company to achieve its goals, as policies will be followed through budgeting
controls, managerial reviews, etc.
e) Boosts control of work and avoids duplication of effort through organization charts, defined
powers, etc.
f) Facilitates efficiency in statutory audits, as it will act as a basis on which the auditor will
perform his work; this will reduce his tests and the amount of time spent in the company,
and thus the audit fee.
g) Boosts the morale of the client’s staff through compulsory leave, defined powers, etc.
h) Encourages specialization through segregation of duties and this boosts efficiency and thus
output.
i) A strong internal control system will usually lead to unqualified reports which are essential
for the company’s survival because different parties with financial stake in the business will
be positively influenced by this report and will contribute to the company’s financial and
material needs.
4.5 Limitation of internal control
Internal controls are essential features of any organization that is run efficiently. However,
it is important for the auditor to realize that internal controls have inherent limitations,
which include:
1. A requirement that the cost of an internal control is not disproportionate to the potential
loss which may result from its absence, i.e. the cost of an internal control should not outweigh the benefit.
2. Internal controls tend to be directed at routine transactions. The one-off or unusual
transaction tends not to be the subject of internal control.
3. Potential human error caused by stress of workload, alcohol, carelessness, distraction,
mistakes of judgement, etc. cannot be addressed by the internal control system (ICS).
4. The possibility of circumvention of controls either alone or through collusion with parties
outside or inside the entity.
• Abuse of responsibility.
• Management overriding the controls.
• Changes in the environment making controls inadequate.
• Human cleverness – however secure the computer code designed to prevent access,
there is always some hacker who gets in.
N.B. ISA 400 requires that auditors always perform some substantive tests of material
items as well as relying on internal controls. The inherent limitations of internal controls are the
reason.
4.6 Internal control in specific areas of a business
Internal control generally
Objectives – To carry on the business in an orderly and efficient manner to ensure adherence to
management policies, safeguard its assets and secure the accuracy and reliability of the records.
Measures
1. An appropriate and integrated system of accounts and records.
2. Internal control over those accounts and records.
3. Financial supervision and control by the management, including budgetary control,
management accounting reports and interim accounts.
4. Safeguarding and if necessary duplicating records.
5. Engaging, training, allocating to specific duties staff that are capable of fulfilling their
responsibilities. Rotation of duties and cover for absence.
a) Cash and cheques received by post
Objectives
i. To ensure that all cash and cheques received by post are accurately accounted for.
ii. To ensure such receipts are promptly deposited intact in the bank.
Measures
1. Measures to prevent interception of mail between receipt and opening.
2. Appointment of an official to be responsible for the opening of the post.
3. Two persons to be present at the opening of the mail.
4. All cheques and other negotiable instruments to be immediately given a restrictive
crossing, e.g. account payee only, not negotiable.
5. Immediate entry of the details of the receipts (date, payer, amount, etc.) in a post-list of
money received. Both parties should sign this list.
b) Cash sales collection
Objectives
i. To ensure that all cash, to which the enterprise is entitled, is received.
ii. To ensure that all such cash is promptly and instantly deposited.
iii. To ensure that all such cash is properly accounted for and entered in the records.
Measures
1. Prescribing and limiting the number of persons who are authorized to receive cash e.g. sales
assistants, cashiers, etc.
2. Establishing a means of evidencing cash receipts e.g. cash registers with sealed till rolls.
3. Appointing officers with responsibility for emptying cash registers at prescribed intervals and
agreeing the amount present with till roll totals or internal registers.
4. Immediate and intact banking.
5. Investigations of shorts and overs.
6. Persons handling cash should not have access to other cash funds or to the sales ledger
records.
7. Rotation of duties and cover for holidays, etc.
c) Payments to the bank
Objectives
• To ensure that all cash and cheques received are banked intact.
• To ensure that all cash and cheques received are banked without delay at prescribed
intervals, preferably daily.
• To ensure that all cash and cheques received are accounted for and recorded accurately.
Measures
1. Cash and cheques should be banked intact.
2. Cash and cheques should be banked without delay, preferably daily.
3. The bank paying-in slip should be prepared by an official without access to cash collection
points, bought or sales ledgers.
4. Banking should be made with security in mind, e.g. for large cash sums, security guards
should be used.
5. There should be independent comparison of paying-in slips with collection records, post
lists and sales ledger records.
d) Cash balances
Objectives
• To prevent misappropriation of cash balances.
• To prevent unauthorized cash payments.
Measures
1. Establishment of cash floats of specified amounts and locations.
2. Appointment of officials responsible for each cash balance.
3. Arrangement of security measures including use of safes and restriction of access.
4. Use of imprest systems with rules on reimbursement only against authorized vouchers.
5. Strict rules on the authorization of cash payments.
6. Independent cash counts on a regular and a surprise basis.
7. Insurance arrangements e.g. for cash balances and fidelity guarantee.
e) Bank balances
Objectives
• To prevent misappropriation of bank balances.
• To prevent teeming and lading, i.e. misappropriation of cash received from debtors in
such a way that the cashier receiving cash from debtor A misappropriates it and, when
debtor B pays, the account of A is credited with B’s money – this can go on until the
cashier repays the money or writes off one debtor.
Measures
1. Reconciliations should be prepared at a prescribed frequency.
2. They should be performed by independent personnel.
3. Arrangements should be made for bank statements to be sent direct to the person
responsible for the reconciliation.
4. The balances at the bank should be independently verified with the bank at intervals.
5. Special arrangements should be instituted on the controls and recording of trust monies e.g.
employee’s sick pay or holiday funds, attachment of earnings.
f) Cheque payments and bank balances.
Objective
• To prevent unauthorized payments being made from the bank account.
Measures
1. Control over custody and issue of unused cheque books. A register should be kept if
necessary.
2. Appointment of an official to be responsible for the preparation of cheques or traders’
credits.
3. Rules should be established for the presentation of supporting documents before cheques
can be made out, for example invoices, orders, etc.
4. All documents should be stamped “paid by cheque no…” with date.
5. Establishment of who can sign cheques. All cheques should be signed by at least two persons,
with no person being permitted to sign if he is a payee.
6. No cheques should be made out to the bearer except for the collection of wages or
reimbursement of cash funds.
7. All cheques should be restrictively crossed.
8. The signing of blank cheques should be prohibited.
9. Rules to ensure prompt dispatch to prevent misappropriation.
10. Measures to ensure cash discounts are obtained.
11. Separation of duties: custody, recording and initiation of cheque payments.
12. Special rules for authorizing and checking debits and standing orders.
g) Fixed assets
Objectives
• To ensure that fixed assets are acquired with proper authority.
• To ensure that fixed assets are properly maintained and used only in the business.
• To ensure that fixed assets are accounted for and recorded.
• To ensure that disposals are properly authorized and that proceeds are accounted for and
recorded.
Measures
1. Capital expenditure should be subjected to authorization procedures, which in all cases should
be evidenced. It may be desirable for proposed capital expenditure e.g. new productions
methods or new products developments to be reviewed by a special committee and for board
authority to be required.
2. All capital expenditure should be monitored by a senior official (e.g. chief accountant) with
approvals and any excess expenditure investigated and explanations sought.
3. Allocation of expenditure between capital and revenue should be approved.
4. Adequate recording of fixed assets should be made with detailed breakdowns as necessary. In
many cases (e.g. plant, vehicles or buildings) a detailed fixed assets register should be maintained.
6. Where registers are maintained, senior independent officials should make frequent and regular
comparisons of the records with the actual assets; where necessary (e.g. land and buildings) this
should include a check of the documents of title. Condition and usage should also be checked.
7. Disposals, whether by scrapping, sale or trade-in, should be subject to authorization
procedures. A senior official, e.g. the financial controller or chief accountant, should monitor
receipt of and assess the reasonableness of proceeds.
8. Arrangements to see that fixed assets are properly maintained by regular inspection and
reporting of location, operation and condition. This can be combined with the physical
verification of the asset registers.
9. Depreciation policy should be laid down by the board (subject to a minute). The policy should
accord with the requirements of the International Accounting Standards or statements of
standards of accounting practices. Officials should be appointed to calculate and check the
actual calculations.
h) Wages and salaries
Objectives
• To ensure that wages and salaries are paid to actual employees at authorized rates of pay.
• To ensure that all the wages and salaries are computed in accordance with records of
work performed whether in respect of time, output, sales made or other criteria.
• To ensure that payrolls are correctly calculated.
• To ensure that payments are made only to correct employees.
• To ensure that payroll deductions are correctly accounted for and paid over to the
appropriate third parties.
• To ensure that all transactions are correctly recorded in the books of account.
Measures
1. There should be separate records kept for each employee. The records should contain such
matters as date of engagement, age, next of kin, agreed deductions, skills, department, and
a specimen signature. Ideally, a separate personnel department should maintain these
records.
2. Procedures for, and specified officials responsible for, engagements, retirements,
dismissals, fixing and changing rates of pay. Procedures should be laid down for
notification of these matters to the personnel and payroll preparation departments.
3. Time records should be kept, preferably by means of supervised clock card recording.
These should be approved and approval acknowledged. All overtime should be authorized.
4. Output or piecework records should be properly controlled and authorized. Procedures
should exist for reconciling output or piecework records with production records.
5. The payroll should be prepared by personnel unconnected with other wage duties. Special
procedures should exist for dealing with advances, holiday pay, lay off pay, luncheon
vouchers, new employees, employees leaving, sickness and other absences and bonuses.
6. Separate personnel should check the payroll. All work on the preparation and checking of
the payroll should be initialled. All such work should be supervised and the payroll
scrutinized and approved by a senior official.
7. The net amount due to be paid out in cash should be drawn after a coin analysis. Tight
security should be imposed on cash, both on collection from the bank and at all times up to
the receipt of pay envelopes by the work force. Ideally, collection of cash from the bank
should be by a security organization.
8. Wage envelopes should be made up by personnel independent of payroll preparation.
9. Specified times should be laid down for distribution of wage packets. The recipients should
either acknowledge these or distribution should be made in the presence of (but not by)
foremen or others capable of identifying employees.
10. Surprise attendance at payouts should be made at intervals by internal auditor or by a senior
official.
11. Unclaimed wages should be subject to special procedures. These should include a record to
be maintained of unclaimed wages, safe custody of such pay packets, a requirement for
investigation, subsequent payout only after proof of entitlement, breaking down and
rebanking after a specified period of time.
12. Payments by cheque and credit transfer should be subject to special procedures. These
could include maintenance of a separate bank account with regular reconciliation.
13. Deductions such as PAYE, national insurance, pension contributions, save as you earn, and
union dues should be subject to prompt payment over to the institutions concerned. Control
totals subject to frequent review should be kept. Independent comparisons of such totals
with records such as tax deduction cards should be performed regularly.
14. Regular independent comparisons should be made between personnel records and wages
records.
15. Regular independent comparisons of payrolls at different rates.
16. Regular independent comparisons of wages paid with budgets and investigation of
variances.
17. Surprise investigations of wage records and procedures by internal audit or senior officials.
18. An independent official should be appointed to be responsible for settling queries.
19. Wage records should conform to the requirements of statutory sick pay.
Note that most firms can now credit employees’ bank accounts through the banking system.
i) Purchase and trade creditors
Objectives
• To ensure that goods and services are only ordered in the quantity, of the quality, and at
the best terms available after appropriate requisition and approval.
• To ensure that goods and services received are inspected and only acceptable items are
accepted.
• To ensure that all invoices are checked against authorized orders and receipt of the
subject matter in good condition.
• To ensure that goods and services invoiced are properly recorded in the books.
Measures
1. There should be procedures for the requisitioning of goods and services only by specified
personnel on specified forms with space for acknowledgement of performance.
2. Order forms should be pre-numbered and kept in safe custody. Issue of blank order
form books should be controlled and recorded.
3. Order procedures should include requirements for obtaining tenders, estimates or
competitive bids.
4. A senior official should perform sequence checks of order forms regularly and missing
items should be investigated.
5. All goods received should be recorded on goods received notes (preferably pre-numbered)
or in a special book.
6. All goods should be inspected for condition and agreement with order and counted on
receipt. The inspection should be acknowledged. Procedures for dealing with rejected
goods or services should include the creation of debit notes (pre-numbered) with
subsequent sequence checks and follow up of receipt of suppliers’ credit notes.
7. At intervals, a listing of unfulfilled orders should be made and investigated.
8. Invoices should be checked for arithmetical accuracy, pricing, correct treatment of VAT
and trade discount, and agreement with order and goods-in records. The performer should
acknowledge these checks, preferably on spaces marked by a rubber stamp on the invoices.
9. Invoices should have consecutive numbers put on them and batches should be pre-listed.
10. Totals of the entries in the invoice register or daybook should be regularly checked with the
pre-lists.
11. Responsibility for purchase ledger entries should be vested in personnel separate from
personnel responsible for ordering, receipt of goods and the invoice register.
12. The purchase ledger should be subject to frequent reconciliation in total by or be checked
by an independent senior official.
13. Ledger accounts balances should be regularly compared with suppliers’ statements of
accounts.
14. All goods and services procurement should be controlled by budgetary techniques. Orders
should be placed that are within budget limits. There should be frequent comparisons of
actual purchases with budgets and investigation into variances.
15. Cut off procedures at the year-end are essential.
16. A proper coding system is required for purchase of goods and services so that the correct
nominal accounts are debited.
j) Sales and debtors
Objectives
• To ensure that all customers’ orders are promptly executed.
• To ensure that sales on credit are made only to bona fide/good credit customers.
• To ensure that all sales on credit are invoiced, that authorized prices are charged and that
before issue all invoices are completed and checked as regards price, trade discounts and
VAT.
• To ensure that all invoices raised are entered in the books.
• To ensure that all customers’ claims are fully investigated before credit notes are issued.
• To ensure that every effort is made to collect all debts.
• To ensure that no unauthorized credits are made to debtors’ accounts.
Measures
1. Incoming orders should be recorded, and if necessary acknowledged, on pre-numbered
forms. Orders should be matched with invoices and lists of outstanding orders prepared at
intervals for management action. A senior official should make sequence checks
regularly.
2. Credit control. There should be procedures laid down for verifying the creditworthiness of
all persons or institutions requesting goods on credit. For existing customers,
creditworthiness data should be kept up to date and checks made that outstanding balances plus a
new sale do not cause the pre-set credit limit to be exceeded. For new customers,
investigative techniques should be applied, including enquiry of trade protection
organizations, credit rating agencies, referees, the company’s file with the Registrar of
Companies, etc. A credit limit should be established. This may be fixed at two levels: a
higher one such that further sales are not made and a lower one such that management are
informed and a judgement made on granting credit.
3. Selling prices should be prescribed. Policies should be laid down on credit terms, trade and
cash discounts, and special prices.
4. Dispatch of goods should only be on properly evidenced authority. Goods out should be
recorded either in a register or using pre-numbered dispatch notes. Unissued blocks of
dispatch notes should be safeguarded and issue recorded. A senior official should make sequence
checks of dispatch notes regularly. Where appropriate, acknowledgment of receipt of goods
should be made by customers on copy dispatch notes.
5. Invoicing should be carried out by a separate department or by sales staff. Invoices should
be pre-numbered and the custody and issue of unused invoice blocks controlled and
recorded. A senior official should regularly make sequence checks, and missing and spoiled
invoices should be investigated.
6. All invoices should be independently checked for agreement with customer order, with
goods dispatched record, for pricing, and discounts, VAT and other details. All actions
should be acknowledged with signatures or initials.
7. Accounting for sales and debtors should be segregated by employing separate staff for
cash, invoice register, sales ledger entries and statement preparation.
8. Sales invoices should be pre-listed before entry into the invoice register or daybook and the
pre-list total independently compared with the total of the register.
9. Customer claims should be recorded and investigated. Similar controls (e.g.
pre-numbering) should be applied to credit notes. At the year-end, uncleared claims should be
carefully investigated and assessed. All credit notes should be subject to acknowledged
approval by a senior person.
10. A control account should be regularly and independently prepared.
11. Personnel separate from the sales ledger personnel should prepare debtors’ statements.
Posting should be subject to safeguards so that no statements are misappropriated before
posting.
12. Procedures must exist for identifying and chasing slow payers. Very overdue balances
should be brought to the attention of senior manager for legal or other action to be taken.
13. All balances must be reviewed regularly by an independent official to identify and
investigate overdue accounts, debtors paying by installments or round sums, and accounts
where payments do not match the invoices.
14. Bad debts should only be written off after due investigation and acknowledged
authorization by senior management.
15. At the year-end, an aged analysis of debtors should be prepared to evaluate the need for a
doubtful debt provision.
16. Also at the year-end, cut off procedures will be required. Particular attention will be paid to
orders dispatched but not invoiced.
Stock and work in progress
Objectives
 To ensure that Stock is adequately protected against loss or misuse.
Measures
1. Separate arrangements for each type of stock e.g. raw materials, components, work in
progress, finished goods, consumable stores
2. Control over the receipt of goods
3. Stock should be stored under conditions which deter deterioration due to physical causes
Page 12 of 24
e.g. heat, cold, microbial action. Special arrangement for stock which is dangerous or
classified secret.
4. Stock should be safeguarded against loss by theft by appropriate physical controls
including restriction of access.
5. Where appropriate, stock records should be maintained. Entries should be made by
personnel independent of staff responsible for purchasing and custody of goods.
6. Documentation should be controlled pre-numbered forms with regular sequence checks.
7. Work in progress and finished goods stocks may be subject to recording by the value
including the charging of material, labour and overhead costs. The use of control accounts
and reconciliation with payroll or records of machine hours can exercise control over the
latter items.
8. Stock records should be continuously compared with actual stocks held by independent
official. All differences should be corrected and causes investigated.
9. Ideally all stock items should be subject to established maximum and minimum stock
levels with re-order levels.
10. Special arrangements should be applied to returnable containers, others’ stock on our
premises, our stock on others’ premises, scrap and waste.
11. Whether or not a continuous inventory is maintained, there should at least be an annual
stock take. Procedures should be prescribed for this with emphasis on identifying
damaged, slow moving, and obsolete stock and on cut off procedures.
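Measures 5 and 6 above (independent entry of stock records, and sequence checks on pre-numbered forms) can be tested mechanically against a document register. The following is an added example, not part of the original lesson; the register rows, staff names and duty assignments are constructed for illustration.

```python
from collections import Counter

# Constructed goods-received-note register (assumption, not from the lesson).
REGISTER = [
    {"number": 1001, "entered_by": "amina"},
    {"number": 1002, "entered_by": "amina"},
    {"number": 1004, "entered_by": "brian"},
    {"number": 1004, "entered_by": "amina"},
    {"number": 1006, "entered_by": "carol"},
]
# Hypothetical duty assignments per member of staff.
DUTIES = {
    "amina": {"stock_records"},
    "brian": {"purchasing"},
    "carol": {"custody", "stock_records"},
}
# Duties that must not be combined with writing up stock records (measure 5).
INCOMPATIBLE = {"purchasing", "custody"}


def sequence_check(register, first, last):
    """Report missing, duplicated and out-of-range form numbers."""
    seen = Counter(row["number"] for row in register)
    return {
        "missing": [n for n in range(first, last + 1) if n not in seen],
        "duplicated": sorted(n for n, count in seen.items() if count > 1),
        "out_of_range": sorted(n for n in seen if n < first or n > last),
    }


def independence_check(register, duties, incompatible=INCOMPATIBLE):
    """Return (form number, staff) pairs where the entry was not independent.

    Staff with no recorded duties are also reported, because their
    independence cannot be demonstrated from the assignment list.
    """
    exceptions = set()
    for row in register:
        roles = duties.get(row["entered_by"])
        if roles is None or roles & incompatible:
            exceptions.add((row["number"], row["entered_by"]))
    return sorted(exceptions)


if __name__ == "__main__":
    print(sequence_check(REGISTER, 1001, 1006))
    print(independence_check(REGISTER, DUTIES))
```

Each missing or duplicated number is an exception to explain, for example by tracing a spoiled form to its cancelled copy.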
4.7 Control environment and control procedures
4.7.1 The control environment
The control environment means the overall attitude, awareness and actions of the directors and
management regarding internal controls and their importance to the entity. The control
environment encompasses the management style, and corporate culture and values shared by all
the employees. Factors reflected in this include:
a) The philosophy and operating style of the directors and management
b) The entity’s organizational structure and methods of assigning authority and
responsibility (including segregation of duties and supervisory controls); and
c) The directors’ methods of imposing control, including the internal audit function, the
functions of the Board of Directors and personnel policies and procedures.
4.7.2 Control procedures
Control procedures are those policies and procedures in addition to the control environment,
which are established to achieve the entity’s specific objectives. They include in particular
procedures designed to prevent or detect and correct errors. Specific control procedures include;
a) Approval and control of documents (e.g. custody and use of purchase orders)
b) Controls over the computer applications and the information technology environment
c) Checking the arithmetical accuracy of the records (e.g. checking the sales invoice
calculations)
d) Maintaining and reviewing control accounts and trial balances
e) Reconciliations
f) Comparing the results of cash, security and stock counts with the accounting records
g) Comparing the internal data with the external sources of information (e.g. bank
statements, customers’ remittance advices, suppliers’ statements of account)
h) Limiting direct physical access to assets and records (e.g. passwords and locks and keys)
Auditors are expected to make an assessment of the control environment in a client. A good
control environment may well mean that internal control is strong, but internal control may
nevertheless be weak at the level of control procedures. It is generally felt that a poor control
environment will mean unreliable control procedures, but this is not necessarily so.
4.8 Accounting system
The relevant International Standard on Auditing is ISA 400 (accounting & internal control
systems and audit risk assessments).
4.8.1 The auditor’s interest in the client’s accounting system.
ISA 400 requires that the auditors should obtain an understanding of the accounting and
internal control systems sufficient to plan the audit and develop an effective audit approach.
Further the standard requires that auditors should in planning the audit, obtain and document
an understanding of the accounting system and control environment sufficient to determine
their audit approach.
Further, the Companies Act requires the auditors, in preparing their report, to carry out such
investigations as will enable them to form an opinion as to: -
a) Whether proper accounting records have been kept by the company and proper returns
adequate for their audit have been received from the branches not visited by them,
b) Whether the company’s balance sheet and (if not consolidated) its profit and loss account
are in agreement with the accounting records and returns.
If auditors form a contrary opinion, they must state the fact in their report.
4.8.2 The management’s interest in the accounting system
The management of an enterprise needs complete and accurate accounting and other records
because:
1. The business cannot otherwise be controlled
2. Day to day records of the debtors and creditors are indispensable.
3. Assets can only be safeguarded if a proper record of them is made.
4. Financial statements which are required for numerous purposes can only be prepared if
adequate primary records exist.
5. Statutes e.g. Companies Act often have specific requirements on record keeping for
specific types of business.
6. Record keeping for PAYE, NHIF, VAT and statutory sick pay and statutory maternity pay
is a statutory requirement.
NOTE: What constitutes an adequate system of accounting depends on the circumstances.
The basic need of a system is that it provides for the orderly assembly of information to
enable the financial statements to be prepared and all the other requirements (above) should
be borne in mind.
4.8.3 The need for controls over the system.
A system of accounting and record keeping will not succeed in completely and accurately
processing all transactions unless controls i.e. internal controls are built into the system. The
purposes of such internal controls are: -
a) To ensure transactions are executed in accordance with proper general or specific
authorization.
b) To ensure all transactions are promptly recorded at the correct amount, in the appropriate
accounts and in the proper accounting period so as to permit preparation of the financial
statements in accordance with the relevant legislation and accounting standards.
c) To ensure access to assets is permitted only in accordance with proper authorization.
d) To ensure recorded assets are compared with the existing assets at reasonable intervals
and appropriate action taken with regard to the differences.
e) To ensure errors and irregularities are avoided or made apparent.
4.8.4 Auditor’s procedures with regard to accounting system and related internal controls.
The auditor’s procedures will depend on the circumstances but may include: -
1. Obtaining an understanding of the enterprise as a whole in order to see the accounting
system in the context and being able to assess the system’s effectiveness and
appropriateness
2. Ascertaining the complete system by inquiry, use of an internal control questionnaire or
requesting the client to supply full details
3. Recording the system in the form of flowcharts, narrative notes, and checklists or in the
answers to the internal control questionnaires.
4. If the auditor wants to rely on internal controls, he/she should record the system of
controls in special detail
5. If the system specification was supplied by the client, then perform walk through checks
to confirm the correctness of the description
6. Perform a preliminary evaluation of the system
7. If the system of controls seems adequate and the auditor is able to and wishes to rely upon
the controls, then design and perform compliance tests
8. If the auditor does not feel able to rely on the controls then perform substantive tests on
the records. In any case, some substantive tests must be planned and performed on all
material items
9. Evaluate his evidence and form an opinion on whether proper books of account have been
kept and whether the records form a reliable basis for the preparation of financial
statements.
NOTE: ISA 400 requires that the auditor should obtain and document an understanding of the
accounting system and control environment sufficient to determine the approach. Further, the
standard suggests that what is required is an understanding of the system sufficient to enable
them to identify and understand:
1. Major classes of transactions in the entity’s operations
2. How such transactions are initiated
3. Significant accounting records, supporting documents and accounts in the financial
statements
4. The accounting and financial process, from initiation of significant transactions and
other events to their conclusion in the financial statements.
4.9 Ascertaining and recording the system of internal controls
The auditor’s operational standard states that, “The auditor should ascertain the entity’s
system of recording and processing transactions and assess its adequacy as a basis for the
preparation of the financial statements.”
4.9.1 Methods for recording the system
Flowcharts: The auditor will, in establishing the nature of the system in operation, include the
flowchart of the system, supplemented by detailed system notes, in the permanent audit file. The
auditor's flowcharts can be adopted from those of the client, or produced from scratch.
The advantages of flow charting are: -
a) The system or any part of it may be presented as a totality without any loss of detail.
b) The relationship between procedures in different areas can be deeply simplified.
c) Control features may be highlighted by use of designated symbols
d) References to other related audit documents may be easily incorporated
e) Diagrammatic representation facilitates subsequent references to particular features in
the system more readily than pure narrative.
f) New members of the audit team are enabled to participate in the audit work after a
shorter induction period as a result of advantages already mentioned, thus effecting a
considerable saving of time.
Other methods of recording the systems are: -
• The use of system notes
• The use of descriptive questionnaires
4.9.2 Methods of Ascertainment
Of all systems assessment techniques, the internal control questionnaire (ICQ) has been
operational for the longest period of time, which is due to its effectiveness. Its function is to
highlight precisely the areas of strength and weakness in the internal control.
The following points concern the use of ICQs;
a) An ICQ would normally be used only if the size and the complexity of the client’s
organization justify it.
b) A completed ICQ should have an effective life of approximately three years during which
time updating would be necessary.
c) A senior member of the audit staff should complete the ICQ after putting the questions to
the client company officers responsible for each of the sections into which the ICQ is
divided.
d) Observations and selected tests will ensure that the ICQ accurately reflects the strengths
and weaknesses within the procedures that operate from day to day. These audit tests are
known by various titles, such as “procedural tests” or “walk through” tests.
e) The auditor should not place reliance on controls on the basis of this preliminary
evaluation. He should perform further tests (compliance tests) designed to give a
reasonable assurance that the controls are functioning well.
4.10 Evaluating the system of internal controls
The internal control questionnaire (ICQ) forms the basis for evaluating the internal controls. This
evaluation determines the nature and extent of the audit tests to be undertaken.
“Yes” responses on the ICQ signify strengths whereas “No” responses signify weaknesses in the
system of internal control.
Evaluating the system of internal control provides assurance to the auditor whether the system is
satisfactory in theory.
The ICQ provides an important means for this preliminary evaluation.
4.11 Compliance tests
The auditor carries out compliance tests to obtain reasonable assurance that the controls on
which he wishes to place reliance were functioning properly and throughout the period.
Compliance tests are thus also called tests of control. The points to note about these tests are: -
a) It is the application of the system that is being tested not the transaction although the
testing is through the medium of transactions.
b) If discovery is made that the system was not complied with in any particular way, then:
• He may need to revise the system description and re-appraise its effectiveness.
• He will need to determine if the failure of the compliance test was an isolated instance or was
symptomatic.
4.12 Substantive tests
Substantive procedures are tests to obtain audit evidence to detect material misstatements in the
financial statements. They are generally of two types:
• Analytical procedures
• Other substantive procedures such as tests of details of transactions and balances,
review of minutes of directors' meetings and enquiry.
Examples of substantive procedures,
i. Of a balance- direct confirmation of balance in a deposit account obtained from the bank
ii. Analytical review- evidence of correctness of cut off by examining the gross profit ratio.
ROTATIONAL TESTS
These are of two kinds:

1. Visit rotation: this is where the client has numerous branches, factories or locations. It may be impractical
to visit all of them each year. In such cases the auditor visits them in rotation such that each will not be
visited each year, but all will be visited over a period of time.

2. Emphasis: there are times the auditor rotates audit emphasis. The auditor performs a systems audit on all
areas of the client's business every year but he would select one area for special in-depth testing. There is
an opinion that every audit every year must cover all areas adequately; however, as auditors usually serve for
several years, rotational testing makes sense in terms of effectiveness and efficiency. It is vital that rotational
tests are carried out at random so that client staff do not know which areas or locations will be selected in
any one year.

TECHNIQUES OF AUDIT TESTING


Under our review of audit evidence we examined techniques of obtaining audit evidence and these are the techniques
for audit testing.

Timing of audit testing


1. Walk through tests: their purpose is to confirm the correct recording of an accounting system and the
auditor's understanding of that system and the related controls. These are therefore best performed:

a) After recording the system.


b) The following year if you are the auditor, because it is inefficient to ascertain and record the system
every year. All the auditor needs to do is to ask the client whether there have been any changes in
the system and, if there have been no changes, then a walk through test confirms that the record is
still appropriate.
c) After an interim audit visit when the auditor comes in for the final audit he can carry out
walk through tests to confirm that the systems have not changed.
d) When the auditor did not prepare the record of the system then he carries out walkthrough tests to
confirm his understanding of the system.

2. Compliance tests: the sample should be representative of the whole year's transactions. They are usually
carried out at the interim audit visit and updated at the final visit to ensure that the whole period has been
covered.
3. Substantive tests: these tests are applied to:
a) Transaction records where internal controls are weak or non-existent or where the system cannot
be relied on.
b) Unusual, extraordinary or one-off transactions and transactions which are not covered by the system.
c) All assets and liabilities at the balance sheet date.

Therefore we can see that substantive tests are usually carried out at any time during the audit but mostly
concentrated at the final visit.

To summarise audit testing


The stages in audit testing are:

1. Internal control evaluations, which will be followed by:


2. Compliance testing which gives satisfaction to some extent on the reliability of the records and the
controls. This will be followed by:-

3. An overall analytical review designed to expose apparent inconsistencies and abnormalities in the financial
statements and the underlying records. These three help us determine the extent of substantive testing.
Substantive testing consists of tests that are designed to substantiate the completeness, accuracy and
validity of information contained in the accounting records and financial statements. They consist of:

a) detailed analytical review which is designed to help locate material mis-statements in the accounts
by comparing transactions and balances with related items both for the same period and for
previous periods.
b) tests of detail, which consist of transaction testing and balance testing and are designed to
substantiate individual items in the accounts and so gain assurance either about the validity
of similar transactions or about the details that underlie the various account balances.
Transaction testing is achieved by vouching (proving the authenticity of a recorded
transaction), the checking of casts and cross casts, and the checking of postings and
reconciliations. Balance testing is achieved by direct confirmation and physical inspection.
All these give the necessary confidence for the auditor to express an opinion on the accounts.

The Relationship between External Auditing and Internal Auditing.


Introduction
Very large organisations (and some small ones) have found a need for an internal audit in addition to an external
audit. Internal auditors are employees of the organisation and work exclusively for the organisation. Their
functions partly overlap those of the external auditors but in part are quite different.

The precise functions of external auditors are either laid down by statute or embodied in a letter of engagement.
The functions (which are rarely precisely laid down) of internal auditors are determined by management and vary
greatly from organisation to organisation.

Internal audit can be defined as:

"an independent appraisal function within an organisation for the review of systems of control and the quality
of performance, as a service to the organisation. It objectively examines, evaluates and reports on the adequacy
of internal control as a contribution to the proper, economic, efficient and effective use of resources."

Internal auditing is thus:

a. Carried on by independent personnel. Internal auditors are employees of the firm and thus independence is
not always easy to achieve. However it can be assisted by:

• having the scope to arrange its own priorities and activities


• having unrestricted access to records, assets and personnel
• freedom to report to higher management and where it exists to an audit committee
• Having internal audit personnel with an objective frame of mind
• IA personnel who have no conflicts of interest or any restrictions placed upon their work by
management.
• IA personnel having no responsibility for line work or for new systems. A person cannot be
objective about something he/she has taken responsibility for. On the other hand the IA should
be consulted on new or revised systems
• IA personnel who have no non-audit work.

ISA 610 deals with Reliance by External Auditors on the work of the Internal Auditor.

Since internal auditors are employees it is difficult to ensure that they are truly independent in mind and attitude.

b. An appraisal function. The internal auditor's job is to appraise the activity of others, not to perform a
specific part of data processing. For example, a person who spent his time checking employee expense
claims is not performing an internal audit function. But an employee who spent time reviewing the system
for checking employee expense claims may well be performing an internal audit function.

c. As a service to the organisation.

The management requires that:

i. Its policies are fulfilled.


ii. The information it requires to manage effectively is reliable and complete.
iii. The organisation's assets are safeguarded.
iv. The internal control system is well designed.
v. The internal control system works in practice.

The internal auditor's activity will be directed to ensure that these requirements are met. The internal
auditor can be seen as the eye of the board within the enterprise.

d. Other duties may include:


i. Being concerned. An example of this is in energy saving.
ii. Being concerned with the response of the internal control system to errors and required changes to
prevent errors.
iii. Acting as a training officer in internal control matters.
iv. Auditing the information given to management particularly interim accounts and management
accounting reports.
v. Taking a share of the external auditor's responsibility in relation to the figures in the annual
accounts.

2. ESSENTIAL ELEMENTS OF INTERNAL AUDIT


The essential elements of internal audit are:

a. Independence—see above
b. Staffing—the internal audit unit should be adequately staffed in terms of numbers, grades and experience.
c. Training—all internal auditors should be fully trained.
d. Relationships—internal auditors should foster constructive working relationships and mutual
understanding with management, with external auditors with any review agencies (e.g. management
consultants) and where appropriate with an audit committee. Mutual understanding is the goal.
e. Due care—an internal auditor should behave much as an external auditor in terms of skill, care and
judgement. He should be up to date technically and have personal standards of knowledge, honesty,
probity and integrity much as an external auditor. It is desirable that an internal auditor is qualified, because
of ethical considerations as much as technical standards implied by membership of a professional body.
f. Planning, controlling and recording—fundamentally the internal auditors should behave much as external
auditors in this respect. The plan should identify audit areas which may be:

i. Activity (e.g. payroll, income, stores, purchasing etc.)


ii. Nature of the audit (e.g. protective, systems audit, value for money)
iii. Level of audit required (e.g. degree of risk, frequency and extent of audit).

Internal auditors plan their work strategically (two to five years for all areas to be covered), periodically
(typically one year when the strategic plan is translated into a schedule of work) and operationally (each
piece of work, in detail).

Controlling includes supervision and review of internal audit work.

Working papers should be of a similar detail and standard as those of external auditors.

g. Systems control—the internal auditor must verify the operations of the system in much the same way as
an external auditor i.e. by investigation, recording, identification of controls and compliance testing of the
controls. However, the internal auditor is also concerned with:

• The organisation's business being conducted in an orderly and efficient manner


• Adherence to management policies and directives
• Promoting the most economic, efficient and effective use of resources and achieving the management's
policies.
• Ensuring compliance with statutory requirements
• Securing as far as possible the completeness and accuracy of the records
• Safeguarding the assets

h. Evidence—the internal auditor has similar standards for evidence as an external auditor, he will evaluate
audit evidence in terms of sufficiency, relevance and reliability.

i. Reporting—the internal auditor must produce timely, accurate and comprehensive reports to management
on a regular basis. These should report on the matters outlined in g. above and on the accuracy of
information given to management, and give recommendations for change.

3. EXTERNAL AND INTERNAL AUDITORS COMPARED AND CONTRASTED


Common interests
a. An effective system of internal control
b. Continuous effective operation of such system
c. Adequate management information flow
d. Asset safeguarding
e. Adequate accounting system (for example to comply with the Companies Act Cap 486)

Differences
a. Scope—the extent of the work undertaken. Internal audit work is determined by management but the
external auditor's work is laid down by statute.

b. Approach. The internal auditor may have a number of aims in his work including an appraisal of the
efficiency of the internal control system and the management information system. The external auditor is
interested primarily in the truth and fairness of the accounts.

c. Responsibility. The internal auditor is answerable only to management. The external auditor is
responsible to shareholders and arguably to an even wider public. Both are of course answerable to their
conscience and the ethical concepts of their professional bodies.

Areas of work overlap. This can apply in the following areas:

a. Examination of the system of internal control.


b. Examination of the accounting records and supporting documents.
c. Verification of assets and liabilities.
d. Observation, enquiry and the making of statistical and accounting ratio measurements.

Reasons for Co-Operation between External and Internal Auditors
Internal audit is an element of the Internal Control system established by management. Thus as external auditors are
accustomed to place reliance on internal controls they will consider if reliance can be placed on this element.

Some of the objectives of internal audit are the same as those of the external auditor. For example, the internal auditor
will perform work on the documentation and evaluation of accounting systems and internal controls and will carry out
compliance and substantive tests. It makes economic sense to reduce the work of the external auditor by relying on
work done by the internal auditor.

Basis of Co-Operation
The external auditor may utilize the work of the internal auditor in two ways:
a. By taking into account the work done by the internal auditor;
b. By agreeing with the management that internal audit will render direct assistance to the external auditor.

Nature of Internal Auditing


The scope and objectives of internal audit are set by management and vary widely. The areas of activity may include:

a. Reviewing accounting systems and internal control;


b. Examining financial and operating information for management, including detailed testing of transactions
and balances;
c. Reviewing the economy, efficiency and effectiveness of operations and of the functioning of non financial
controls;
d. Review of the implementation of corporate policies, plans and procedures;
e. Special investigations.

Some of these functions are directly relevant to the objectives of the external auditor—seeking evidence of the truth
and fairness etc., of items in the Accounts. Even special investigations may be relevant. For example, an investigation
into the extent of slow moving stock is relevant to the value of stock or an investigation into the viability of a branch
may be evidence as to the correctness of using going concern values for that branch's assets.

Some of the functions are clearly not relevant to the external auditor's objectives. For example, the cost of a control is
not relevant, only its effectiveness.

Assessment
Before placing any reliance on the work of an internal auditor, the external auditor must assess the internal auditor and
his work in the following areas:

a. Independence. The internal auditor may be an employee of the organisation, but he may be able to
organise his own activities and report his findings to a high level in management. An internal auditor on
whom the external auditor places reliance must be independent and be able to communicate freely with
the external auditor.

b. The scope and objectives of the internal audit function. Areas such as 6a. and b. are likely to be useful to
the external auditor, but c., d. and e. may also be. For example, an investigation into a fraud may supply
evidence to the external auditor that the extent of the fraud is not material.
c. Due professional care. To be useful to an external auditor the internal auditor's work must be done in
a professional manner. That is, it must be properly planned, controlled, recorded and reviewed. The
auditor who arrives in the morning and says to himself "what shall I do today", is not much use.
d. Technical competence. Membership of a professional body with its competence and ethical
implications is desirable. Ongoing training in specialist areas, such as computers, is useful.
e. Reporting standards. A useful internal auditor will provide high standard reports which are acted upon
by management.
f. Resources available. An internal audit department that is starved of resources will not be very useful to
the external auditor.

The assessment should be thorough and fully documented and included in the working papers. If the conclusion is that
the internal audit department is weak or unreliable, then this fact should be communicated in the external auditor's
"report to management".
Extent of Reliance
The extent of reliance depends on many factors including:

a. The materiality of the areas or items to be tested. Petty cash expenditure may probably be left to the
internal auditor.
b. The level of audit risk inherent in the areas or items. The value of work in progress in a Civil Engineering
company or the provision for doubtful debts in a Hire Purchase company, are high risk areas which the
external auditor must see to himself.
c. The level of judgement required. The level of delay repairs in a truck leasing company requires careful
judgement.
d. The sufficiency of complementary audit evidence. The internal audit may be relied upon to audit debtors
accounting procedures if the external auditor has evidence in the form of a debtor's circularisation.
e. Specialist skills possessed by internal audit staff. In a Bank, the internal audit department will have
specialist knowledge and skills in the appraisal of the Bank's computer system.

Detailed Planning
Having decided that he may be able to place reliance on the work of the internal auditor, the external auditor should:

a. Agree with the chief of internal audit the timing, test levels, sample selection procedures and the form of
documentation to be used;
b. Record the fact of his intended reliance, its extent and the reason for the fact and extent, in his working
papers;
c. Confirm with top management that he is doing so.

Controlling
In order to be able ultimately to place reliance on the work of the internal auditor, the external auditor should:

a. Consider whether the work has been properly staffed, planned, supervised, reviewed and recorded;

b. Compare the results with other evidence (e.g. Debtors circularisation);


c. Satisfy himself that any unusual or "put upon enquiry" items have been fully resolved;
d. Examine the reports made and the management's response to the reports;
e. Ensure the work is to be done in time.

At the conclusion, the arrangements should be reviewed to make things even better next year.

Recording
The external auditor will have a high standard of recording in working papers. The internal auditor's work must be
equally good if it is to be relied upon.

Evidence
The detailed material in this chapter is important for students, but you should not lose sight of the fact that an audit is
about audit evidence. The work of the internal auditor is evidential material. Whether it is good evidence supplying a
reasonable basis for conclusions to be reached, is a matter of judgement. It may be desirable for the external auditor to
test the work of the internal auditor by supplementary procedures or by re-testing transactions or balances tested by the
internal auditor.

Report to Management
Whether or not any work of the internal auditor is relied upon, the internal auditor may uncover and report on
weaknesses in internal controls. If the internal auditor reports to management and management responds, then the
matter may rest there. If, however, weaknesses are material and the response by the management inadequate, then it
may be desirable to include the weaknesses in the external auditor's own report to management.

4.0 The impact of developments in information technology
Internal Control Considerations
For an accountant, we can look at problems of computerisation from two angles: their impact on the system of
internal control and their implications for the auditor.

The impact of computers in the system of internal control


There are special characteristics of an EDP system that the accountant must be aware of. Their basic differences
from a manual system are:

(a) EDP systems take much longer and are more difficult to install. Inefficient installation can therefore
result in major problems, including accounting chaos that can leave the accountant unable to
determine the truth and fairness of the accounts and at times can lead to the failure of the company.
(b) EDP systems are much more complicated and can therefore create problems of understanding for
the accountant, whether he is the auditor or just the company's accountant.
(c) The natural division of data processing between the various parts of an organization and its
accounting department is usually lost, together with the understanding of and interest in data
processing which managers have. This is because a large part of the data processing operations
becomes centralised and power is concentrated in the computer department. This may facilitate
error and fraud and make their discovery difficult.
(d) The steps of processing and the storage of data on magnetic files leave no visible trail unless they
are printed out. Most modern systems rely heavily on direct entry of data via keyboards and the storage
of data on discs. There is often no printout of outputs, as information can be accessed as required on
visual display units.
(e) Generally speaking, if correct data is presented to the machine and faultless computer
programmes are used, the output should be error free. This, however, reinforces the mistaken belief
that machines do not make mistakes. But machines cannot be relied upon to recognize nonsense data. A
machine will not think; it will do as it is told. Therefore, if it has been instructed incorrectly, it will always
correctly make the same mistake, whereas a clerk in a manual system would be expected to notice and
query this.
(f) Speed. A computer's potential for producing information, in terms of both volume and speed, is of course
vast, but its potential as a vehicle of manipulation and fraud is equally great. Even leaving
aside the question of fraud, it is generally true that when production of vital data is dependent on a
computer, if things go wrong, they may go wrong on a truly big scale.

All these differences radically alter the way in which accounting data is recorded, the way in which such recording must
be controlled and authenticated, the training needs and attitudes of the staff responsible at both management and
technical levels and the way in which the process and its results must be audited. This may therefore mean the
introduction of additional controls within the organization to deal with the additional problems.

The controls that need to be incorporated into the data processing system are divided into two types:

(a) General controls, which are further divided into administrative controls and systems development
controls
(b) Application controls
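
The point made in (e), that a program pays exactly what is keyed unless it has been told to query it, can be shown with two application controls: programmed edit checks and a batch control total. This is an added example, not part of the original lesson; the payroll figures, the 60-hour limit and all names are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (not from the lesson): master file rates and one keyed batch.
MASTER_RATES = {"E001": Decimal("12.50"), "E002": Decimal("15.00"), "E003": Decimal("11.00")}
BATCH = [("E001", Decimal("40")), ("E002", Decimal("400")), ("E003", Decimal("-5"))]
CONTROL_TOTAL = Decimal("115")    # hours pre-listed from source documents (40 + 40 + 35)
MAX_WEEKLY_HOURS = Decimal("60")  # assumed reasonableness limit


def process_unchecked(batch):
    """No application controls: the program pays exactly what was keyed."""
    return {emp: hours * MASTER_RATES[emp] for emp, hours in batch}


def edit_check(emp, hours):
    """Programmed edit checks; returns a rejection reason, or None if the record passes."""
    if emp not in MASTER_RATES:
        return "employee not on master file"
    if hours <= 0:
        return "hours not positive"
    if hours > MAX_WEEKLY_HOURS:
        return "hours exceed reasonableness limit"
    return None


def process_controlled(batch, control_total):
    """Returns (payments, exception_report, batch_agrees).

    The whole batch is held unpaid when the keyed hours do not agree with the
    control total; failed records go to the exception report either way.
    """
    batch_agrees = sum(hours for _, hours in batch) == control_total
    payments, exceptions = {}, []
    for emp, hours in batch:
        reason = edit_check(emp, hours)
        if reason:
            exceptions.append((emp, hours, reason))
        elif batch_agrees:
            payments[emp] = hours * MASTER_RATES[emp]
    return payments, exceptions, batch_agrees


if __name__ == "__main__":
    print("unchecked :", process_unchecked(BATCH))
    print("controlled:", process_controlled(BATCH, CONTROL_TOTAL))
```

Without the controls the batch produces a payment of 6000 and a negative payment; with them, both records appear on the exception report and nothing is paid until the batch agrees with its control total.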
