AUDIT PRINCIPLES & PRACTICE-I

Handout
Unit 5
Internal Control system
Contents
5.0 Aims and Objective
5.1 Introduction
5.2 Definition
5.3 Objective of Internal control system
5.4 Components of internal control
5.5 Limitations of Internal Control
5.6 Summary
5.0 Aims and Objective
After studying this unit, you should be able to
• define what is meant by internal control
• Describe the purpose and objective of internal control, and management responsibility.
• Describe the components of Internal control system
• Explain the characteristics of effective Internal Control.
• Explain the limitation of internal control.
5.1. Introduction
Internal control is not only essential to maintaining the accounting and financial records of an
organization, it is essential to managing the entity. For that reason everyone, external auditors,
management, board of directors, stockholders, and government is interested in the internal
control.
The Important consideration of internal control in this unit has three major objectives first, to
explain the meaning of internal control, second, the significance of purpose and objective of
internal control, third, the characteristics of good internal control. In addition, the Unit would let
you to know the broad classification of internal control and the major weakness of internal
control.
5.2 Definition
Internal Control is a process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories.
(1) effectiveness and efficiency of operations
(2) Reliability of financial reporting, and
(3) Compliance with applicable laws and regulations.
Alternative definition, internal control system means all the policies and procedures adopted by
the directors and management of an entity to assist in achieving their objective of ensuring, as far

ADMAS UNIVERSITY 1
 AUDIT PRINCIPLES & PRACTICE-I

Handout
as practicable, the orderly and efficient conduct of its business, including adherence of internal
policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy
and completeness of the accounting records, and the timely preparation of reliable financial
information.
Overall internal controls are also defined as operational checks and balances that prevent loss due
to fraud, waste, abuse, and mismanagement of resources. The resources include: personnel,
information, and capital.
5.3. Objectives of Internal Control System
Management concern: studies suggest that management typically has the following objectives in
setting up a good system of internal control.
a) The orderly and efficient conduct of its business
An organization which is efficient and conducts its affairs in an orderly manner is much more
likely to be able to supply the auditors with sufficient appropriate audit evidence on which to
base their audit opinion. More importantly, the level of inherent and control risk will be lower,
giving extra assurance that the financial statements do not contain material errors.
b) Adherence to Internal Policies
Management is responsible for setting up an effective system of internal control and
management policy provides the broad framework within which internal controls have to
operate. Unless management does have a pre-determined set of policies, then it is very difficult
to imagine how the company could be expected to operate efficiently. Management policy will
cover all aspects of the company's activities and will range from broad corporate objectives to
specific areas such as determining selling prices and wage rates.

Given that the auditors must have a sound understanding of the company's affairs generally,
and of specific areas of control in particular, then the fact that management policies are
followed will make the task of the auditors easier in that they will be able to rely more readily
on the information produced by the systems established by the management.
c) Safeguarding of Assets
This objective may relate to the physical protection of assets (for example by locking monies in
a safe at night) or to less direct safeguarding (for example ensuring that there is adequate
insurance, cover for all assets). It can also be seen as relating to the maintenance of proper
records in respect of all assets.
The auditors will be concerned to ensure that the company has properly safeguarded its assets
so that they can form an opinion on existence of specific assets and, more generally, on
whether the company's records can be taken as a reliable basis for the preparation of financial
statements. Reliance on the underlying records will be particularly significant where the
figures in the financial statements are derived from such records rather than as the result of
physical inspection.

ADMAS UNIVERSITY 2
 AUDIT PRINCIPLES & PRACTICE-I

Handout
d) Prevention and Detection of Fraud and Error
The directors are responsible for taking reasonable stops to prevent and detect fraud. They are
also responsible for preparing financial statements, which give a true and fair view of the
entity's affairs. However, the auditors must plan and perform their audit procedures and
evaluate and report the results thereof, recognizing that fraud or error may materially affect
the financial statements. A strong system of internal control will give the auditors some
assurance that frauds and errors are not occurring. Unless management are colluding to
overcome that system.
e) Accuracy and completeness of the accounting records/timely preparation of reliable
financial information
This objective is most clearly related to statutory requirements relating to both management
and auditors. The auditors must form an opinion on whether the company has fulfilling this
obligation and also conclude whether the financial statements are in agreement with
underlying records.

Auditors concern: The generally accepted auditing standard field work standard number two
states that a sufficient understanding of internal control is to be obtained to plan the audit and
determine the nature, timing and extent of tests to be performed. Thus, the primary purpose of
studying and evaluating of internal control system by external auditors is to determine the
amount of audit work. It is assumed that good internal control provides more reliable financial
data and statements.

Detailed internal control objectives- for reliability of financial reporting:

There are seven detailed objectives that an internal control system must meet to prevent errors in
the accounting records. A basic assumption that underlines the assessment of whether the
objectives were met is that the system of internal control was in operation as described for the
period of reliance. The auditor must be careful to ensure that the objectives were met continuously
and not just periodically.
The client's system of internal control must be sufficient to provide reasonable assurance that:
a. recorded transactions are valid (validity). The system should not permit the inclusion of
fictitious or non-existent transactions in journal or other accounting records.
b. transactions are properly authorized (authorization). If a transaction that is not authorized
takes place, it could result in a fraudulent transaction and it could also have the effect of
wasting or destroying company assets.
c. the existing transactions are recorded (completeness). The client's procedures must
provide controls to prevent the omission of transactions from the records.

ADMAS UNIVERSITY 3
 AUDIT PRINCIPLES & PRACTICE-I

Handout
d. transactions are properly valued (valuation). An adequate system includes procedures to
avoid errors in calculating and recording transactions at various stages in the recording
transactions at various stages in the recording process.
e. transactions are properly classified (classification). The proper account classification
according to the client's chart of accounts must be made in the journals if the financial
statements are to be properly stated. Classification also includes such categories as division
and product.
f. transactions are recorded at the proper time (timing). The recording of transactions either
before or after the time they took place increases the likelihood of failing to record
transactions or of recording them at the improper amount. If late recording occurs at the
end of the period, the financial statements will be misstated.
g. transactions are properly included in subsidiary records and correctly summarized
(posting and summarization). In many instances individual transactions are summarized
and totaled before they are recorded in the journals. The journals are then posted to the
general ledger, and the general ledger is summarized and used to prepare the financial
statements. Regardless of the method used to enter transactions in the subsidiary records
and to summarize transactions, adequate controls are needed to make sure summarization
is correct.
The seven detailed internal control objectives must be applied to each material type of transaction
in the audit, such transactions typically include sales, purchases, cash receipts and payments,
acquisition and issuance provision of goods and services, payroll, and so on.

5.4 Components of internal control

Internal controls can be characterized as two types: administrative controls and accounting
controls. Administrative controls are primarily concerned with the promotion of operational
efficiency and the adherence to prescribed managerial policies. Administrative controls are
related to operational audits and compliance audits.

Accounting controls are principally concerned with safeguarding of assets and providing
assurance that the financial statements and the underlying accounting records are reliable.
Internal accounting controls relate to external and internal financial audit. The independent
auditor is primarily concerned with the accounting controls which generally bear directly and
importantly on the reliability of financial records.

Auditing standards states that the directors of an entity will set up internal controls in the
accounting system to assess the following:
a) Transactions are executed with proper authorization

ADMAS UNIVERSITY 4
 AUDIT PRINCIPLES & PRACTICE-I

Handout
b) All transactions and other events are promptly recorded at the correct amount, in the
appropriate accounts and in the proper accounting period.
c) Access to assets is permitted only in accordance with proper authorization.
d) Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences.
The internal control consists of five interrelated components. These are:
 control environment  information and communication
 risk assessment  monitoring
 control activities/procedures

5.4.1 Control Environment

The control environment consist of the actions, policies and procedures that reflect the overall
attitudes of the top management, directors and owners of an entity about internal control and
its importance to the entity. If management believes that control is important others in the
organization will sense that and respond by carefully observing the controls established on the
other hand, if it is clear to members of the organization that control is not an important
concern to top management it will not be important to them.

For the purpose of understanding and assessing the control environment, the following are the
most important sub-components that the auditor should consider:
 Integrity and ethical values
 Commitment to competence
 Board of directors or audit committee participation
 Management’s philosophy and operating style
 Organizational structure
 Human resource policies and practices

5.4.2. Risk assessment

One of the components of internal control is risk assessment. Management should carefully
consider the factors that affect the risk that the organization's objectives will not be achieved.
When considering the financial reporting objective, these risks include the threats to preparing
financial statements in accordance with generally accepted accounting principles. For example,
the following factors might be indicative of increased financial reporting risk:
 changes in the organization's regulatory or operating environment
 changes in personnel
 changes in the accounting standards

ADMAS UNIVERSITY 5
 AUDIT PRINCIPLES & PRACTICE-I

Handout
 implementation of a new or modified information system
 rapid growth of the organization
 changes in technology affecting production processes or information systems
 introduction of new lines of business, products, or processes

Management's process of risk assessment is similar to the auditor's assessment of audit risk, as
described in unit 3. However, the scope of management's risk assessment is more
comprehensive in that it involves consideration of factors that affect all of the organization's
objectives. The auditor's are concerned only with the level of inherent risk and control risk that
affect the organization's ability to produce financial statements that are in accordance with
generally accepted accounting principles.

5.4.3. Control activities/procedures

The control activities are policies and procedures in addition to those included in other four
components that help ensure that necessary actions are taken to address risks in the
achievement of the entity’s objectives. The control activities are commonly identified as
essential elements of internal control systems and discussed below.

Essential elements of sound (effective) Internal Control:

It is necessary that a system have certain elements or characteristics that increase the likelihood
of reliable accounting records and safeguarding of assets. Elements are directly related to
internal control objectives and the way in which a company satisfies them. The following six
are discussed in this section. In evaluating the strength and weakness of a system of internal
control it is imperative to look into the following elements.
 Competent, trustworthy personnel with clear lines of authority and responsibility
 Adequate segregation of duties
 Proper procedures for authorization
 Adequate documents and records
 Physical control over assets and records
 Independent checks on performance
a) Competent and Trustworthy Personnel
The most important element of any system of internal control is its personnel. If employees are
competent and trustworthy, even if some of the other elements are absent, reliable financial
statements will results. Honest, efficient people are able to perform at a high level even when
there are few other controls to support them. Conversely, even if the other five elements of
control are strong, incompetent or dishonest people can reduce the system to a shambles.

6
 AUDIT PRINCIPLES & PRACTICE-I

Handout
b) Adequate Segregation of Duties
Four general guidelines for segregation of duties to prevent both intentional and unintentional
errors are of special significance to auditors. A discussion of each follows.

Separation of the Custody of Assets from Accounting

The reason for not permitting a person who has temporary or permanent custody of an asset to
account for that asset is to protect the firm from fraud. When one person performs both
functions, there is an excessive risk of his disposing of the asset for personal gain and adjusting
the records to reliance himself of responsibility. For example, if the casher receives cash and
maintains both the cash and account receivable records, it is possible for has to take the cash
received from a customer and adjust the customer's account by failing to record a sale or by
recording a fictitious credit to the account.

Separation of the Authorization of Transactions from the Custody of Related Assets

It is desirable, if possible, to prevent persons who authorized transactions from having control
over the related asset. For example, the same person should not authorize the payment of a
vendors invoice and also sing the cheque in payment of the bill. Similarly, the authority for
adding new employees to or eliminating terminated employees from the payroll should not be
given to the person responsible for distributing payroll cheques. As illustrated, the
authorization of the transaction and the handling of the related asset by the same person
increase the possibility of fraud within the organization.

Separation of Duties within the Accounting Function

The least accounting system is one in which one employee is responsible for recording a
transaction from its origin to its ultimate posting in the general ledger. This enhances the
likelihood that unintentional or intentional errors will remain undetected and it may
encourage sloppy performance of duties. It is possible, however, that a single bookkeeper may
be cost effective.
There are many opportunities for automatic cross checking of different employees' work in a
manual system by simply segregating the recording in journals from the recording in related
subsidiary ledgers. It is also possible to segregate the responsibility for recording in related
journals, such as the sales and cash receipts journals.

Separation of Operational Responsibility from Record Keeping Responsibility

If each department or division in an organization were responsible for preparing its won
records and reports, there would be a tendency to bias the results to improve its reported

7
 AUDIT PRINCIPLES & PRACTICE-I

Handout
performance. In order to ensure unbiased information, record keeping is typically included in
a separate department under the controller.

Separation of IT duties from the duties of the key users outside it

The computer operator (who inputs data) should not be able to modify the program and a
programmer should get access to input data. Such functions if performed by the same person
it creates temptation for manipulation.
The overall organizational structure of a business must provide proper segregation of duties,
yet still promote operational efficiency and effective communication.
c) Proper Procedures for Authorization
Every transaction must be properly authorized if controls are to be satisfactory. If any person
in an organization could acquire or expand assets at will, complete chaos would result.
Authorization can be either general or specific. General authorization means that management
establishes policies for the organization to follow. Subordinates are instructed to implement
these general authorizations by approving all transactions within the limits set by the policy.
Examples of general authorization are issuance of fixed price lists for the sale of products,
credit limits for customers, and fixed automatic recorder points for making purchases.

Specific authorization has to do with individual transactions. Management is often unwilling

to establish a general policy of authorization for some transactions. Instead, they prefer to
make authorizations on a case-by-case basis. An example is the authorization of a sales
transaction by the sales manager for a used car.

The individual or group who can grant either specific or general authorization for transactions
should hold a position commensurate with the nature and significance of the transactions. The
policy for such authorizations should be established by top management. For example, a
common policy is to have all acquisitions of capital assets over a set amount authorized by the
board of directors.

There is also a distinction between authorization and approval. Authorization is a policy

decision for either a general class transactions or specific transactions. Approval is the
implementation of management's general authorization decisions. For example, assume
management sets a policy authorizing the ordering of inventory when less than a three-week
supply on hand. That is a general authorization. When a department orders inventory, the
desk responsible for maintaining the perpetual record approves the order to indicate the
authorization policy has been met.

8
 AUDIT PRINCIPLES & PRACTICE-I

Handout
d) Adequate Documents and Records
Documents and records are the physical objects upon which transactions are entered and
summarized. They include such diverse items as sales invoices, purchase orders, subsidiary
ledgers, sales journals, time cards and bank reconciliation. Both documents of original entry
and records upon which transactions are entered are important elements of a system, but the
inadequacy of documents normally causes greater control problems.

Documents perform the function of transmitting information throughout the client's

organization and between different organizations. The documents must be adequate to
provide reasonable assurance that all assets are properly controlled and all transactions
correctly recorded. For example, if the receiving department fills out a receiving report when
material is obtained, the accounts payable department can verify the quantity and description
on the vendor's invoice by comparing it with the information on the receiving report.
Certain relevant principles dictate the proper design and use of documents and records.

Documents and records should be:

- Pre-numbered consecutively to facilitate control over missing documents, and as an aid
in locating documents when they are needed at a later date.
- Prepared at the time transaction takes place, or as soon thereafter as possible. When there
is a longer time interval, records are less credible and the chance for error is increased.
- Sufficiently simple to ensure that they are clearly understood.
- Designed for multiple uses whenever possible, to minimize the number of different
forms. For example, a properly designed and used sales invoice can be the basis for
recording sales in the journals, the authority for shipment, the basis for developing sales
statistics, and the support for salesmen's commission.
- Constructed in a manner that encourages correct preparation. This can be done by
providing a degree of internal check within the form or record. For example, a document
might include instruction for proper routing, blank spaces for authorization and
approvals, designated column spaces for numerical data.

e) Physical Control over Assets and Records

The most important type of protective measure for safeguarding assets and records is the use
of physical precautions. An example is the use of storerooms for inventory to guard against
pilferage. When the storeroom is under the control of a competent employee, there is also
further assurance that obsolescence is minimized. Fireproof safes and safety deposit vaults for
the protection of assets such as currency and securities are other important physical
safeguards.

9
 AUDIT PRINCIPLES & PRACTICE-I

Handout
Physical safeguards are also necessary for records and documents. The redevelopment of lost
or destroyed records is costly and time consuming. Imagine what would happen if an accounts
receivable master file were destroyed. The considerable cost of backup records and other
controls can be justified to prevent this loss. Similarly, such documents as insurance polices
and promissory notes should be physically protected.

Mechanical protective devices can also be used to obtain additional assurance that accounting
information is correctly and accurately recorded. Cash registers and certain types of automatic
data processing equipment are all potentially useful additions to the system of internal control
for this purpose.

f) Internal Verification
The last specific element of control is the careful and continuous review of the other five, often
referred to as independent checks or internal verification. The need for a system of
independent checks arises because a system tends to deteriorate over time unless there is a
mechanism for frequent review. Personnel are likely to forget or intentionally fail to follow
procedures or become careless unless someone observes and evaluates their performance. In
addition, both fraudulent and unintentional errors are always possible, regardless of the
quality of the controls.

An essential characteristic of persons performing internal verification procedures is

independence from the individual originally responsible for preparing the data. A
considerable portion of the value of checks on performance is lost when the individual doing
the verification is a subordinate of the person originally responsible for preparing the data or
lacks independence in some other way.

5.4.4 Information and communication

Information is needed at all levels of the organization: financial information; operational
information; compliance information and information about external events, activities and
condition. This information must be identified, captured and communicated inform and time
frame that enables people to carry out their responsibilities.

The purpose of accounting information and communication system is to initiate, record,

process, and report the entity’s transactions and to maintain accountability for the related
assets

10
 AUDIT PRINCIPLES & PRACTICE-I

Handout
5.4.5. Monitoring
Monitoring activities deal with management’s ongoing and periodic assessment of the quality
of internal control performance to determine whether controls are operating as intended and
modified when needed.

5.5 Limitations of Internal control

An internal control system should be designed and operated to provide reasonable assurance.
That is an entity’s cost of internal control system should not exceed the benefits that are
expected to be derived. The necessity of balancing the lost of Internal controls with the related
benefits requires considerable estimation and judgment on the part of management.

Therefore the idea of reasonable assurance arises from two concepts: cost – benefit, and the
inherent weakness: The cost – includes paying employees for implementing the system,
constructing and acquiring facilities (safes, stoves) printing of vouchers, forms, etc. the
benefits includes prevention of potential losses.

The inherent limitations include:

(i) Management override of internal control: an entity’s controls may be overridden by
management. For example, a senior – Level manager can require a low – level
employee to record entries into the accounting records (because) that are not consistent
with the substance of the transactions and are in violation of the organization’s control.
The lower – level employee may record the transaction, even though he or she knows
that it is a violation of control, because of fear of losing he’s or her job.
(ii) Personnel errors or mistakes – The internal control system is only as effective as the
personnel who implement and perform the controls. For example, employees may
misunderstand instructions or make errors of judgment. They may make mistakes
because of carelessness, distraction, or fatigue.
(iii) Collusion – the effectiveness of segregation of duties lies in the Individuals per forming
only their assigned tasks or in the performance of one person being checked by another.
Collusion may occur, for example, an individual who receives cash receipts from
customers collide (agree) with the one who records those receipts in the customers’
records order to steal cash from the entity.
(iv) Change in conditions -the possibility that procedures may become inadequate due to
changes in conditions or that compliance with procedures may deteriorate overtime.
This may particularly apply if a business is expanding internal controls designed to
cope with a smaller business may well have problems coping

11
 AUDIT PRINCIPLES & PRACTICE-I

Handout
(v) Focus on routine tasks -Most systematic internal controls tend to be directed at routine
transactions than non-routine transactions. Hence it is important for auditors to
ascertain what may go on outside the accounting system

5.6 Summary
Internal control is a process affected by the clients’ board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
in the categories of (1) effectiveness, and efficiency of operations, (2) reliability of financial
reporting (3) compliance with applicable laws and regulations.

The purpose of considering internal control in the auditors concern is to assess the audit risk
for each major financial statement assertions to determine the nature, timing and extent of the
substantive tests of that assertion. Whereas, in the managements concern, the purpose of
internal control is to increase profitability, safeguarding of assets and accounting records, to
produce reliable and accurate financial information, to adhere with applicable rules and
regulations. Thus, management of an organization should apply the six elements of good
internal control to achieve the above mentioned purposes and objectives.

12