
Chapter 5 Internal Control

Uploaded by

hackdon8

5.

Internal Control Page 40

Ch # 5: Internal Control

The Importance of Internal Control

Internal control may be defined as the process designed, put in place and maintained to provide reasonable
assurance regarding the achievement of the objectives of an entity. These objectives relate to the
reliability of the financial reports, the efficiency and effectiveness of operations and adherence to relevant
and applicable laws and regulations.

How the auditor uses internal controls

▪ Modern auditing is, wherever possible, based on a ‘systems-based’ approach.
▪ The auditor relies on accounting systems and related controls to ensure that transactions are properly
recorded.
▪ His assumption is that if the systems and internal controls are adequate, the transactions should be
processed correctly.

The degree of effectiveness of an internal control system will depend on the following two factors:
▪ The design of the internal control system and the individual internal controls.
(Existence of Controls)
▪ The proper implementation of the controls.
(Operating effectiveness of controls)

Summary of the audit approach: tests of controls or substantive tests?

▪ If auditor concludes that the system of controls is weak, and that the controls cannot be relied on, he
will have to carry out extensive substantive procedures.
▪ If the auditor judges that internal controls are strong
- He would perform tests of controls (in order to verify his opinion about them); and
- Perform some substantive procedures on the transactions and balances in the F/S.

Management letter

▪ It is common practice for the external auditor to prepare a ‘management letter’ for client.
▪ This is sometimes also known as letter of weakness.
▪ A management letter is a report typically presented in columnar fashion detailing:
- Weaknesses observed in the client’s system of internal controls.
- Possible effect of that weakness
- Recommendations / Suggestions for client to improve control
- Management’s response on that issue

General Limitations of Internal Controls

▪ Human error may result in incomplete or inaccurate processing
(which may not be detected by control systems)
▪ It may not be cost-effective to establish certain types of controls
▪ Controls may be ignored or overridden by employees or management.
▪ Collusion may make segregation of duties ineffective
(Collusion means 2 or more people work together to avoid a control, possibly for fraud)
Due to these limitations auditors will always supplement their work on systems with some testing of
transactions and balances themselves (substantive testing).

The Elements of Internal Control

There are 5 elements which together make up the internal control system.
1) The control environment
2) The information system
3) The entity’s risk assessment process
4) Control activities (internal controls)
5) Monitoring of controls

ISA 315 requires the auditor to:


▪ Gain an understanding of each of these elements; and
▪ Document relevant features of control systems and his evaluation of their effectiveness.

The auditor should then confirm that his understanding is correct by performing ‘walk-through’ tests on
each major transaction type (e.g. revenue, purchases and payroll).

Walk-through testing involves the auditor selecting a small sample of transactions and following them
through the various stages in their processing in order to establish whether his understanding of the
process is correct.

1) The control environment

The control environment includes the views, awareness and actions of management regarding an entity’s
internal control (general ‘attitude’ to internal control).

It also includes governance and functions of management.

The control environment includes the following elements:


▪ Communication and enforcement of integrity and ethical values
▪ Commitment to competence
▪ Participation of management
▪ Management’s philosophy and operating style
▪ Organisational structure
▪ Assignment of authority and responsibility
▪ Human resource policies and practices

A strong control environment is typically one where management shows a high level of commitment to
establishing and operating appropriate controls. Without a strong control environment, the control
system as a whole is likely to be weak.

2) The information system

Auditor would identify and understand the following:


▪ Entity’s principal business transactions relevant to financial reporting;
▪ How these transactions and other events are ‘captured’ (identified and recorded) by entity;
▪ Processing methods (manual and computerized) applied to those transactions;
▪ Accounting records used to support the figures appearing in the F/S; and
▪ Processes used in the preparation of the F/S.

3) The entity’s risk assessment process

Management should identify, assess and manage business risks, on a continual basis.
▪ Identifying means recognising the existence of risks or potential risks.
▪ Assessing means deciding whether the risks are significant, and possibly ranking risks
▪ Managing means developing and implementing controls to deal with those risks.

Business risks are events or omissions that may prevent entity from achieving its objectives. Risks can
arise or change due to circumstances such as:
▪ Changes in the entity’s operating environment
▪ New personnel
▪ New or revamped information systems
▪ Rapid growth
▪ New technology
▪ New business models, products or activities
▪ Corporate restructurings
▪ Expanded foreign operations
▪ New accounting pronouncements.

4) Control activities

These are the specific policies and procedures, other than the control environment, designed to prevent
errors, or to detect and correct errors that may arise in processing information.

Tutor’s Note

Preventive Controls
Description: Designed to stop errors or irregularities from occurring.
Examples:
▪ Segregation of Duties
▪ Security guards
▪ Proper authorization of transactions
▪ Using passwords.

Detective Controls
Description: Designed to find errors or irregularities after they have occurred.
Examples:
▪ Bank reconciliation
▪ Exception Reports
(to identify unexpected results that require follow-up)
▪ Camera
▪ System logs
▪ Periodic audit (internal as well as external)

Corrective
Description: Restore the system or process back to the state prior to harmful event
Or
To prevent errors & irregularities from reoccurring once discovered
Examples:
▪ Contingency planning
▪ System backup
▪ Service level agreements with reliable software companies, for technical support
▪ Policies of reporting irregularities to correct those
▪ Positive discipline to prevent employees from making future errors.

Categories of control activities (internal controls)

Performance reviews
▪ Reviews and analyses of actual performance versus budgets, forecasts, and prior period performance
▪ These include supervision by management of the work of subordinates, management review of
performance and control reporting

Physical controls
▪ Physical security of assets and records to prevent unauthorised use, theft or damage

Information processing
▪ General IT controls
▪ Application controls
(A variety of controls are used to check the accuracy, completeness and authorisation
of transactions)

Authorization & Segregation of duties
▪ Assigning different people for
- Authorizing transactions
- Recording transactions
- Custody of assets.
▪ Work done by one individual acts as a check on the work of the others.

5) Monitoring of controls
Management should review and monitor the operation of the controls, on a systematic basis, to confirm
that the controls remain adequate and that they are being applied properly.

Internal controls in IT systems: General controls and Application controls

General IT controls
▪ General IT controls are policies and procedures that relate to many different applications
▪ They support the effective functioning of application controls
▪ If general IT controls are weak, it is unlikely that the processing undertaken by the system will be
complete and accurate.
▪ Auditor will firstly review and test the general IT controls to check their effectiveness.
(to assess the control risk attached to the entity’s IT systems as a whole).

Main general controls normally suggested, in a computer-based information system, are:


▪ Controls over the development of new computer information systems and applications
▪ Controls over the documentation and testing of changes to programs
▪ Prevention or detection of unauthorised changes to programs or data files
▪ Controls to prevent the use of incorrect data files or programs
▪ Controls to ensure that there will be continuity in computer operations
(that the system will not ‘break down’).

Application controls
▪ Application controls apply to processing of individual applications (e.g. revenue, purchases or payroll).
▪ These controls could be manual or computerized

System logs

A log file is a file that records events taking place in the execution of a system. This generates an audit trail
that can be used to understand the activity of the system and to diagnose problems.

Examples of system logs include:


▪ Which user logged-in, when and where from
▪ Failed log-in attempts
▪ Who accessed and amended data in a file
▪ Changes made to a program – what, when and by whom
▪ When employees entered and left the building
▪ Black box flight recorders
▪ CPU speed
▪ Broadband speed
▪ Call log on mobiles
▪ Which web pages a user accessed
▪ Attempted cyber intrusions

Specific IT controls

Each control is listed with its description, followed by an example.

Control totals
Checking total against total value for all the transactions input.
Example: If an accountant is entering data for 100 admission forms of CA students in a college. Control
total for 100 forms can be calculated (e.g. with calculator). When 100 forms have been entered,
accounting software may output its own total. This can be checked against control total taken
manually, to make sure that they agree.

Range Check
The value of an item of data might have to be within a particular range
Example: If students of an auditing class are assigned roll numbers from 2100–2240, the system would
generate an error report if any roll number outside that range is entered

Existence Check
Program checks actual existence of a particular code
Example: If a roll number (e.g. 2911) is entered by the accountant which does not exist in the database of
students, system would generate an error report.

Sequence Check
Example: Documents are sequentially numbered

Completeness Check
Example: A field should always contain data rather than being blank

Duplicate Check
Example: New transactions are matched to those previously input to ensure that they have not already
been entered

Batch total
It is a form of control total. (however it is batch wise)
Example: If in above example of control total, accountant is entering forms in batches of 20 each, total
would be checked for each batch separately.

Check Digit
These are checks within computer program on the validity of key numerical codes. Every code is given an
extra digit. This is a unique digit obtained from the other digits in the code.
Example: Suppose all roll numbers in a college are up to 4 digits. The system would initially add a 5th digit
as a check digit to all roll numbers (i.e. code).
Suppose that a student’s roll number is 3467. The check digit is calculated as follows (in the Modulus 11
system).

Code digit                  Weighting    Product
3                           × 5          15
4                           × 4          16
6                           × 3          18
7                           × 2          14
                                         63
Check digit (would be 3)    × 1           3
                                         66   (Divisible by 11)

The 5 digit student code is therefore 3467-3.

When the accountant enters the roll number, the system would automatically multiply the 1st digit by 5,
2nd by 4, 3rd by 3, 4th by 2 and 5th by 1. After adding all totals the system would divide this by 11. If the
total is fully divisible by 11, there would be no error; otherwise there must be an error in the input of
code.
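
The Modulus 11 check digit worked through above, chained with the completeness, range, existence and duplicate checks from the same table, as an added example that is not part of the original notes. The function names, the sample student records and the decision never to issue a code whose check digit would come out as 10 are assumptions.

```python
# Added example: weights, range and roll number 3467 follow the notes' illustration.
WEIGHTS = (5, 4, 3, 2)            # one weight per code digit; the check digit has weight 1
VALID_RANGE = range(2100, 2241)   # range check from the notes: roll numbers 2100-2240

def check_digit(code):
    """Return the Modulus 11 check digit for a 4-digit code, or None if it would be 10."""
    if len(code) != len(WEIGHTS) or not (code.isascii() and code.isdigit()):
        raise ValueError("code must be exactly 4 digits")
    total = sum(int(d) * w for d, w in zip(code, WEIGHTS))
    digit = (11 - total % 11) % 11
    return None if digit == 10 else digit   # assumption: such codes are never issued

def check_digit_ok(full_code):
    """True if a 5-digit code (4 digits + check digit) is divisible by 11 when weighted."""
    if len(full_code) != 5 or not (full_code.isascii() and full_code.isdigit()):
        return False
    total = sum(int(d) * w for d, w in zip(full_code, WEIGHTS + (1,)))
    return total % 11 == 0

def validate_entry(full_code, enrolled, already_entered):
    """Apply the input checks in order; return the list of exceptions to report."""
    if not full_code:
        return ["completeness: field is blank"]
    if not check_digit_ok(full_code):
        return ["check digit: code is mistyped or malformed"]
    errors = []
    roll = int(full_code[:4])
    if roll not in VALID_RANGE:
        errors.append("range: roll number outside 2100-2240")
    if roll not in enrolled:
        errors.append("existence: roll number not in student records")
    if roll in already_entered:
        errors.append("duplicate: roll number already entered")
    return errors

if __name__ == "__main__":
    enrolled = {2100, 2101, 2131}   # constructed sample student records
    entered = {2101}                # constructed: forms already keyed in
    for code in ("21008", "21080", "21016", "34673", ""):
        print(repr(code), validate_entry(code, enrolled, entered) or "accepted")
```

The check digit catches a single wrong digit and a swap of two adjacent digits at the point of entry, before the record lookup is even attempted; it says nothing about whether the roll number is in range or belongs to a real student, which is why the other checks still run.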

Narrative notes and questionnaires

The principal methods available to the auditor for recording internal control systems are:

▪ Narrative notes
▪ Systems flowcharts
▪ Questionnaires

Narrative notes

▪ Written description of the control system and the controls that are in place.
▪ Used mainly to make a record of the control activities involved in processing transactions.
▪ Simple to prepare, but can become lengthy
▪ May be time-consuming to prepare initially and afterwards updating may also take time
▪ Ideally, narrative notes should be written clearly, but should not be longer than necessary.

Questionnaires

▪ Questionnaires are widely used by auditors to document systems.


▪ Questionnaires can be prepared in advance as standard documents.
▪ It is a list of questions about controls in a particular aspect of operations or accounting.

There are 2 main types of questionnaire

1) Internal Control Questionnaire (ICQ)

▪ ICQ is designed to establish whether appropriate controls exist, that meet specific control
objectives.
▪ Each question deals with a particular control and requires a ‘Yes’ or a ‘No’ answer
▪ ICQs are usually drawn up in such a way that a:
- ‘Yes’ answer to a question indicates a control strength, and
- ‘No’ answer to a question indicates a control weakness.
▪ Auditor can also review the Yes/No answers to gain an overall picture of the reliability of the
system under review.
▪ A questionnaire is relatively simple for the auditor to complete.
▪ However, a questionnaire can sometimes become lengthy and hence time-consuming

Checking ICQs

Instead of preparing a new ICQ each year, the auditor can take ICQs from the previous year’s audit, check
their accuracy and where appropriate bring them up to date. Auditor should:
▪ Look at any control weaknesses that were indicated in those ICQs
▪ Find out whether the client has taken any action during the year to deal with them.
▪ Check the accuracy of each ICQ through a series of checks and enquiries
(e.g. review system documentation, interview staff responsible for controls and carry out
walk-through tests)
▪ Make any amendments and updates as necessary.

2) Internal Control Evaluation Questionnaire (ICEQ).

Idea behind ICEQ is to draw up a small number of key control questions designed to establish
whether major weaknesses may exist in a control system:
▪ Using ICQ, Auditor is looking for ‘good news’ and expects to find particular controls.
▪ Using ICEQ, auditor is looking for ‘bad news’ and possibility that controls may be weak
Like an ICQ, an ICEQ contains a list of questions for which the answer is Yes or No, but the list is shorter.

ICEQ approach typically produces a shorter document than an ICQ but it may suffer from the
disadvantage that the questions are less precise and may need more knowledge and experience on the
part of the auditor to answer them.
Choosing which type of questionnaire to use is a matter of preference for the auditor.

Systems flowcharts

▪ Provide a representation of accounting systems in the form of a diagram.


▪ Flowcharts show the flow of work by showing how documents are transferred within a system (and
filed) and how they are used.
▪ Flowcharts present an immediate visual impact of the system.
▪ Some expertise is needed to draw a good flowchart and to use it

Problems for small entities

▪ Many control activities may be inappropriate for small entities because they are too costly or impractical.
(e.g. it is difficult to segregate duties in a small company with only a few employees)
▪ There is unlikely to be a written code of conduct so a culture of integrity and ethical behaviour of
management will be important.

The following problems may arise when control systems rely excessively on the involvement of senior
management.
▪ There may be a lack of evidence as to how systems are supposed to operate.
▪ There may be lack of evidence of controls.
▪ Management may override other controls that are in place.
▪ Management may lack the expertise necessary to control the entity effectively.
▪ There is unlikely to be any independent person within the management team as there would be within
“those charged with governance” in a large entity.

It is likely that a lower level of reliance will be placed on controls in a smaller entity, and that a large
amount of substantive testing will therefore be required.
