Chapter four: Internal Control

Introduction: From your previous study of generally accepted auditing standards, you may remember that the
second standard of field work states that “auditors have to examine the internal control system of the client before
they actually start collecting evidence that supports the amounts reported on the financial statements.

The amount of audit work the auditors do in examining the financial statement depends directly on the quality of
the client’s internal control system. From the auditor’s point of view, this means if the client’s internal control
system is strong, and you can rely on it. In this case you need less time to complete the audit.

Objectives

After studying this chapter, you will be able to:

 Define and describe internal control and its components
 Distinguish between management and auditor’s responsibility regarding a company’s internal control; and
 Explain the primary and secondary reasons for conducting an evaluation of a client’s internal control.
 Distinguish between internal audit and internal control.
 Explain the relationship between internal control and control risk
 Distinguish between accounting and administrative controls
 Limitations of internal control
4.1 Meaning and importance of Internal control

Internal control is the process, designed by an entity’s board of directors, management and other personnel. It is
designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, reliability of
financial reporting and compliance with applicable laws and regulations.

In other words, internal control consists of all the measures taken by the organization for the purpose of:

1-Protecting its resources against waste, fraud and inefficiency

2-Ensuring accuracy and reliability in accounting and operating data
3-Securing compliance with the policies of the organization and
4-Evaluating the level of performance in all organizational units of the organization.
In principle, a company is expected to establish adequate policies and procedures to achieve the objectives of
accounting controls. The specific internal control policies and procedures depend on the nature of transactions and,
the data processing system and other similar factors.

An organization’s internal control structure consists of the policies and procedures established to provide
reasonable assurance that the organizations related objectives will be achieved. The concept of reasonable
assurance recognizes that no structure is perfect and that the cost of an entity’s internal should not exceed the
benefits expected to be derived.
1|Page
Internal control extends beyond the accounting and financial functions and its scope is companywide and touches
all activities of the organizations. It includes the methods by which top management delegates authority and assigns
responsibility for such functions as selling, purchasing, accounting, and production.

4.2 Need for Internal controls

The evolution of large corporate enterprises, including a great variety of specialized technical operations and
employees numbered in the tens of thousands, has made it impossible for corporate executives to exercise personal,
firsthand supervision of operations. No longer able to rely upon personal observations as a means of appraising
operating results and financial position, and the necessity has come to depend upon a stream of accounting and
statistical reports. The information carried by this stream of reports enables management to control and direct the
enterprise. It keeps management informed as to whether company policy is being carried out, whether government
regulations are being observed, and whether financial positions are sound and profitable.

Business decisions of almost every kind are based at least in part on accounting data. These decisions range from
such minor matters as authorizing overtime work or purchasing office supplies to such major issues as a shift from
making one product to another or making choice between leasing or buying a new plant. The internal control
structure provides assurance to management of the dependability of the accounting data used in making these
decisions. The independent auditors obtain an understanding of the internal control structure in order to plan the
audit and to determine the nature, timing, and extent of the other auditing work necessary to permit them to express
an opinion as to the fairness of the financial statements.

Internal control is intended to achieve the following objectives:

1) Detect and eliminate errors and frauds

2) Exercise moral pressure over the employees and
3) Ensure reliability of accounting information
4) Verify the compliance with company policies
4.3-Accounting vs. Administrative controls

Internal controls can be classified in to two broad categories: accounting controls and administrative controls.

Accounting Controls: These are controls related to the accounting system. They are concerned with achieving the
following objectives. To make sure that:

 Transactions are executed in accordance with the management’s authorization

 Transactions are promptly recorded in a proper manner to ensure timely preparation and communication of
reliable financial information

2|Page
  Accountability for assets is maintained and assets are safeguarded from unauthorized access, use or
disposal.

Administrative controls: These controls emphasize on the effectiveness and efficiency of the management
decision-making process. Administrative controls emphasize on controls for management decision
concentrating on authority and responsibility for authorization of information. Administrative controls include
the organizational structure, procedures and records related to the decision process.

The plan of the organization refers to the organizational structure and the methods of assigning authorities and
responsibilities. A proper plan of the organization is important for effective operation of the entire internal
control system. Accounting controls have a direct impact on the reliability of financial information,
administrative controls, on the other hand, have only an indirect effect on the financial information. Therefore,
in financial statement audit, the auditor will be primarily concerned with reviewing accounting controls rather
than administrative controls. But auditors should not forget that administrative controls that have impact on the
reliability of financial information should also be also reviewed.

4.4 Components of internal control structure

Internal control structure varies significantly from one organization to another. The specific control features
used depend upon such factors as the size, nature of the operations, and objective of the organization for which
the structure was designed.

For the purpose of the financial statement audit, internal control structure should consist of the following three
major elements: Control environment, the accounting system and control procedures.

1-Control environment: The internal control environment consists of the overall sets of factors designed to
achieve the organization’s policies and procedures. It reflects the overall attitude of management and board of
directors regarding the importance of controls in the company. If top management believes that internal control
is important, others in the organization will sense that and respond conscientiously observing the policies and
procedures established.
The internal control environment consists of the following factors:
 management philosophy and operating style
 Organizational structure
 Board of Directors
 Methods of assigning authority and responsibility
 Management control methods
 Internal Auditing
 personnel policies and practices

3|Page
  External influences
 Integrity, ethical values and commitment to competence
Moreover, the internal control environment will be effective if each control environment factor is maintained as
follows:

 Management creates favorable control environment within the organization. It prescribes appropriate
controls and adheres to established controls. Management places emphasis on taking and controlling
business risk, financial goals and financial reporting.

 Organizational structure provides an overall frame work for planning, coordinating, and controlling
operations. The organizational chart accurately should reflect line of authority, and reporting relationships
that is delegation of authority and assignment of responsibility.

 The Board of Directors overseas business activities and its audit committee monitor financial reporting.

 Methods of assigning authority and responsibility are clearly established and communicated.

 Internal auditing assists management in monitoring the effectiveness of control policies and procedures and
internal auditors should be independent of the units they audit and must be qualified.

 Personnel policies and practices should result in hiring trustworthy, ethically competent and adequate
number of employees.

2-The Accounting System: The focus of the accounting system as one of the important component of the
internal control is on the transactions. The accounting system should provide a complete audit or transaction
trial for each transaction. A transaction trial is a chain of evidence provided by coding, cross references and
documentation concerning account balances and other summary results with original transaction data.

An effective accounting system should:

 Identify and record all valid transactions

 Describe the transaction in sufficient detail to permit proper classification of transactions for financial
reporting.
 Measure the value of the transactions in a manner that permits recording their proper monetary value in the
financial statements.
 Determine the time period in which transactions occurred to permit recording of transactions in the proper
accounting period.
 Present properly the transactions and related disclosures in the financial statements.

4|Page
 In general the accounting system consists of the methods and records established to identify, record, assemble,
analyze, classify and report an entity’s transactions and to maintain accountability for the related assets and
liabilities.

3-Control procedures: The control procedures have the following factors:

 Proper authorization
 Segregation of duties
 Documents and records
 Access controls
 Independent checks
Control procedures will be effective if each control procedures are maintained as follows:

o If management personnel within the scope of their authority authorize transactions.

o The assignment of the responsibility for a transaction should enable one employee to cross check the work
of one or more employees. This helps errors and irregularities to be prevented and detected.
o Segregation of duties is applied upon the following situations like responsibility for executing a transaction,
recording the transaction and maintaining custody of assets, resulting from the transactions should be
assigned to different individuals or departments.
o The various steps involved in executing a transaction should be assigned to different individuals or
departments
o Responsibility for certain accounting operations should be segregated.
o There should be proper segregation of duties with in the electronic data processing and other departments.
o Documents should be pre-numbered and properly field and records should be properly maintained.
o The work performed by the individual or department and valuation of recorded amounts should be verified
or independently checked.
o Verifying transactions and reconciling records with existing assets.
o Comparing and analyzing financial results with budgeted amounts.
4.5-Internal controls and control risk

Internal controls are all the policies and procedures that a company uses to prevent, detect, and correct errors
and irregularities and frauds that might get in to financial statements. The auditor’s task is to assess the control
risk associated with the control procedures designed and implemented for the period under audit. Control risk is
the probability that a company’s controls will fail to detect errors, irregularities, and frauds. Control risk is a
characteristic of the client’s controls. Many auditors usually conclude the internal control risk assessment
decision with a descriptive assessment such as maximum or high, moderate and low.

5|Page
 If the internal control is effective and strong, then the level of control risk will be assessed as low. This is because
due to the effectiveness of the internal control the errors and frauds can be prevented and detected. Likewise if the
internal control is poor, and then the control risk can be assessed at high. If the auditors assess the control risk as
high

(i.e... poor internal control) they will tend to perform a great deal of substantive audit work with large sample
size and gather more and competent audit evidence. On the other hand if auditors assess control risk as low,
(i.e... effective internal control) they can perform a lesser quantity of substantive –audit work with small sample
size. Of course, auditors may assess control risk between low and high and adjust the substantive work
accordingly.

The effective operation of internal control ensures that the accounting records are complete and accurate. If the
auditor is satisfied that the internal control system is functioning, there is a reduced risk of error in the
accounting. Therefore, the auditor has to see what internal control system exists in the client and then check
whether the system is operating properly as designed.

The client expects the auditor to detect and report on frauds that might exist in the organization and forward
recommendations to management on how to improve the internal control of their client’s if they find weakness
in it.

4.6-Internal Audit and internal control

Internal audit is a means management control mechanism established internally and arising out of the need for
verification. Internal audit is part of the internal control system in an organization, which is responsible for
evaluating and commenting on the effectiveness of the internal control system. An internal audit function is
established within an entity to monitor the effectiveness of other control related policies and procedures. For an
internal audit function to be effective, the internal audit staff should be independent of both the operating and
accounting departments, and that it reports directly to a high level of authority within the organization.

There are two forms of internal auditing. These are pre-audit and post-audit. The pre-audit is the examination of
transactions before payment is effective. It is a more traditional audit function. Post-audit represents after the
fact examination and is a more recent one.

The purposes of pre-audit are to provide reasonable assurance that:

-Expenditures are not unreasonable or extravagant,

-Sufficient funds are available to enable payments of the invoice, and
-There has been compliance with government proclamations, regulations, and directive, procedural and budgetary
requirements.

6|Page
 Post-audit is conducted to achieve the following objectives:
 To verify the accounting records
 To review the internal control system
 To evaluate the efficiency, effectiveness and economy of operations and
 To evaluate if management objectives are achieved.
The basic limitation of the post-audit is that it concentrates on detection of fraud and error rather than preventing
their occurrence. The existence of an effective internal audit strengthens the internal control system of the
organization under consideration. This increases the degree of reliance by the external auditor on the internal
control system of the audit client. This in turn decreases the extent of examination to be made to verify the
reliability of the information included in the financial statements.

4.7-Internal audit and External audit:

Internal audit is a means of management control mechanism established internally and arising out of the need
for verification. Internal audit is part of the internal control system in an organization, which is responsible for
evaluating and commenting on the effectiveness of the internal control system. An internal audit function as
part of an internal control system is established with in an entity to monitor the effectiveness of other control
related policies and procedures.

For an internal audit function to be effective, the internal audit staff should be independent of both the operating
and accounting departments, and that it reports directly to high level of authority within the organization.
External audit is an independent audit made by the external auditors to attest the fairness of the financial
statements presentation.

Thus internal and external audit varies with regard to need, status, scope, qualification, appointment,
responsibility and procedures.

4.8-Limitations of Internal control

Regardless of how carefully designed, an internal control structure contains inherent limitations. Of course,
management is responsible to establish and maintain an appropriate internal control system by considering the
entity’s size, ownership, nature, characteristic of employees, nature and complexity of operations, methods of
data processing, and regulations. Management normally seeks reasonable assurance, rather than absolute
assurance. This is because internal control structure has inherent limitations. This shows that the auditor cannot
rely 100% on an internal control system since all internal control systems have inherent limitations. These
weaknesses primarily emanate from the fact that any internal control system is administered by human beings
who are all subject to temptation and default.

While designing the internal control system, the following two important factors need to be considered:
7|Page
 -The cost of the structure should not exceed the expected benefits.
-Controls should not have a significant adverse effect on efficiency or profitability
All internal control systems are subject to three major inherent limitations:

Human factors: An employee through misunderstandings of instructions, carelessness, fatigue, absenteeism,

deliberate circumvention, or overriding specific controls can impair the effectiveness specific controls. In short,
incompetent and/or dishonest people can reduce the system to a shamble.
Scope of controls: Controls may not encompass all transactions, that is non-routine transactions and extraordinary
events may not be covered.
Business environment: Changed conditions may necessitate major modifications in the control structure.
Thus, there is always some level of control risk but detection risk can be reduced when there is an effective internal
control structure.

8|Page