INTERNAL CONTROL

1
Internal control are ;
- Policies
- Procedures
- Processes
- Practices
That help an organization to;
Safeguard its assets, ensure work is done in accordance with management’s wishes
and properly reflect transactions on its financial reports.
Internal control also can be defined as the process designed by management ,
those charged with governance and other personnel to provide reasonable
assurance in terms of the achievement of the entity’s objectives in terms of
reliability of financial reporting, effectiveness and efficiency of operational
and compliance with applicable laws and regulations.

2
➢It is a series of actions that implant entity’s activities.

Note: Management’s role is to provide leadership that the organization needs to

achieve its goal and objectives.

➢Internal control is a technique used by managers to help an organization

achieve these objectives.

3
 SUMMARY OF THE AUDIT APPROACH

Test of controls or substantive test

as far as possible, the auditor will rely on the internal control that are in
operation. However, all internal control systems have inherent limitations, and
controls can never be perfect and 100% certain to be effective. It will
therefore be possible for the auditor to rely on them completely ;-
The auditor must therefore;-
- Test the underlying internal control systems themselves, using test of
control and
- Perform some tests on the transactions and balances in the financial
statements. These test on transactions and balances are referred to as
substantive procedures. 4
✓ When auditor concludes that the system of controls is weak, and that the
controls therefore cannot be relied on, he will have to carry out extensive
substantive procedures. When an audit relies heavily on substantive
procedures, the approach to the audit is a called a transactions-based
approach
✓ If the auditor judges that the internal control are strong, he will carry out tests
on the controls (in order to verify his opinion about them) and should need a
smaller amount of substantive testing. When an audit is based mainly on
favorable assessment of the internal controls, the approach to the audit is
called a systems-based approach

5
 The main objectives of internal control
are:
1. To ensure the orderly and efficient conduct of business in respect of
systems being in place and fully implemented.

2. To safeguard the assets of the business. Assets include tangibles and

intangibles, and controls are necessary to ensure they are optimally utilized
and protected from misuse, fraud, misappropriation or theft.

6
3. To ensure the timely preparation of financial information which applies to
statutory reporting (of year end accounts, for example) and also management
accounts, if appropriate, for the facilitation of effective management decision-
making.

4. To prevent and detect fraud. Controls are necessary to show up any

operational or financial disagreements that might be the result of theft or fraud.
This might include the use of unauthorized accounting policies, inventory controls,
and of company property

7
5. To ensure the completeness and accuracy of accounting records. Ensuring
that all accounting transactions are fully and accurately recorded, that assets and
liabilities are correctly identified and valued, and that all costs and revenues can be
fully accounted for.

8
 HOW TO DESIGN INTERNAL CONTROL
SYSTEM

Identifying the potential misstatement – potential risk should be identified

Do we have to prevent an issue or detect ? – the aim to design IC should be
stated first.
Design an effective and efficient internal control - (cost vs benefit)
- Decide whether to use manual (people should be competent) or automated
(well programed).
Monitoring – checking the operations of the control

9
 Components/elements of Internal control
✓ The control environment
✓ Control activities
✓ The entity’s risk assessment process
✓ The information system relevant to financial reporting/ information and
communication.
✓ Monitoring of controls

10
 Control environment
➢Is the framework within which controls operates.
It includes: the processes, and structures that provide the foundation for internal
control throughout the organization, include the tone at the top (general attitude
to the internal control of management and employees in the organization)
▪ Communication and enforcement of integrity and ethical values. Example
effectiveness of monitoring of controls
▪ Commitment to competence. Example considering competence level for a
particular job
▪ Participation by those charged with governance. Example extent of involvement
and inspection of activities.
▪ Management philosophy and operating style
▪ Organization structure

11
• A strong control environment is typical one where management shows a high level of commitment to
establishing and operating appropriate controls.
• The existence of a strong control environment cannot guarantee that controls are operating effectively, but it
is seen as a positive factor in the auditors risk assessment process. Without a strong control environment, the
control system as whole is likely to be weak.
In evaluating the control environment the auditor should consider the following;-
- Management participation in control process, including participation by the board of directors;
- Management’s commitment to a control culture
- The existence of an appropriate organization structure with clear divisions of authority and responsibility.
- An organization culture that expects ethically acceptable behavior from its managers and employees and
- Appropriate human resources policies, covering recruitment, training, development and motivation, which
reflect a commitment to qualify and competence in the organization.

12
 The entity’s risk assessment process
Is the process od identifying risk to achieving objectives; analyzing potential events, considering events,
considering their likelihood of occurring and impact on achieving objectives; and deciding how to
respond to the risks.
How well the organization sets objectives to identify and manage risks e.g does the company assess
the risk of financial statement fraud?
The entity should have the process for identifying the business risk relevant to financial reporting
objectives, estimating the significance of risk, assessing the like hood of their occurrence and deciding
upon action to address those risk.
Risk assessment forms the basis for determining what risks need to be controlled and the controls
required to manage them.
Risk assessment involves
i) Risk identification
ii) Analyzing the key risk (likelihood and impact)
iii) Deciding how to respond to each risk. Risk responses are avoiding, reducing, transferring
(sharing), and accepting risk

13
Risks can rise or change due to circumstances such as ;-
- Changes in entities operating system
- New personnel
- New information system
- Rapid growth
- New technology

14
Information system relevant to financial
reporting
An information system consists of
- Infrastructure (physical and hardware components
- Software
- People
- Procedures
- Data
It has been established that effective internal control depends on high quality of
information.
Example
- -The accounting system should accurately record and present financial data
- - internal control responsibilities are communicated to employees through
policy manuals and by top management
15
Control Activities
➢These are policies and procedures that help ensure that management directives
are carried out or policies and procedures used to address risks.
➢Those activities designed to prevent or to detect and correct errors. Examples
activities relating to authorization, performance review, information
processing, physical controls and segregate on of duties.

16
Monitoring of Control
Refers to the assessment of the quality of internal control performance over time.
Can be
a) Ongoing monitoring occurs in the course of operations
b) Periodic monitoring includes tasks such as periodic internal audit and annual
reviews of high-risk business process.
The organization should evaluate the performance of its internal control
➢Is the process to assess the effectiveness of internal control performance over
time. It includes assessing the design and operation of controls on a timely basis
and taking necessary corrective actions modified for changes in conditions.

17
 KEY ELEMENTS OF A GOOD
PRACTICE INTERNAL CONTROL
(i) Clear Policies, Guidelines and Procedures
Written down guidelines, policy and procedure for the company’s various business
functions as appropriate, such as the staff administration and procurement.

Ensure the guidelines are understood by the staff concerned through briefing or
training. Update the policies, guidelines and procedures to suit the company’s
operation as necessary.

18
(ii) Segregation of duties
Segregate duties is an important business processes as far as practicable.
Ensure important processes performed by a single staff member are counter-
checked at random (or in full) and audited as resources permit.

(iii) Keeping of Records

Require the staff to keep proper record of the activities carried out and their
decisions.

19
(iv) Information Security
Make sure all staff are aware of the classification of the information they handle.
Define information access authorities and require staff to take measures to
protect the information in their possession (e.g. lock up documents or activate
personal password control in the computer).
Build in security safeguards to protect data and records in the computer system
(e.g. restriction on data amendments and access control).

20
(v) Supervision
Require managers or supervisors to make spot checks on the operations and
business transactions as appropriate to prevent and detect irregularities.

Establish an information management system whereby the staff are required to

report regularly the major business activities and trends to the senior management
and the board of directors, as appropriate, to facilitate monitoring.

21
(vi) Feedback Channels
Establish a user-friendly channel, promising confidentiality, for feedback from both
customers and staff on the activities or operations of the company.
Assign an independent staff member at the appropriate level to investigate into any
irregularities reported to ensure fairness.

(vii) Reporting of Suspected Corruption or Fraud

Report any suspected corruption to the appropriate authority and suspected
crime such as fraud to the Police.

22
 Limitations of Internal Control
✓ The costs of control not outweighing their benefits
✓ The potential human error
✓ Collusion between employees
✓ The possibility of controls being by-passed or override by management
✓ Controls being designed to cope with routine and not non –routine
transactions.
Note: Auditors concern is the Internal Control systems so as to comply with
standard of fieldwork.

23
REVIEW QUESTIONS
1. Boko Pumps is a newly set-up small company which manufactures pumps. The
company has software which records all inventory, purchases, sales and
accounting transactions. Sales orders are received through mail, fax or telephone.
The sales orders received are not monitored through the computer software. The
software can be used by authorized persons only. The dates of transactions are
only recorded in the format (MM/DD/YY) set by the software. The software has a
provision through which transactions cannot be cancelled. Transactions can be
cancelled only by recording journal entries.
Required:
With the help of examples, explain the types of control procedures which the
company must adopt so as to ensure good internal controls
2. Financial controls relate to controls in various areas, with aid of examples
explain at least five important areas of financial control
3. Explain the significance of internal financial control

24
4. Explain the objectives of internal control system
5. Explain the responsibilities of management, external auditors and internal auditors with
regard to internal control system (ICS)

25