Internal Control
Internal Control
1
Internal control are ;
- Policies
- Procedures
- Processes
- Practices
That help an organization to;
Safeguard its assets, ensure work is done in accordance with management’s wishes
and properly reflect transactions on its financial reports.
Internal control also can be defined as the process designed by management ,
those charged with governance and other personnel to provide reasonable
assurance in terms of the achievement of the entity’s objectives in terms of
reliability of financial reporting, effectiveness and efficiency of operational
and compliance with applicable laws and regulations.
2
➢It is a series of actions that implant entity’s activities.
3
SUMMARY OF THE AUDIT APPROACH
5
The main objectives of internal control
are:
1. To ensure the orderly and efficient conduct of business in respect of
systems being in place and fully implemented.
6
3. To ensure the timely preparation of financial information which applies to
statutory reporting (of year end accounts, for example) and also management
accounts, if appropriate, for the facilitation of effective management decision-
making.
7
5. To ensure the completeness and accuracy of accounting records. Ensuring
that all accounting transactions are fully and accurately recorded, that assets and
liabilities are correctly identified and valued, and that all costs and revenues can be
fully accounted for.
8
HOW TO DESIGN INTERNAL CONTROL
SYSTEM
9
Components/elements of Internal control
✓ The control environment
✓ Control activities
✓ The entity’s risk assessment process
✓ The information system relevant to financial reporting/ information and
communication.
✓ Monitoring of controls
10
Control environment
➢Is the framework within which controls operates.
It includes: the processes, and structures that provide the foundation for internal
control throughout the organization, include the tone at the top (general attitude
to the internal control of management and employees in the organization)
▪ Communication and enforcement of integrity and ethical values. Example
effectiveness of monitoring of controls
▪ Commitment to competence. Example considering competence level for a
particular job
▪ Participation by those charged with governance. Example extent of involvement
and inspection of activities.
▪ Management philosophy and operating style
▪ Organization structure
11
• A strong control environment is typical one where management shows a high level of commitment to
establishing and operating appropriate controls.
• The existence of a strong control environment cannot guarantee that controls are operating effectively, but it
is seen as a positive factor in the auditors risk assessment process. Without a strong control environment, the
control system as whole is likely to be weak.
In evaluating the control environment the auditor should consider the following;-
- Management participation in control process, including participation by the board of directors;
- Management’s commitment to a control culture
- The existence of an appropriate organization structure with clear divisions of authority and responsibility.
- An organization culture that expects ethically acceptable behavior from its managers and employees and
- Appropriate human resources policies, covering recruitment, training, development and motivation, which
reflect a commitment to qualify and competence in the organization.
12
The entity’s risk assessment process
Is the process od identifying risk to achieving objectives; analyzing potential events, considering events,
considering their likelihood of occurring and impact on achieving objectives; and deciding how to
respond to the risks.
How well the organization sets objectives to identify and manage risks e.g does the company assess
the risk of financial statement fraud?
The entity should have the process for identifying the business risk relevant to financial reporting
objectives, estimating the significance of risk, assessing the like hood of their occurrence and deciding
upon action to address those risk.
Risk assessment forms the basis for determining what risks need to be controlled and the controls
required to manage them.
Risk assessment involves
i) Risk identification
ii) Analyzing the key risk (likelihood and impact)
iii) Deciding how to respond to each risk. Risk responses are avoiding, reducing, transferring
(sharing), and accepting risk
13
Risks can rise or change due to circumstances such as ;-
- Changes in entities operating system
- New personnel
- New information system
- Rapid growth
- New technology
14
Information system relevant to financial
reporting
An information system consists of
- Infrastructure (physical and hardware components
- Software
- People
- Procedures
- Data
It has been established that effective internal control depends on high quality of
information.
Example
- -The accounting system should accurately record and present financial data
- - internal control responsibilities are communicated to employees through
policy manuals and by top management
15
Control Activities
➢These are policies and procedures that help ensure that management directives
are carried out or policies and procedures used to address risks.
➢Those activities designed to prevent or to detect and correct errors. Examples
activities relating to authorization, performance review, information
processing, physical controls and segregate on of duties.
16
Monitoring of Control
Refers to the assessment of the quality of internal control performance over time.
Can be
a) Ongoing monitoring occurs in the course of operations
b) Periodic monitoring includes tasks such as periodic internal audit and annual
reviews of high-risk business process.
The organization should evaluate the performance of its internal control
➢Is the process to assess the effectiveness of internal control performance over
time. It includes assessing the design and operation of controls on a timely basis
and taking necessary corrective actions modified for changes in conditions.
17
KEY ELEMENTS OF A GOOD
PRACTICE INTERNAL CONTROL
(i) Clear Policies, Guidelines and Procedures
Written down guidelines, policy and procedure for the company’s various business
functions as appropriate, such as the staff administration and procurement.
Ensure the guidelines are understood by the staff concerned through briefing or
training. Update the policies, guidelines and procedures to suit the company’s
operation as necessary.
18
(ii) Segregation of duties
Segregate duties is an important business processes as far as practicable.
Ensure important processes performed by a single staff member are counter-
checked at random (or in full) and audited as resources permit.
19
(iv) Information Security
Make sure all staff are aware of the classification of the information they handle.
Define information access authorities and require staff to take measures to
protect the information in their possession (e.g. lock up documents or activate
personal password control in the computer).
Build in security safeguards to protect data and records in the computer system
(e.g. restriction on data amendments and access control).
20
(v) Supervision
Require managers or supervisors to make spot checks on the operations and
business transactions as appropriate to prevent and detect irregularities.
21
(vi) Feedback Channels
Establish a user-friendly channel, promising confidentiality, for feedback from both
customers and staff on the activities or operations of the company.
Assign an independent staff member at the appropriate level to investigate into any
irregularities reported to ensure fairness.
22
Limitations of Internal Control
✓ The costs of control not outweighing their benefits
✓ The potential human error
✓ Collusion between employees
✓ The possibility of controls being by-passed or override by management
✓ Controls being designed to cope with routine and not non –routine
transactions.
Note: Auditors concern is the Internal Control systems so as to comply with
standard of fieldwork.
23
REVIEW QUESTIONS
1. Boko Pumps is a newly set-up small company which manufactures pumps. The
company has software which records all inventory, purchases, sales and
accounting transactions. Sales orders are received through mail, fax or telephone.
The sales orders received are not monitored through the computer software. The
software can be used by authorized persons only. The dates of transactions are
only recorded in the format (MM/DD/YY) set by the software. The software has a
provision through which transactions cannot be cancelled. Transactions can be
cancelled only by recording journal entries.
Required:
With the help of examples, explain the types of control procedures which the
company must adopt so as to ensure good internal controls
2. Financial controls relate to controls in various areas, with aid of examples
explain at least five important areas of financial control
3. Explain the significance of internal financial control
24
4. Explain the objectives of internal control system
5. Explain the responsibilities of management, external auditors and internal auditors with
regard to internal control system (ICS)
25