C HAPTER 4

INTERNAL CONTROL
THE MEANING OF INTERNAL CONTROL
• Internal control is a process effected by an entity board of
directors, management and other personnel.
• It is designed to provide reasonable assurance regarding the
achievement of objective in the following categories.
 Effectiveness and efficiency of operations
 Accuracy , reliability and timely preparation of financial reports
 Prevention and detection of fraud and error compliance with
internal policies and applicable laws and regulations
 Safeguarding of assets against unauthorized acquisition , use or
disposition.
• It includes the plans, policies and procedures adopted by the
management of an entity to assist in achieving managements
objective.
 OBJECTIVE OF INTERNAL CONTROL
• There are three broad objectives in designing an effective internal control
system.
1. Reliability of financial reporting : Management has both a legal and
professional responsibility to be sure that the information (financial
statement ) is fairly presented in accordance with reporting requirements
of accounting frameworks such as GAAP and IFRS.
2. Efficiency and effectiveness of operations: controls within a company
encourage efficient and effective use of its resource to optimize the
companies goals.
 An important objective of these controls is accurate financial and non
financial information about the company's operations for decision-making.
3. Compliance with laws and regulations
 MANAGEMENT AND AUDITORS RESPONSIBILITIES
FOR INTERNAL CONTROL
• Management is responsible for establishing and maintain the entity internal
controls.
• In contrast the auditors responsibilities included understanding and testing
internal control over financial reporting
Management responsibility for establishing internal control
 Two key concepts underlie managements design and implementation of
internal control , reasonable assurance and inherent limitations.
 Reasonable Assurance : A company should develop internal controls that
provide reasonable , but not absolute , assurance that the financial statements
are fairly stated.
 After considering both the costs and benefits of the controls, management
develops internal controls.
 The concept of reasonable assurance allows for only a remote likelihood that
material misstatements will no be prevented or detected on a timely basis by
internal control.
 MANAGEMENT AND AUDITORS RESPONSIBILITIES
FOR INTERNAL CONTROL
• Inherent limitations: internal controls can never be completely
effective, regard less of the care followed in their design and
implementation.
• Even if management can design an ideal system its effectiveness
depends on the competency and depending on the ability of the
people using it.
• Assume , for example that a carefully developed procedure for
counting inventory requires two employees to count
independently.
• The employees might decide to overstate the counts to
intentionally cover up a theft of inventory by one or both of them.
An act of two or more employees who conspire to steal assets or
misstate records is called collusion.
 MANAGEMENT AND AUDITORS RESPONSIBILITIES
FOR INTERNAL CONTROL

• Managements assessment of internal control over financial

reporting are evaluating the design of internal control over
financial reporting and testing the operating effectiveness of
those controls.
• In designing of internal control management evaluate how
transactions are initiated, authorized, recorded, processed, and
reported to identify points in the flow of transactions where
material misstatements due to error or fraud could occur.
• The testing objective is to determine whether the controls are
operating as designed and whether the person performing the
control possesses the necessary authority and qualifications to
perform the control effectively.
 AUDITORS RESPONSIBILITIES FOR UNDERSTANDING
INTERNAL CONTROL
• The second GAAS field work standard states the auditor must obtain a
sufficient understanding of the entity and its environment, including its
internal control.
• The auditor obtains the understanding of internal control to assess control risk
in every audit.
• Auditors are primarily concerned about controls over the reliability of financial
reporting and controls over classes of transactions.
• Controls over the reliability of financial reporting: financial statements are not
likely to correctly relate GAAP or IFRS if internal control over financial reporting
are inadequate.
• Auditors deals with controls affecting internal management to run the business
and can be important source of evidence that help the auditor decide
whether the financial statements are fairly presented.
• In addition, auditors concerned with the clients internal control over the
safeguarding of assets and compliance with laws and regulations if they affect
the fairness of the financial statement.
 AUDITORS RESPONSIBILITIES FOR UNDERSTANDING INTERNAL
CONTROL
• Controls over classes of transaction: Auditors emphasize internal
control over classes of transactions rather than account balances
because the accuracy of accounting system outputs(account
balance) depends heavily on the accuracy of inputs and processing
( transaction)
• For example, if products sold units shipped or unit-selling price are
wrong in billing customers for sales, both sales and accounts
receivable will be misstated.
• Because of the emphasis on classes of transaction , auditors are
primarily concerned with the transaction-related audit objectives.
• Event though auditors emphasize transaction-related controls
The auditor must also gain an understanding of controls over ending
account balance and presentation and disclosure objective
 COMPONENTS OF INTERNAL CONTROL

• A company's internal control structure consists of five components:

1. The control environment
2. Risk assessment
3. The accounting information and communication system
4. Control activities
5. Monitoring
 1. COMPONENTS OF INTERNAL CONTROL THE CONTROL
ENVIRONMENT

1. The control environment consists of the actions, policies, and

procedures that reflect the overall attitudes of top management,
directors and owners of an entity about internal control and its
importance to the entity.
• The control environment serves as the umbrella for the other four
components.
• Without an effective control environment the other four are
unlikely to result in effective internal control, regardless of their
quality.
• The essence of an effectively controlled organization lies in the
attitude of its management
• If top management believes that control is important other in the
organization will sense this commitment and respond by
conscientiously observing the controls established.
 1. COMPONENTS OF INTERNAL CONTROL THE
CONTROL ENVIRONMENT
• To understand and asses the control environment auditors should consider the
most important control subcomponents.
a) Integrity and ethical values: Management should establish behavioural and
ethical standards that discourage employees from engaging in acts that would
be considered dishonest, unethical or illegal.
b) Commitment to competence : management should insure that employee
possess the skill and knowledge to the performance of their jobs.
c) Board of directors or audit committee : The control environment of an
organization is significantly influenced by the effectiveness of its board of
director or the audit committee.
d) Management philosophy and operating style: Managers differ in both their
philosophies towards financial reporting and their attitudes in taking business
risks.
 e ) Organizational structure :
a well designed organizational structure provide a basis
for planning, directing and controlling operations.
f) Human resource policies and procedure:
Managements policies for hiring, training, evaluating,
promotion and compensating employee have a
significant effect on the effectiveness of the control
environment .
g) Assignment of authority and responsibility:
personnel within an organization need to have a clear
understanding of their responsibilities and the rules and
regulations that governs their action .
 2. COMPONENT OF INTERNAL
CONTROL- RISK ASSESSMENT
• Risk assessment for financial reporting is managements identification and
analysis of risk relevant to the preparation of financial statements in conformity
with appropriate accounting standards.
• Once management identifies a risk it estimates the significance of that risk
assesses the likelihood risk occurring and develops specific actions that need to
be taken to reduce the risk to an acceptable level.
• Management assesses risks as part as a part of designing and operating internal
controls to minimize errors and fraud where as auditors assess risk to decide
the evidence needed in the audit.
• If management effectively assesses and respond to risks, the auditor will
typically accumulate less evidence than when management fails to identify or
respond to significant risks.
• Auditors obtain knowledge about managements risk assessment process using
questionnaires and discussions with management.
 3.Component of internal control-control activity
• Control activity are the policies and procedures.
• It help to ensure that necessary actions are taken to address risks to the
achievement of the entity's objectives. The control activities generally fall into
the following five types:
1. Adequate separation of duties: four general guidelines for adequate a
separation of duties to prevent both fraud and errors are especially significant
for audits.
a) Separation of the custody of assets from accounting to protect company
from embezzlement
b) Separation of the authorization of transactions from the custody of related
assets.
c) Separation of operational responsibility from record-Keeping responsibility:
For example , if a department or division oversees the creation of its own
records and reports, it might change the result to improve it reported
performance.
d) Separation of IT duties from user department
 Component of internal control-control activity
2. Proper authorization of transactions and activities:
Authorization can be either general or specific
 Under general authorization, management establish policies and
subordinates are interested to implement theses general authorizations
by approving all transactions within the limits set by the policy
 General authorization decisions include the issuance of fixed price lists
for the sale of products, credit limits for customer , and fixed reorder
points for making acquisitions.
 Specific authorization applies to individual transactions
 The distinction between authorization and approval is also important
 Authorization is a policy decision for either a general class of
transactions or specific transactions.
 Approval is the implementation of managements general authorization
decisions.
 Component of internal control-control activity
3. Adequate Documentations and Records : Document and records
are the record upon which transactions are entered and
summarized.
 Pre- numbered consecutively to facilitate control over missing
documents and records and as an aid in locating them when they
are needed at a later date.
4. Physical control over assets and records: if records are not
adequately protected they can be stolen, damaged, altered, or
lost which can seriously disrupt the accounting process and
business operations.
5. Independent checks on performance: the need for independent
checks arises because internal control tend to change over time
unless there is frequent review.
 4.Component of internal control information and communication
• The purpose is to initiate, record, process, and report the entity's transactions
and to maintain accountability for the related assets.
• To understand the design of the accounting information system the auditor
determines.
• The major classes of transactions of the entity
• How those transactions are initiated and recorded
• What accounting records exist and their nature
• How the system captures other events that are significant to the financial
statements such a decline in asset value
• The nature and details of the financial reporting process followed including
procedures to enter transactions and adjustments in the general ledger.
5.Component of internal control- monitoring
• Monitoring activity deal with ongoing or periodic assessment of the quality of
internal control by management to determine that controls are operating as
intended and that they are modified as appropriate for changes in conditions.
 The use of internal control system by auditors
• Auditors shall :
• Assess the adequacy of the accounting system as a basis
for preparing the account.
• Identify the types of potential misstatements that could
occur in the accounts
• Consider factors that affect the risk of misstatements
• Design appropriate audit procedures
 Internal controls and control risk
• Internal control are all the policies and procedures that a
company use to prevent , detect, and correct errors
irregularities, and frauds that might get in to financial
statements.
• Control risk is the probability that a company controls
will fail to detect errors, irregularities, and fraud
• The auditors task is to assess the control risk associated
with the control procedure designed and implemented
for the period under audit.
• The auditor as to see what internal control system exists
in the client and then check whether the system is
operating properly as designed.
 Internal audit and internal control
• Internal audit is a means of management control mechanism
established internally and arising out of the need for
verification.
• In addition, is part of the internal control system in an
organization , which is responsible for evaluating and
commenting on the effectiveness of the internal control system.
• There are two forms of internal auditing
• These are pre audit and post audit
• The pre-audit is the examination of transactions before payment
is affected. It is a more traditional audit function.
• Post-audit presents after the fact examination and is a more
recent one.
 Internal audit and internal control
• The purposes of pre-audit are to provide reasonable assurance that:
• Expenditures are not unreasonable or extravagant
• Sufficient funds are available to enable payments of the invoice and
• There has been compliance with government proclamations, regulation
and directive procedural and budgetary requirements.
• Post –audit is conducted to achieve the following objectives:
• To verify the accounting records
• To review the internal control system
• To evaluate the efficiency effectiveness and economy of operations and
• To evaluate if management objective are achieved.
• The basic limitation of the post –audit is that it concentrate on detection
of fraud and error rather than preventing their occurrence.
 Limitations of internal control
• All internal control system are subject to three major inherent
limitations:
• Human factors: An employee through misunderstanding of
instructions, carelessness, fatigue, absenteeism, deliberate
circumvention, or overriding specific controls can impair the
effectiveness specific controls. In short , incompetent and or
dishonest people can reduce the system to a shamble.
• Scope of controls: controls may not encompass all transactions that
is non-routine transactions and extraordinary events may not be
covered.
• Business environment : Changed conditions may necessitate major
modifications in the control structure.
• Thus, there is always some level of control risk but detection risk
can be reduced when there is an effective internal control structure.