Internal Controls: Defined: in Accounting and Auditing Internal Control Is Defined As


INTERNAL CONTROLS: Defined

In accounting and auditing internal control is defined as:

A process designed, implemented & maintained by

• Those charged with governance, Management, Other personnel

To provide reasonable assurance

About achievement of entity’s objectives with regard to

• Reliability of Financial Reporting
• Compliance with laws and regulations
• Effectiveness & Efficiency of operations
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• The COSO defines internal control as “a process, effected by an
entity’s board of directors, management and other personnel,
designed to provide reasonable assurance of the achievement of
objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”
Internal Control is a Process
• It is a means to an end, not an end in itself. Business processes, which
are conducted within or across organization units or functions, are
managed through the management processes of planning, executing
and monitoring. It is a tool used by management, not a substitute for
management.
Internal Control Involves People
• It is not merely policy manuals and forms, but people at every level of
an organization
Internal Control Provides Reasonable Assurance
• No matter how well designed and operated, internal control can
provide only reasonable assurance to management and those
charged with governance regarding the achievement of an entity’s
objectives.
Internal Control is Geared Towards the Achievement of an Entity’s Objectives

Internal control is geared to the achievement of objectives in several overlapping categories.

• OPERATIONS: Efficiency and Effectiveness; Safeguarding of assets
• REPORTING: Reliability and timeliness of reporting; Accurate financial
and non-financial information
• COMPLIANCE: Laws; Regulation
What is an Internal Control System?
• An internal control system consists of all the policies and procedures
adopted by the management of an entity to assist in achieving
management’s objective of ensuring, as far as practicable, the orderly
and efficient conduct of its business, including adherence to
management policies, the safeguarding of assets, the prevention and
detection of fraud and error, the accuracy and completeness of the
accounting records, and the timely preparation of reliable financial
information.
Examples of Economic Decisions Made by
Users of Financial Statement
• Operations: Relating to effective and efficient use of the entity’s
resources. This pertains to effectiveness and efficiency of the entity’s
operations, including performance and profitability goals and safeguarding
resources against loss.
• Financial Reporting: Relating to preparation of reliable published financial
statements, including prevention of fraudulent public financial reporting.
• Compliance: Relating to the entity’s compliance with applicable
laws and regulations.
COMPONENTS OF INTERNAL CONTROL

• Control Environment
• Risk Assessment Process
• Control Activities
• Information System and Related Business Processes Relevant to
Financial Reporting and Communication
• Monitoring of Controls
Commitment to Competence
• Competence should reflect the knowledge and skills needed to
accomplish tasks that define the individual’s job. How well these tasks
need to be accomplished generally is a management decision which
should be made considering the entity's objectives and management
strategies and plans for achievement of the objectives.
• Commitment and competence are expressed through:
1. Formal and informal job descriptions or other means of defining tasks that
comprise particular jobs.
2. Analyses of the knowledge and skills needed to perform jobs adequately.
Participation by Those Charged with
Governance
• The control environment is influenced significantly by the entity’s
board of directors and audit committee. Factors include
• The board of directors’ or audit committee’s
• Independence from management
• Experience and stature of its members
• Extent of its involvement and scrutiny of activities and the appropriateness of
its actions.
Controls involving the Board of Directors or
Audit Committee include
1. Independence from management, such that necessary, even if difficult
and probing, questions are raised.
2. Frequency and timeliness with which meetings are held with chief
financial and/or accounting officers, internal officers, internal auditors
and external auditors.
3. Sufficiency and timeliness with which information is provided to board or
committee members, to allow monitoring of management’s objectives
and strategies, the entity’s financial position and operating results, and
terms of significant agreements.
4. Sufficiency and timeliness with which the board or audit committee is
apprised of sensitive information, investigations and improper acts of
officers.
Assignment of Authority and Responsibility
• This element pertains to how an organization assigns authority and
responsibility for operating activities and how reporting relationships
and authorization hierarchies are established.
• It also includes policies relating to appropriate business practices,
knowledge and experience of key personnel and resources to carry
out duties.
Human Resources
• Human resources practices send messages to employees regarding
expected levels of integrity, ethical behavior and competence. Such
practices relate to hiring, orientation, training, evaluating, counseling,
promoting, compensating and remedial actions.
Controls involving human resources policies
and practices include:
1. The extent to which policies and procedures for hiring, training,
promoting and compensating employees are in place.
2. Appropriateness of remedial action taken in response to departures
from approved policies and procedures.
3. Adequacy of employee candidate background checks, particularly
with regard to prior actions or activities considered to be
unacceptable by the entity.
4. Adequacy of employee retention and promotion criteria and
information-gathering techniques (e.g., performance evaluations)
and relation to the code of conduct or other behavioral guidelines.
Risk Analysis and Management
• After the entity has identified entity-wide and activity risks, a risk
analysis needs to be performed. The methodology for analyzing risks
can vary, largely because many risks are difficult to quantify.
Nonetheless, the process, which may be more or less formal, usually
includes:
1. Estimating the significance of a risk;
2. Assessing the likelihood (or frequency) of the risk occurring;
3. Considering how the risk should be managed.
Circumstances Demanding Special Attention
• Changes in operating environment: Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly
different risks.
• New personnel: New personnel may have a different focus on or understanding
of internal control.
• New or revamped information systems: Significant and rapid changes in
information systems can change the risks relating to internal control.
• Rapid growth: Significant and rapid expansion of operations can strain
controls and increase the risk associated with internal control.
• New technology: Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
• New business models, products or activities: Entering into business areas or
transactions with which an entity has little experience may introduce new
risk associated with internal control.
• Corporate restructurings: Restructurings may be accompanied by staff
reductions and changes in supervision and segregation of duties that may
change the risk associated with internal control.
• Expanded foreign operations: The expansion or acquisition of foreign
operations carries new and often unique risks that may affect internal control
(for example, additional or changed risks from foreign transactions).
• New accounting pronouncements: Adoption of new accounting principles or
changing accounting principles may affect risks in preparing financial
statements.
Control Activities
• are policies and procedures, which are the actions of people to
implement the policies, to help ensure that management directives
identified as necessary to address risks are carried out
• To help ensure that necessary actions are taken to address risks to
achievement of the entity’s objectives
• Include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance,
security of assets and segregation of duties.
Type of Control Activities
• Control activities can be divided into three categories, based on the
nature of the entity’s objectives to which they relate
• Operations
• Financial Reporting
• Compliance
The following are certain control activities commonly performed by
various personnel at various levels in organizations

1. Performance reviews. These include:
• Reviews and analyses of actual performance versus budgets, forecasts, and
prior period performance;
• Relating different sets of data – operating or financial – to one another,
together with analyses of the relationships and investigative and corrective
actions;
• Comparing internal data with external sources of information;
• Review of functional or activity performance, such as a bank’s consumer loan
manager’s review of reports by branch, region and loan type for loan
approvals and collections.
2. Information Processing – These controls are performed to check
accuracy, completeness and authorization of transactions. The two
broad groupings of information systems control activities are General
IT Controls and Application Controls.
General Controls
• Description: Policies and procedures that relate to many
applications and support the effective functioning
of application controls by helping to ensure the
continued proper operation of information
systems.
• Examples: Controls over data center and network operations;
system software acquisition, change and
maintenance; access security; application system
acquisition, development and maintenance.
Application Controls
• Description: Controls that apply to the processing of individual
applications. These controls help ensure that
transactions occurred, are authorized, and are
completely and accurately recorded and
processed.
• Examples: Checking the arithmetical accuracy of records,
maintaining and reviewing accounts and trial
balances, automated controls such as edit checks
of input data and numerical sequence checks, and
manual follow-up of exception reports.
3. Physical Controls – These activities encompass the physical security
of assets, including adequate safeguards such as:
• Secured facilities over access to assets and records;
• Authorization for access to computer programs and data files;
• Periodic counting and comparison with amounts shown on control
records (for example, comparing the results of cash, security and
inventory counts with accounting records).
4. Segregation of duties – Assigning different people the responsibilities
of authorizing transactions, recording transactions, and maintaining
custody of assets is intended to reduce the opportunities to allow any
person to be in a position to both perpetrate and conceal errors or
fraud in the normal course of the person’s duties. Examples of
segregation of duties include reporting, reviewing and approving
reconciliations, and approval and control of documents
Policies and Procedures
Control activities usually involve two elements:
• A policy establishing what should be done and serving as a basis for the
second element, procedures to implement the policy.
• Example: A policy might call for review of consumer trading activities by a
securities dealer retail branch manager. The procedure is the review itself,
performed in a timely manner and with attention given to factors set forth in
the policy, such as the nature and volume of securities traded, and their
relation to customer net worth and age.
Evaluation of Control Activities
• Control activities must be evaluated in the context of management
directives to address risks associated with established objectives for
each significant activity. An evaluator (e.g., an internal auditor or external
auditor) therefore will consider whether control activities relate to
the risk-assessment process and whether they are appropriate to
ensure that management’s directives are carried out.
Inherent Limitations of Internal Control
Internal control can provide only reasonable assurance that management’s objectives are
reached because of inherent limitations such as:
1. Management’s usual requirement that a control be cost effective, i.e., that the cost of a
control procedure not be disproportionate to the potential loss due to fraud or error.
2. The fact that most controls tend to be directed at anticipated types of transactions
and not at unusual transactions; potential for human error due to carelessness,
distraction, mistakes of judgement or the misunderstanding of instructions.
3. The possibility of circumvention of controls through collusion with parties outside the
entity or with employees of the entity.
4. The possibility that a person responsible for exercising control could abuse that
responsibility, for example a member of management overriding a control.
5. The possibility that procedures may become inadequate due to changes in conditions
and compliance with procedures may deteriorate.
Relevance of Controls to the Audit
• Auditors should consider that controls that are relevant to an audit
pertain to the entity’s objective of preparing financial statements for
external purposes that are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework and the
management of the risk of material misstatements in those financial
statements.
• It is a matter of the auditor’s professional judgement whether a
control, individually or in combination with others, is relevant to the
auditor’s considerations in assessing the risk of material misstatement
and designing and performing further procedures in response to
assessed risks.
Factors Considered in Determining the
Relevance of Controls to the Audit
1. The auditor’s judgment about materiality
2. The size of the entity
3. The nature of the entity’s business including its organization and
ownership characteristics.
4. The diversity and complexity of the entity’s operations
5. Applicable legal and regulatory requirements.
6. The nature and complexity of the systems that are part of the
entity’s internal control, including the use of service organizations.
