CHAPTER 13

O V E RV I E W O F I N T E R N A L C O N T R O L
TOPIC 1: NATURE AND PURPOSE OF
INTERNAL CONTROL
First what is Internal Control?
The process designed and effected by those
charged with governance, management and
other personnel to provide reasonable assurance
about the achievement of the entity’s objectives
with regard to reliability of financial reporting,
effectiveness and efficiency of operations and
compliance with applicable laws and
regulations.
Nature and Purpose of Internal
Control
Internal control is designed and
implemented to address identified
business risks that threaten the
achievement of any of these objectives.
Which is categorized as follows:

• Reliability of the entity's financial

reporting
• Effectiveness and efficiency of
operations
• Compliance with applicable laws and
regulations
TOPIC 2: INTERNAL CONTROL
SYSTEM DEFINED
 Internal Control System
All the policies and procedures (internal
controls adopted by the management of
an entity to assist in achieving
management’s objective of ensuring, as
far as practicable, the orderly and
efficient conduct of its business,
including adherence to management
policies, the safeguarding of assets, the
prevention and detection of fraud and
error, the accuracy and completeness of
the accounting records, and the timely
preparation of reliable financial
information.
 Did you know?
• Internal control structures vary significantly
from one company to the next.
• Factors such as size of the business, nature of
operations, the geographical dispersion of its
activities, and objectives of the organization
affect the specific control features of an
organization.
TOPIC 3: ELEMENTS OF
INTERNAL CONTROL
 Elements of Internal Control
Certain elements or features must be
present to have a satisfactory system of
control in almost any large scale
organization.

a. the control environment;

b. the entity's risk assessment process;
c. the information system, including
the related business processes,
relevant to financial reporting. and
communication;
d. control activities;
e. monitoring of controls.
 A. Control Environment
The overall attitude, awareness and
actions of directors and management
regarding the internal control system
and its importance in the entity. The
control environment has an effect on
the effectiveness of the specific control
procedures. However, a strong
environment does not, by itself, ensure
the effectiveness of the internal control
system.
Factors reflected in the Control
Environment
• The function of the board of
directors and its committees;
• Management's philosophy and
operating style;
• The entity's organizational structure
and methods of assigning authority
and responsibility;
• Management’s control system
including the internal audit function,
personnel policies and procedures
and segregation of duties.
 Several Factors comprise the Control
Environment
1. Communication and Enforcement of
Integrity and Ethical Values
• Integrity and ethical values are essential elements of
the internal control environment. They affect the
design, administration, and monitoring of other
components of internal control. An entity's ethical
and behavioral standards and the manner in which it
communicates and reinforces them determine the
entity's integrity and ethical behavior. Integrity and
ethical values include management's actions to
remove or reduce incentives and temptations that
might prompt personnel to engage in dishonest,
illegal, or unethical acts.
 Several Factors comprise the Control
Environment
2. Commitment to Competence
Competence is the knowledge and skills necessary to
accomplish tasks that define an employee's job.
Commitment to competence means that management
considers the competence levels for particular jobs in
determining the skills and knowledge required of each
employee and that it hires employees competent to
perform the tasks.
 Several Factors comprise the Control
Environment
3. Participation by those Charged with
Governance
An entity's control consciousness is influenced significantly by
those charged with governance. Attributes of those charged with
governance include independence from management, their
experience and stature, the extent of their involvement and scrutiny
of activities, the appropriateness of their actions, the information
they receive, the degree to which difficult questions are raised and
pursued with management, and their interaction with internal and
external auditors. The importance of responsibilities of those
charged with governance is recognized in codes of practice and
other regulations or guidance produced for the benefit of those
charged with governance. Other responsibilities of those charged
with governance include oversight of the design and effective
operation of whistle blower procedures and the process for
reviewing the effectiveness of the entity’s internal control.
 Several Factors comprise the Control
Env1ironment
\ and Operating
4. Management's Philosophy
Style
This refers to management's attitude towards (a) business risk, (b)
financial reporting, (c) meeting budget, profit and other established
goals which all have impact on the reliability of the financial
statements. Management's approach to talking and monitoring
business risks, its conservative or aggressive selection from
alternative accounting principles, its conscientiousness and
conservatism in developing accounting estimates, and its attitude
toward information processing and the accounting function and
personnel are factors that affect the control environment.
 Several Factors comprise the Control
Environment
5. Organizational Structure
The responsibilities and authorities of the various personnel within
the organization should be established in such a manner as to (1)
assist the entity in meeting its goals and objectives and (2) ensure
that transactions are processed, recorded, summarized and reported
in an accurate and timely manner. Organizational structure
provides the overall framework for planning, directing and
controlling operations.
 Several Factors comprise the Control
Environment
6. Assignment of Authority and Responsibility
Personnel within an organization need to have a clear
understanding of their responsibilities and the rules and regulations
that govern their actions. Management may develop job
descriptions, computer system documentation. It may also establish
policies regarding acceptable business practice, conflicts of interest
and code of conduct.
 Several Factors comprise the Control
Environment
7. Human Resources Policies and Procedures
Perhaps the most important element of an internal accounting
control system is the people who perform and execute the
established policies and procedures. Personnel policies should be
adopted by the client to reasonably ensure that only capable and
honest persons are hired and retained. Policies with respect to
employee selection, training, and supervision should be adopted
and implemented by the client. The selection of competent and
honest personnel does not automatically assure that errors or
irregularities will not occur. However, adequate personnel policies,
coupled with the design concepts suggested earlier in the section,
enhance the likelihood that the client's policies and procedures will
be followed.
 What is Risk Assessment?
The "identification, analysis, and management
of risks pertaining to the preparation of financial
statements". For example risk assessment may
focus on how the entity considers the possibility
of transactions not being recorded or Identifies
and assesses significant estimates recorded in
the financial statements.
 B. Entity’s Risk Assessment
Process
An entity's risk assessment process is its
process for identifying and responding
to business risks and the results thereof.
For financial reporting purposes, the
entity's risk assessment process includes
how management identifies risks
relevant to the preparation of financial
statements that are presented fairly, in
all material respects in accordance with
the entity's applicable financial
reporting framework, estimates their
significance, assesses the likelihood of
their occurrence, and decides upon
actions to manage them.
 B. Entity’s Risk Assessment
Process
Risks relevant to financial reporting include
external and internal events and
circumstances that may occur and adversely
affect an entity's ability to initiate, record,
process, and report financial data consistent
with the assertions of management in the
financial statements. Once risks are
identified, management considers their
significance, the likelihood of their
occurrence, and how they should be
managed. Management may initiate plans,
programs, or actions to address specific
risks or it may decide to accept a risk
because of cost or other considerations.
 Risk can arise or change due to
circumstances
• Changes in operating environment. Changes in the
regulatory or operating environment can result in
changes in competitive pressures and significantly
different risks.
• New personnel. New personnel may have a
different focus on or understanding of internal
control.
• New or revamped information systems. Significant
and rapid changes in information systems can
change the risk relating to internal control.
• Rapid growth. Significant and rapid expansion of
operations can strain controls and increase the risk
of a breakdown in controls.
 Risk can arise or change due to
circumstances
• New technology. Incorporating new technologies
into production processes or information systems
may change the risk associated with internal
control.
• New business models, products, or activities.
Entering into business areas or transactions with
which an entity has little experience may introduce
new risks associated with internal control.
• Corporate restructurings. Restructurings may be
accompanied by staff reductions and changes in
supervision and segregation of duties that may
change the risk associated with internal control.
 Risk can arise or change due to
circumstances
• Expanded foreign operations. The expansion or
acquisition of foreign operations carries new and
often unique risks that may affect internal control,
for example, additional or changed risks from
foreign currency transactions.
• New accounting pronouncements. Adoption of new
accounting principles or changing accounting
principles may affect risks in preparing financial
statements.
 Considerations Specific to
Smaller Entities
Many small entities are carried out
entirely by the engagement partner
(who may be a sole practitioner). In
such situations, it is the engagement
partner who, having personally
conducted the planning of the audit,
would be responsible for considering
the susceptibility of the entity's
financial statements to material
misstatement due to fraud and error.
C. Information System, including
the Business Processes, Relevant
to Financial Reporting and
Communication
An information system consists of
infrastructure (physical and hardware
components), software, people,
procedures, and data. Infrastructure and
software will be absent, or have less
significance, in systems that are
exclusively or primarily manual. Many
information systems make extensive
use of IT.
 The information system relevant to financial reporting
objectives, which includes the accounting system,
consists of the procedures and records designed and
established to:
• Initiate, record, process, and report entity
transactions (as well as events and conditions) and
to maintain accountability for the related assets,
liabilities, and equity;
• Resolve incorrect processing of transactions, for
example, automated suspense files and procedures
followed to clear suspense items out on a timely
basis;
• Process and account for system overrides or by
passes to controls;
• Transfer information from transaction processing
systems to the general ledger;
 The information system relevant to financial reporting
objectives, which includes the accounting system,
consists of the procedures and records designed and
established to:
• Capture information relevant to financial reporting
for events and conditions other than transactions,
such as the depreciation and amortization of assets
and changes in the recoverability of accounts
receivables; and
• Ensure information required to be disclosed by the
applicable financial reporting framework is
accumulated, recorded, processed, summarized and
appropriately reported in the financial statements.
 Journal Entries
An entity's information system typically
incudes the use of standard journal
entries that are required on a recurring
basis to record transactions.

An entity’s financial reporting process

also includes the use of non- standard
journal entries to record non-recurring.
unusual transactions or adjustments.
When automated procedures are used to
maintain the general ledger and prepare
financial statements, such entries may
exist only in electronic form and may
therefore be more easily identified
through the use or computer-assisted
audit techniques.
 Related Business Processes

An entity's business processes are the

activities designed to:
• Develop, purchase, produce, sell and
distribute an entity's products and
services;
• Ensure compliance with laws and
regulations; and
• Record information, including
accounting and financial reporting
information.
 Business processes

Result in the transactions that are

recorded, processed and reported by the
information system. Obtaining an
understanding of the entity's business
processes, which include how
transactions are originated, assists the
auditor obtain an understanding of the
entity’s information system relevant to
financial reporting in a manner that is
appropriate to the entity's
circumstances.
Accordingly, an information
system encompasses methods
and records that:
• Identify and record all valid
transactions.
• Describe on a timely basis the
transactions in sufficient detail to
permit proper classification of
transactions for financial reporting.
• Measure the value or transactions in
a manner that permits recording their
proper monetary value in the
financial statements.
Accordingly, an information
system encompasses methods
and records that:
• Determine the time period in which
transactions occurred to permit
recording of transactions in the
proper accounting period.
• Present properly the transactions and
related disclosures in the financial
statements.
 Application to Small Entities
Information systems and related
business processes relevant to financial
reporting in small entities are likely to
be less formal than in larger entities but
their role is just as significant. Small
entities with active management
involvement may not need extensive
descriptions of accounting procedures,
sophisticated accounting records, or
written policies. Communication may
be less formal and easier to achieve in a
small entity than in a larger entity due
to the small entity's size and fewer
levels as well as management's greater
visibility and availability.
 D. Control Activities

Control activities are the policies and

procedures that help ensure that
management directives are carried out,
for example, that necessary actions are
taken to address risks that threaten the
achievement of the entity's objectives.
Control activities, whether within IT or
manual systems, have various
objectives and are applied at various
organizational and functional levels.
The major categories of control
procedures are:

A. Performance Review

B. Information Processing Controls

1. Proper authorization of transactions
and activities
2. Segregation of duties
3. Adequate documents and records
4. Safeguards over access to assets;
and
5. Independent checks on performance

C. Physical controls
 A. Performance Review
In a performance review management uses accounting
and operating data to assess performance, and it then
takes corrective action. Such reviews include:
• comparing actual performance (or operating
results) with budgets, forecasts, prior period
performance, or competitors’ data or tracking major
initiatives such as cost-containment or cost-
reduction programs to measure the extent to which
targets are being met.
• investigating performance indicators based on
operating or financial data, such as quantity or
purchase price variances or the percentage of
returns to total orders.
• reviewing functional or activity performance, such
as relating the performance of a manager
responsible for a bank’s consumer loans with some
 A. Performance Review

Personnel at various levels in an organization may

make performance reviews. Performance reviews may
be used by managers for the sole purpose of making
operating decisions. For example, managers may
analyze performance data and base operating
decisions on them because the data are consistent with
their expectations. This type of review improves the
reliability of the data. However, when managers
follow up on unexpected results determined by a
financial reporting system, performance reviews
become a useful control over financial reporting.
 B. Information Processing Controls
Information processing controls are policies and
procedures designed to require authorization of
transactions and to ensure the accuracy and
completeness of transaction processing. Control
activities may be classified according to the scope of
the system they affect. General controls are control
activities that prevent or detect errors or irregularities
for all accounting systems. General controls affect all
transaction cycles and apply to information processing
as a center, hardware and systems software acquisition
and maintenance, and backup and recovery
procedures. Application controls are controls that
pertain to the processing of a specific type of
transaction, such a payroll, or sales and collections.
These controls help ensure that transactions occurred,
are authorized, and are completely and accurately
 Internal controls relating to the accounting system are
concerned with achieving objectives such as:
• Transactions are executed in accordance with
management’s general or specific authorization.
• All transactions and other events are promptly
recorded in the correct amount, in the appropriate
accounts and in the proper accounting period so as
to permit preparation of financial statements in
accordance with an identified financial reporting
framework.
• Access to assets and records is permitted only in
accordance with management’s authorization.
• Recorded assets are compared with the existing
assets at reasonable intervals and appropriate action
is taken regarding any differences.
Control activities related to the processing of
transactions may be grouped as follows: (1)
proper authorization, (2) design and use of
adequate documents and records, and (3)
independent checks on performance.
 1. Proper authorization of transactions and activities
As suggested earlier, authorization for the execution
of transactions flows from the stockholders to
management and its subordinates. Before a transaction
is entered into with another party, certain conditions
must usually be met. As part of the evaluation of the
potential transaction, documentation will be created.
The auditor uses this documentation to determine
whether business transactions are properly authorized.
For example, the purchase of inventory may create a
purchase order, a receiving report, and a vendor
invoice. By inspecting these documents and
comparing them with company policy, the auditor
may be reasonably satisfied that a business transaction
was authorized and executed in a manner consistent
with company policy.
 2. Segregation of duties

An important element in designing an internal

accounting control system that safeguards assets and
reasonably ensures the reliability of the accounting
records is the concept of segregation of
responsibilities. No one person should be assigned
duties that would allow that person to commit an error
or perpetuate fraud and to conceal the error or fraud.
For example, the same person should not be
responsible for recording the cash received on account
and for posting the receipts to the accounting records.
 3. Adequate documents and records
The use of adequate documents and records allow the company to obtain
reasonable assurance that all valid transactions have been recorded.

4. Access To assets
The resources of a client can be protected by the
establishment of physical barriers and appropriate policies.
For example, inventories may be kept in a storeroom, or
negotiable instruments may be placed in a safe deposit box.
Appropriate company policies are adopted so that only
authorized persons have access to company resources.
Safeguarding of assets is more than establishing physical
barriers. A client should design its internal accounting control
system so that documents authorizing the movement of assets
into an organization or out of an organization are adequately
controlled.
 5. Independent checks on performance

The objective of a well-designed internal accounting

control system is the adoption of procedures that
periodically compare the actual asset with its recorded
balance. Regardless of the effectiveness of an internal
control system, some transactions may not be
accurately recorded, and some assets may be
misappropriated. An important part of an internal
accounting control system is to determine the
effectiveness of recording policies and asset access
policies. This is accomplished by periodic counts of
assets by the client and comparing the counts to the
balances in the general ledger account. Examples are
the count of inventory and the preparation of monthly
bank reconciliation.
 C. Physical Controls

Controls that encompass:

• The physical security of assets, including adequate

safeguards such as secured facilities over access to
assets and records.
• The authorization for access to computer programs
and data files.
• The periodic counting and comparison with
amounts shown on control records (For example,
comparing the results of cash, security and
Inventory counts with accounting records).
 C. Physical Controls

The extent to which physical controls intended to

prevent theft of assets are relevant to the reliability of
financial statement preparation, and therefore the
audit, depends on circumstances such as when assets
are highly susceptible to misappropriation.

The concepts underlying control activities in small

entities are likely to be similar to those in larger
entities, but the formality with which they operate
varies. Further, small entities may find that certain
types of control activities are not relevant because of
controls applied by management.
E. Monitoring of Controls
Monitoring, the final component of internal
control, is the process that an entity uses to
assess the quality of internal control over
time. Monitoring involves assessing the
design and operation of controls on a
timely basis and taking corrective action as
necessary. Management monitors controls
to consider whether they are operating as
intended and to modify them as appropriate
for changes in conditions. In many entities,
internal auditors evaluate the design and
operation of internal control and
communicate information about strengths
and weaknesses and recommendations for
improving internal control.
 E. Monitoring of Controls
Some monitoring activities may include
communications from external parties. For
example, customers implicitly corroborate
sales data by paying their bills or raising
questions. Also, bank regulators, other
regulators, and outside auditors may
communicate about the design or effectiveness
of internal control.

Monitoring activities may include using

information from communications from
external parties that may indicate problems are
highlight areas in need of improvement.
Customers implicitly corroborate billing data
by paying their invoices or complaining about
their charges. In addition, regulators may
communicate with the entity concerning
matters that affect the functioning of internal
 Application to Small Entities

Ongoing monitoring activities of small entities are

more likely to be informal and are typically performed
as a part of the overall management of the entity's
operations. Management's close involvement in
operations often will identity significant variances
from expectations and inaccuracies in financial data
leading to corrective action to the control.
THANK YOU FOR LISTENING