Auditing - Internal Control
Lecture
Internal Control
SERVICE EXCELLENCE
Introduction
The auditor must understand the accounting
system and control environment in order to
determine the audit approach.
Definitions
‘Internal control is the process designed and
effected by those charged with governance,
management, and other personnel to provide
reasonable assurance about the achievement of
the entity’s objectives with regard to reliability
of financial reporting, effectiveness and
efficiency of operations and compliance with
applicable laws and regulations’. ISA 315
Definitions
Internal controls include all policies and
procedures adopted by the directors and
management of an entity to assist in their
objective of achieving, as far as possible, the
orderly and efficient conduct of the business,
including adherence to internal policies,
safeguarding of assets, the prevention and detection
of fraud and error, the accuracy and
completeness of accounting records and the timely
preparation of reliable financial statements.
Objectives of Internal Controls
Internal Controls are instituted in order to
ensure:
The reliability and integrity of information
Compliance with policies
The safeguarding of assets
The economical and efficient use of
resources
The accomplishment of established
objectives and goals for operations and
programmes
Elements of internal controls
Internal control has five elements:
The control environment
The entity’s risk assessment process
The information system relevant to
financial reporting
Control activities
Monitoring of controls
Control Environment
The control environment is the framework within which
controls operate. It is very much determined by the
management of a business.
It includes the governance and management functions and
the attitudes, awareness and actions of those charged with
governance and management concerning the entity’s
internal control and its importance in the entity.
A strong control environment does not, by itself, ensure
the effectiveness of the overall internal control system,
but can be a positive factor when assessing the risks of
material misstatement. A weak control environment can
undermine the effectiveness of controls.
Elements of Control Environment
Communication and enforcement of integrity
and ethical values.
Commitment to competence
Participation by those charged with governance
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Entity’s Risk Assessment Process
ISA 315 says the auditor shall obtain an
understanding of whether the entity has a process
for:
Identifying business risks relevant to financial
reporting objectives.
Estimating the significance of the risks
Assessing the likelihood of their occurrence
Deciding upon actions to address those risks
Information system relevant to Financial
reporting
This is a component of internal control that includes the
financial reporting system, and consists of the
procedures established for initiating, recording,
processing and reporting on the entity’s transactions and
to maintain accountability for related assets, liabilities
and equity. It includes:
Classification of the entity’s transactions
How procedures within both IT and manual systems
are initiated
Related accounting records
Controls surrounding journal entries
Control Activities
These are the policies and procedures that help
ensure that management directives are carried out.
Control activities include those activities designed
to prevent or detect and correct errors. They
include activities relating to authorization,
performance reviews, information processing,
physical controls and segregation of duties.
Examples are approval and control of documents,
controls over computerized application, checking
arithmetical accuracy of records, etc.
Monitoring of Controls
This is a process for assessing the
effectiveness of internal control performance
over time. It includes assessing the design and
operating effectiveness of controls on a timely
basis and taking the necessary corrective
actions or modifying controls in reaction to
changes in conditions.
Limitations of accounting and control
systems
Any internal control system can only provide the directors
with reasonable assurance that their objectives would be
met because of their inherent limitations. These include:
The costs of control not outweighing their benefits
The potential for human error (key)
Collusion between employees
The possibility of controls being by-passed or
overridden by management
Controls being designed to cope with routine and not
non-routine transactions
Recording accounting and control
systems
The auditor must keep a record of the client’s
internal control systems which must be
updated each year. This can be done through
the use of narrative notes, flowcharts,
questionnaires or checklists.
Narrative notes
The purpose of narrative notes is to describe and explain the
system, while making comments or criticism which will help to
demonstrate an intelligent understanding of the system.
Advantages
Simple to record and understand
Flexible method and can be used for any system
Editing is easy when computerized
Disadvantages
Time consuming compared to flowcharts
Awkward to update if kept manually
Difficult to identify missing controls
Flowcharts
Flowcharts can take many forms but are generally graphic illustrations of the
physical flow of information through the accounting system. Flow lines
represent the sequence of processes, and other symbols represent the
inputs and outputs to a process.
Visit http://www.rff.com/flowcharts_samples.htm
Advantages
Can be prepared easily after a little experience
Fairly easy to follow and review
System is recorded in its entirety from start to end
Eliminate the need for extensive narrative
Disadvantages
Suitable for standard systems
Amendment is difficult without redrawing
Time is spent on areas that are of no audit significance
Internal Control Questionnaires (ICQ)
The major question which internal control questionnaires
are designed to answer is ‘How good is the system of
controls?’
Although many different forms of ICQs exist in practice,
they all conform to the following basic principles.
They comprise a list of questions designed to determine
whether desirable controls are present.
Formulated to cover each of the major transaction cycles.
An ICQ is meant to evaluate the system as well as record it.
Example: Are purchase invoices checked with GRN before
being passed for payment? YES/NO/Comments
ICQ example on Goods inward
Are supplies examined on arrival as to quantity
and quality?
Is the examination of supplies evidenced in some
way?
Are receipts from suppliers recorded: perhaps
by means of goods inwards notes?
Are receipt records prepared by a person
independent of those responsible for:
Ordering function?
The processing and recording of invoices?
Internal Control Evaluation Questionnaire
(ICEQ)
ICEQs are concerned with assessing whether specific errors (or
frauds) are possible.
They concentrate on significant errors or omissions that could
occur at each phase of the appropriate cycle if controls are weak.
Examples on purchases include:
Is there reasonable assurance that:
Goods or services could not be received without a liability
being recorded?
Receipt of goods or services is required in order to establish a
liability?
A liability will be recorded:
Only for authorized items
Advantages and disadvantages of ICEQs
Advantages
Can ensure all controls are considered
Quick to prepare
Easy to use and control
Easier to apply to a variety of systems than ICQs
Identify key controls
Highlight deficiencies
Disadvantages
Can be drafted vaguely, hence misunderstood
May contain irrelevant controls
May not include unusual controls
May overstate controls
Checklists
Checklists may be used instead of questionnaires to
document and evaluate the internal control system.
The difference is that instead of asking questions,
statements are made to ‘mark off’ and tick boxes
are used to indicate where the statement holds true.
Example:
‘Supplies are examined on arrival as to quantity
and quality’. Tick Cross out
Checklists share many advantages and
disadvantages of ICQs and ICEQs
Types of Internal Control
Preventive Controls: These aim to deter
undesirable events from occurring.
Detective Controls: These aim to detect
undesirable events which have occurred.
Corrective Controls: These aim to remedy any
undesirable event that has occurred.
IC Measures and Procedures
S – Segregation of Duties
O – Organisation
A – Authorization
P – Physical
S – Supervisory
P – Personnel
A – Arithmetical and Accounting
M – Management
Segregation of Duties
There should be a division or separation of
responsibilities with regard to authorizing or
initiating transactions, physical custody and
control of assets, and recording the
transaction. Segregation of duties reduces the
risk of intentional manipulation or error and
increases the element of checking.
Organizational Structure
Enterprises should have a plan of their
organization, defining and allocating
responsibilities and identifying lines of
reporting for all aspects of the enterprise's
operations, including the controls.
The delegation of authority and responsibility
should be clearly specified.
Authorization or Approval
All transactions should require authorization or
approval by an appropriate responsible person.
Physical Custody
These are concerned mainly with the custody
of assets and involve procedures and security
measures designed to ensure that access to
assets is limited to authorized personnel. For
example, the custody of the keys to the safe
should be limited to only the cashier and
possibly a highly placed responsible official.
Supervision
Any system of internal control should include
the supervision by responsible officials of
the day-to-day transactions and the recording
thereof.
Personnel
There should be procedures to ensure that
personnel have capabilities commensurate with
their responsibilities. Inevitably, the proper
functioning of any system depends on the
competence and integrity of those operating it.
The qualification, selection and training as well
as the innate personal characteristics of the
personnel involved are important features to be
considered in setting up any control system.
Arithmetic or Accounting
These are the controls within the recording
functions which check that the transactions to
be recorded and processed have been
authorized, that they are all included and that
they are correctly recorded and accurately
processed. Such controls include checking the
arithmetical accuracy of the records, the
maintenance and checking of totals,
reconciliations, control accounts and trial
balance and accounting for documents.
Management
These are the controls exercised by
management outside the day-to-day routine of
the system. They include the overall
supervisory controls exercised by
management, the review of management
accounts, and comparisons thereof with
budget, the internal audit function and any
other special review procedures.
Limitations on the effectiveness of
internal controls
No internal control system, however elaborate,
can by itself guarantee efficient administration
and the completeness and accuracy of the
records, nor can it be proof against fraudulent
collusion, especially on the part of those
holding positions of authority or trust. Internal
controls depending on separation of duties can
be avoided (side stepped) by collusion.
Limitations on the effectiveness of
internal controls
Authorization controls can be abused by the persons
in whom the authority is vested. Whilst the
competence and integrity of the personnel operating
the controls may be ensured by selection and training,
these qualities may alter due to pressure exerted both
within and outside the enterprise.
Human error due to errors of judgment or
interpretation, or misunderstanding, carelessness,
fatigue or distraction may undermine the effective
operation of internal controls.
Why IC should interest the auditor
If the auditor wishes to place reliance on any internal
controls, he should ascertain and evaluate these controls
and perform compliance tests on their operation.