Audit I CH 5 Internal Control

CHAPTER 5

INTERNAL CONTROL
Internal Control Meaning & Objectives
• A system of internal control consists of:
– Policies and
– Procedures
designed to provide management with reasonable assurance that the company achieves its objectives and goals
• Management typically has three broad objectives in designing an effective internal control system:
– Reliability of reporting
– Efficiency and effectiveness of operations
– Compliance with laws and regulations
Benefits of Internal Control
Internal control helps organizations:
• To make jobs easier and help people do their jobs better: if policies and procedures are established, authority and responsibility will be clearly defined and expectations will be clear, so people know what to do and what not to do
• To meet their goals and objectives
• To safeguard assets from waste, fraud and inefficient use (only a few trusted people can modify IC)
• To promote efficiency (by making transactions transparent to anyone who looks) and reduce the risk of loss
• To improve accountability and maintain public trust
• To ensure accurate and reliable accounting records
• To ensure compliance with company policies (it can be an early warning system, enabling early identification and correction of deficiencies)
• To reduce legal liability
• In sum, an internal control system consists of all measures taken to assure management that everything is functioning as it should
Weak Internal Control
Weak internal control can result in:
• Fraud, Embezzlement and Theft at various levels: management, employees, customers, vendors, or the public at large.
• Statutory Sanctions – penalties arising from failure to comply with regulatory requirements, as well as overt violations.
• Excessive Costs – results in expenses which could have been avoided.
• Deficient Revenues – results in loss of revenues to which the organization is entitled.
• Loss, Misuse or Destruction of Assets – unintentional loss of physical assets such as cash, inventory, and equipment.
• Business Interruption – it may cause system breakdowns and excessive re-work to correct errors.
Limitation of Internal Control
• It provides reasonable, not absolute, assurance, i.e.:
– No system is perfect; an internal control system cannot provide absolute assurance because of the following inherent limitations:
• Its effectiveness depends on the behavior of those who use it
• It is affected by human factors such as error in designing it, lack of understanding, carelessness, and abuse or override (employee collusion, management override); its effectiveness depends on the competence of the people designing and implementing it
• It can be affected by resource limitations: since it involves cost, smaller organizations may not implement it
– The concept of reasonable assurance also recognizes that the cost of an entity’s internal control should not exceed the benefits
1. Human error (tired, disturbed)
2. Ineffective understanding of the control purpose: people may not understand the reason for the control, perhaps forgetting to use a control step. Or, the person does not understand how a control system
3. Collusion by two or more individuals to avoid control
4. Software program control being overridden or disabled
5. Management decision about the nature and extent of control being implemented
Management and Auditor Responsibilities for Internal Control
– Management’s Responsibility
• Establish and maintain the control system
• Publicly report on the operating effectiveness of those controls (Sarbanes-Oxley Act of 2002)
• Two key concepts underlie management’s design and implementation of internal control:
– Reasonable assurance
– Inherent limitations
– Auditor’s Responsibility
• Understand and test internal control over financial reporting
Management’s Reporting Responsibilities
• Management of all public companies is to issue an internal control report that includes the following:
– A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
– An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year
• Management’s assessment of internal control over financial reporting consists of two key aspects. Management must:
– Evaluate the design of internal control over financial reporting
– Test the operating effectiveness of those controls
Auditor Responsibilities for
Understanding Internal Control
• Auditors are required to:
– Obtain an understanding of internal control
relevant to the audit on every audit
engagement
– Report on the effectiveness of internal control
over financial reporting, if the client is an
accelerated filer
• Auditors are primarily concerned about:
– Controls over the reliability of financial
reporting
– Controls over classes of transactions
Example Management Report on Internal
Control over Financial Reporting
Internal Control and Internal Audit
Internal controls are systems, policies and procedures designed to address risks and provide reasonable assurance that the following objectives are achieved:
– Accountability obligations are fulfilled
– Operations are executed orderly, ethically, economically, efficiently and effectively
– Rules and regulations are complied with
– Resources are safeguarded from loss, misuse and damage
• Internal controls are policies and procedures designed to control all of an entity’s functions. They are built into the operations.
• Internal audit is an independent function that checks whether internal control systems are working well or not.
• Internal control and internal audit are related but not the same.
COSO Components of Internal Control
(Committee of Sponsoring Organizations of the Treadway Commission (COSO))
[Figure 11.2 COSO Internal Control Objectives and Components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring]
1. Control environment
Consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
• It is the foundation for all other components of internal control
• It has a pervasive influence on all the decisions and activities of an organization
• It sets the tone of an organization and influences the control consciousness of the staff
• Effective organizations set a positive “tone at the top”: if top management believes that control is important, others in the organization will sense this commitment and respond by strictly observing the controls established.
• How do auditors understand and assess the control environment of an entity?
• By considering important factors (elements of the CE).
Factors considered in assessing the control environment:
– Integrity and ethical values: the auditor’s assessment includes whether the entity has ethical and behavioral standards
– If it has, are these standards communicated to employees?
– Are they enforced?
– What is management’s reaction to unethical behavior?
– Does it encourage/discourage illegal practices and unethical behaviors?
– Commitment to competence – this is related to the
– The functioning of the BOD and audit committee
• Auditors collect information about the composition of the BOD and the audit committee and their independence from management (since it provides insight into the effectiveness of the governance of the organization).
• If the audit committee is composed of individuals with knowledge of financial reporting issues, they will be able to effectively evaluate the internal control system, the internal audit functions and the financial statements prepared by management; thus, the likelihood that material misstatement exists in the financial statements will be low.
• Management’s philosophy and operating style
Management, through its activities, provides clear signals to employees about the importance of internal control. (If management is the type that overrides internal controls, employees will follow the same, so the risk that misstatements exist will be high.)
• Organizational structure
– The entity’s organizational structure shows the lines of responsibility and authority
– It gives an insight as to how controls are implemented
• Human resource policies and practices
– The human resource policy is an integral part of the internal control system of the organization, and auditors assess its strength/weakness.
– If the human resource policy of an organization enables the company to attract and retain competent and
2. Risk assessment
• Involves a process for identifying and analyzing risks that may prevent the organization from achieving its objectives
• The process includes:
– identifying,
– evaluating, and
– deciding how to manage these events
Management will assess:
A. What is the likelihood of the event occurring?
B. What would be the impact if it were to occur?
C. What can we do to prevent or reduce the risk?
• Risk assessment for financial reporting is management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with appropriate accounting standards.
• Factors that may lead to increased risk include:
– Poor quality of personnel (e.g. not knowing revenue recognition),
– Geographic dispersion of company operations,
– Complexity of core business processes,
– Introduction of new information technologies (affects the production process and information system),
– Economic downturns, and
– Entrance of new competitors
• Once management identifies a risk:
– it estimates the significance of that risk (it evaluates as high, medium, low),
– assesses the likelihood of the risk occurring, and
– develops specific actions that need to be taken to reduce the risk to an acceptable level (management addresses the high category risk). How?
• Management will respond to the risk, e.g.:
– by transferring it to a third party (insurance);
– by tolerating it: deciding to live with the risk (tolerate/accept the risk) if it is too expensive to treat it;
– by terminating the risk: terminating/discontinuing the activity involving a high risk
• If management effectively assesses and responds to risks, the risk of misstatement of financial statement will
Purpose of management’s and auditors’ assessment of risk:
• Management assesses risks as a part of designing and operating internal controls (to minimize errors and fraud)
• Auditors assess risks to decide the evidence needed in the audit (to satisfy various audit objectives: timing, extent, and audit guide)
How do auditors obtain knowledge about management’s risk assessment?
• Through questionnaires and discussions with management
What information do they collect in relation to management’s risk assessment?
• Information about:
– how management identifies risks relevant to financial reporting,
3. Control activities
Are policies and procedures that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
• Control activities include both manual and automated controls.
• Control activities generally fall into the following five types:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate separation of duties: adequate internal control exists when the following duties are separated:
– Custody of assets from accounting
– Authorization of transactions from the custody of related assets
– Operational responsibility from record keeping responsibility
– IT duties from user departments
2. Proper authorization of transactions and activities
– Every transaction must be properly authorized if controls are to be satisfactory. (E.g. if any person in an organization could acquire or expend assets at will, complete chaos would result.)
– The distinction between authorization and approval is also important: authorization is about the decision on the policies & procedures, but approval is about implementation of the authorized policies &
3. Adequate documents and records
• The occurrence of transactions should be adequately documented. This means documents should be:
– Pre-numbered, to identify if there are missing documents
– Prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors
– Designed for multiple use, when possible, to minimize the number of different forms (one form can be designed so that it provides many related pieces of information)
– Constructed in a manner that encourages correct preparation (e.g. a well-designed chart of accounts ensures accurate classification of accounts)
4. Physical control over assets and records
– To maintain adequate internal control, assets and records must be protected. (If assets are left unprotected, they can be stolen.)
– If records are not adequately protected, they can be stolen, damaged, altered, or lost, seriously disrupting the accounting process and business operations.
– When a company is highly computerized, its computer equipment, programs, and data files must be protected.
– The data files are the records of the company and, if damaged, could be costly or even impossible to reconstruct.
– The most important type of protective measure for safeguarding assets and records is
Examples of physical safeguards include:
– Use of storerooms for inventory to guard against theft. When the storeroom is under the control of a competent employee, there is further assurance that theft is minimized.
– Use of fireproof safes and safety deposit vaults for the protection of assets such as currency and securities.
– Off-site backup of computer software and data files.
Management should (follow up):
– Secure and restrict access to equipment, cash, inventory, confidential information, etc. (essential to reduce the risk of loss or unauthorized use).
– Perform periodic physical inventories (to verify existence, quantities, location, condition, and utilization).
– Base the level of security on the riskiness of items being secured, the likelihood of loss, and the potential impact should a loss occur.
• If such protections are adequate, the level of risk for
5. Independent checks on performance
• This is the careful and continuous review of the other four.
• Independent checks or internal verification can be achieved, e.g.:
– through strict application of separation of duties (least costly method); or
– by having an internal audit department that performs independent review.
• What justifies the need for internal verification?
i) Internal controls tend to change over time unless there is frequent review.
ii) Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.
• Control activities can be summarized as directive, preventive, detective and corrective controls
Directive controls: are designed to establish outcomes (e.g. laws, policies, procedures, manuals).
Preventive controls: these are measures that occur before a transaction or action is performed to prevent a risk from occurring (e.g. training, pre-authorization, physical control over assets, system access control, etc.).
Detective controls: these are measures that occur after a transaction or action is performed to detect misdeeds or something that has gone wrong (e.g. reviews and comparisons, reconciliations, physical count of inventories and post audits).
Corrective controls: are controls designed to correct errors that have been discovered. (Controls that restore the system or process back to the state prior to a harmful event. E.g. restoring
• As a general rule, preventive controls are better than detective controls; any good system of internal control should have a good mixture of both.
– However, it is not advisable to place excessive reliance only on preventive controls while ignoring detective controls because, once preventive controls are compromised, there is no way of detecting the illegal act that has occurred
• Controls can also be categorized as soft controls and hard controls
– Soft controls include tone at the top, performance evaluations, and training programs
– Hard controls include segregation of duties, reviews and approvals, and reconciliations
4. Information system and Communication
• Adequate internal control requires an entity to maintain an information system:
– That allows the flow of information across organizations
– That clearly communicates employees’ duties and responsibilities
– That incorporates channels to report suspected improprieties and encourages employees’ suggestions for improvement
– That provides relevant and reliable information
– That provides timely, understandable and usable information to ensure accountability for the related assets (e.g. it requires an entity to maintain a proper accounting system).
• Effective information and communication systems enable the right people to get information on time to allow appropriate action (to conduct, manage, and
5. Monitoring the internal control
Is an ongoing/periodic assessment of the quality of internal control by management to determine that:
• For many companies (by internal audit), especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls
• Internal control systems must be monitored:
– to assess their effectiveness
– to know if they are operating as intended
• Ongoing monitoring is necessary to react dynamically to changing conditions
• The board, audit committee, the risk assessment process and internal audit are key components of entity-level control
Indicators of good internal control
Include:
– Documented policies and procedures
– Physical safeguarding of assets
– Systems to track employees’ activities; systems to follow up problems and ensure resolution
– Existence of a code of conduct and job descriptions
– BOD’s timely communication of the organization’s objectives, strategy, and assignment of responsibilities
– Policies to hire, train, promote and compensate employees
– Positive atmosphere in the work environment
– Clear chain of command, adequate segregation of duties
– Approvals of transactions (setting different levels of approvals for transactions)
• Effective internal control allows organizations to achieve their goals effectively and efficiently
Internal Controls Specific to Information Technology
• Technology can strengthen a company’s system of internal control but can also provide challenges
– To address risks associated with reliance on technology, organizations often implement specific IT controls
• Auditing standards describe two categories of controls for IT systems:
– General controls
– Application controls
General Controls
• General controls are those that relate to all aspects of the IT function.
• They include controls related to the following six categories:
– Administration,
– Separation of IT duties,
– Systems development,
– Physical and on-line security,
– Backup and contingency planning, and
– Hardware controls.
• Application controls relate to:
– the processing of individual transactions
– software applications (and typically do not affect all IT functions)
• These controls may be manual or automated and include:
– Input controls
– Processing controls
– Output controls
COSO Internal Control Objectives
• Operations objectives, such as performance goals and securing the organization's assets against fraud, focus on the effectiveness and efficiency of your business operations.
• Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization's reporting habits.
• Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.
Process for Understanding Internal Control and Assessing Control Risk
Auditors need to understand the design and implementation of controls that are relevant to the audit to identify and assess the risks of material misstatements
There are four steps in this process:
Step 1: Obtain and Document Understanding of Internal Control
• Auditors commonly use three types of documentation to obtain and document their understanding of the design of internal control:
– Narratives: written descriptions of control; a big story (rich, long)
– Flowcharts: diagrams giving an overview of control systems in symbols (pictures convey meaning, condensed)
- preferred on
– Internal control questionnaires: a series of yes/no questions, a list of questions you ask (anyone can use them; clients do not like them; not customized)
• Auditors use the following methods to evaluate whether the controls are implemented:
– System walkthrough/perform again
– Make inquiries of client personnel
– Inspect documents and records
– Observe entity activities and operations
Step 2: Assess Control Risk (how it works)
• Obtaining an understanding of the design and implementation of internal control helps the auditor to:
– Make a preliminary assessment of control risk
• It is a measure of the auditor’s expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred
• How do auditors assess control risk?
a) Starting with the assessment of entity-level controls, which include:
– Control environment,
– Management override,
– Risk assessment process,
– Monitoring components (audit committee & internal audit)
E.g.:
• An ineffective board of directors, or management’s failure to have any process to identify, assess, or manage key risks, has the potential to undermine controls for most of the transaction-related audit objectives.
• (Thus, auditors generally assess entity-level controls before assessing transaction-specific controls.)
b) Make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle (top-down approach).
– Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level
– The purpose: to provide a convenient way to organize assessing control risk for each audit objective
• Components of the control risk matrix include:
– Audit objectives (transaction-related)
– Key controls
– Associate controls with related audit objectives
• Key controls (the five key controls: separation of duty, authorization, documentation, physical control, and independent review) are sufficient to achieve the transaction-related audit objectives.
• Auditors must evaluate whether key controls are absent in the design and implementation of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements
• Auditing standards define three levels of the absence of internal controls:
– Level 1: Control deficiency
– Level 2: Significant deficiency
– Level 3: Material weakness
Level 1: Control deficiency
A control deficiency exists if the design/operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions.
A design deficiency exists if a necessary control is:
– missing, or
– not properly designed.
An operation deficiency exists if:
– a well-designed control does not operate as designed, or
– the person performing the control is insufficiently qualified or authorized.
Level 2: Significant deficiency
• A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness (defined below) but need attention by those responsible for oversight of the company’s financial reporting.
Level 3: Material weakness
• A material weakness exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis
A five-step approach to identify deficiency
To identify deficiencies, significant deficiencies, and material weaknesses:
1st Identify existing control
2nd Identify the absence of key controls
3rd Consider the possibility of compensating controls: a control elsewhere in the system that offsets the absence of a key control (e.g. owner-manager)
4th Decide whether there is a significant deficiency or material weakness
5th Determine potential misstatements that could result
• In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk.
Step 3: Design, Perform and Evaluate Tests of Controls
• Tests of controls are procedures to test the effectiveness of controls, which supports a reduced assessed control risk.
• (See if the auditor can rely on IC; if IC does not work, go to substantive tests: test FS ratios, comparisons to budget, or details such as confirmations, vouching, tracing documents, journals.)
• If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same control risk as the preliminary assessment
• The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls:
i. Make inquiries of appropriate client personnel
• There is a significant overlap (similarity) between:
– tests of controls, and
– procedures to obtain an understanding
Both include inquiry, inspection, and observation
• There are two primary differences in the application of these common procedures:
– Application of procedures: tests of controls are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding
– Sample size and timing: procedures to obtain an understanding are performed only on one or a few transactions
Step 4: Decide Planned Detection Risk and Substantive Tests
– The auditor uses the control risk assessment and the results of tests of controls to determine planned detection risk and the related substantive tests for the financial statement audit.
– The auditor links the inherent risk assessments to the balance-related audit objectives.
– Control risk is generally set at high for smaller public companies and nonpublic companies, as they face challenges in implementing effective internal control due to inadequate separation of duty.
Communicating Internal Control Related Matters
• An auditor can issue one of the three types of opinions on the effectiveness of internal control over financial reporting:
– Unqualified: when no material weakness is found
– Disclaimer of opinion: when the audit team cannot perform all of the procedures considered necessary
– Adverse opinion: when one or more material weaknesses are found
Communications to those Charged With Governance & Management Letter
• The auditor must communicate:
– significant deficiencies, and
– material weaknesses
in writing to those charged with governance as soon as the auditor becomes aware of their existence.
• The communication is usually addressed to:
– the audit committee, and
– management.
• Timely communications may provide management an opportunity to address control deficiencies before management’s report on internal control must be issued.
– In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date.
Management Letter
• Auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. (+ve: write to client)
– These issues should also be communicated to the client.
– The form of communication is often a separate letter for that purpose, called a management letter.
– Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.
END OF CHAPTER FIVE
• Audit report
• Audit evidence
• Audit strategy = substantive audit procedure
• = Internal control / compliance
• Understanding client
• Sampling
• Audit strategy (controls, mixed, or substantive), then evidence, then opinion
• Procedures (in gathering evidence we need 9 procedures and sampling as well)
• AR model: IR, CR, DR
• IR and CR: back to understanding client
