
Class # 01 & 02 Introduction To Internal Control


Uploaded by

TB Ahmed

Introduction to Internal Control

Certificate Level
Course - Assurance
Chapter - 05

Masud Alam Chowdhury ACA, MBA (IBA, DU)


Partner, Nexia Bangladesh (MABS & J Partners)

01672-482008
[email protected]
Contents

• What is internal control?
• Limitations of Internal Control
• Components of internal control
• Information about controls
• Recording of Internal control
• Sample Questions and Answers

Internal Control Definition

Internal control is the process designed to mitigate risk to the business
and ensure that the business operates efficiently and effectively.
System of Internal Control:
The system designed, implemented and maintained by those charged with
governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to
o reliability of financial reporting,
o effectiveness and efficiency of operations and
o compliance with applicable laws and regulations.
(Those Charged with Governance is a technical term used by the ISA. It means the people responsible for the
‘strategic oversight’ of the entity.)

Reason for Internal Control

The reasons can be seen in the examples below:


• Minimizing the company’s business risks

• Ensuring the continuing effective functioning of the company

• Ensuring the company complies with relevant laws and regulations

Limitation of Internal Control
Human element
Most controls can only function as well as the people that are implementing them. Controls are
not necessarily fool-proof. If a human being makes a mistake implementing a control, then that
control might be ineffective. Controls may also be bypassed very effectively and secretly by two or
more people working together, that is, colluding in fraud.

Collusion
Staff members may want to avoid controls in order to defraud the company. Controls may be
bypassed very effectively and secretly by two or more people working together, that is, colluding
in fraud.
Unusual transactions
Finally, a limitation of internal controls is that they are generally designed to deal with what
normally or routinely happens in a business. However, it may be the case that an unusual
transaction may occur which does not fit into the normal routines, in which case standard controls
may not be relevant to the unusual transaction, and hence mistakes may be made in relation to
that unusual transaction. Examples include abnormally large or small transactions and transactions that are
inconsistent with the company’s established policies and procedures.
Components of Internal Control

Control Environment
If the control environment is strong, then auditors will be more motivated to rely on the
controls system in the entity than if it is weak.

Control environment and audit committee: The audit committee is a subsection of
the board of directors which has a particular interest in the finance and accounting
activities of the company. The audit committee is comprised of non-executive directors.

The Code requires the committee to have written terms of reference which are likely to
include the following:
• To review the integrity of the financial statements and formal announcements
relating to the company's performance
• To review the company’s internal financial controls and the company’s risk
management systems (unless there is a separate risk management committee)
• To monitor and review the effectiveness of the company’s internal audit function
• To make recommendations to the board in relation to the external auditor
• To monitor the independence of the external auditor
• To implement policy on the provision of non-audit services by the external auditor.

Entity’s Risk Assessment Process
The process by which management in a business identifies Business Risks relevant to
financial reporting objectives and decides what actions to take to address those risks (for
example, implementing internal controls).
Business risk: The risk inherent to the company in its operations. It covers risks at all levels of the
business.

The auditor will also assess the entity’s risk assessment process during audit risk
assessment. In terms of internal control, the auditors will have to evaluate each aspect of this
process. If, during the audit, the auditors identify a risk that the entity did not identify, the
auditors will evaluate what this means for the effectiveness of the entity’s risk assessment
process.

Information System relevant to
Financial Reporting Objectives

This includes the procedures and records designed to initiate,
record, process and report entity transactions and to maintain
accountability for the related assets, liabilities and equity.

The auditors will be interested in:
• The classes of transactions that are significant to the entity
• The procedures by which these transactions are recorded and
reported
• The related accounting records and supporting information
• How the information system captures events other than
transactions that are relevant to the financial statements
• The process of preparing the financial statements

Control Activities
Control activities: The policies and procedures that help ensure that management directives are carried out.
Control activities are the most tangible internal controls that the auditor will concentrate on to a large degree.

Types of Control Activity

| Types | Example | Explanation |
|---|---|---|
| Authorization and Approval | Approval of Transactions/Documents | Transactions/documents should be approved by an appropriate person |
| Physical or Logical Controls | Physical Security of Assets | Only authorized personnel should have access to certain assets. |

Segregation of duties
Segregation implies a number of people being involved in the
accounting process. Segregation should take place in various ways:
• Segregation of function. The key functions that should be segregated
are the carrying out of a transaction, recording that transaction in the
accounting records and maintaining custody of assets that arise from
the transaction.
• The various steps in carrying out the transaction should also be
segregated. We shall see how this works in practice when we look at the
major control cycles in the following chapters.
• The carrying out of various accounting operations should be
segregated. For example, the same staff should not record transactions
and carry out the related reconciliations at the period-end.


IT controls
The internal controls in a computerized environment include two
types of control.

Information Processing Controls: manual or automated
procedures that apply to the processing of individual applications to
ensure that transactions occurred, are authorized and are
completely and accurately recorded and processed.

General IT Controls: policies and procedures that relate to
many applications and support the effective function of application
controls by helping to ensure the continued proper operation
of information systems.

Difference between these:

• Information processing controls focus on specific transactions or processes within an
application, ensuring accuracy and completeness. General IT controls are broader and
address the overall IT environment, including infrastructure and security.
• Information processing controls are specific to individual applications, while general controls provide
a framework for the entire IT system.

Example:

An example of an information processing control would be validation checks within
accounting software to ensure that entered financial transactions meet certain criteria,
such as valid account numbers or proper authorization.

In contrast, an IT general control example could involve the implementation of an access
control policy across the entire IT environment, ensuring that only authorized individuals
have appropriate access to systems and data.

Information Processing Controls
• Controls over input: completeness
• Controls over input: accuracy
• Controls over input: authorization
• Controls over processing
• Controls over master files and standing data (that is held in the system for long-term use and is not expected to change frequently)
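
The three input controls listed above, applied to one batch of journal entries. This is an added example, not part of the original slides; the field names, the approver roles and the use of a Luhn check digit on account numbers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical approver roles; Luhn is an assumed check-digit scheme for account numbers.
AUTHORIZED_APPROVERS = {"fin_manager", "controller"}

@dataclass
class Entry:
    doc_no: str
    account: str
    amount_cents: int
    prepared_by: str
    approved_by: str

def luhn_ok(number: str) -> bool:
    """Accuracy: True if the trailing check digit matches the other digits."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_batch(entries, expected_count, expected_total_cents):
    """Return (doc_no, control, reason) exceptions; an empty list means the batch passes."""
    found = []
    # Completeness: compare with the document count and control total on the batch header.
    if len(entries) != expected_count:
        found.append(("BATCH", "completeness", f"{len(entries)} documents, header says {expected_count}"))
    total = sum(e.amount_cents for e in entries)
    if total != expected_total_cents:
        found.append(("BATCH", "completeness", f"total {total}, header says {expected_total_cents}"))
    for e in entries:
        if not luhn_ok(e.account):
            found.append((e.doc_no, "accuracy", f"account {e.account} fails check digit"))
        if e.approved_by not in AUTHORIZED_APPROVERS:
            found.append((e.doc_no, "authorization", f"{e.approved_by} may not approve"))
        elif e.approved_by == e.prepared_by:  # segregation of duties
            found.append((e.doc_no, "authorization", "preparer approved own entry"))
    return found

# Constructed sample batch; its header claims 5 documents totalling 180400.
SAMPLE = [
    Entry("JV-001", "1008", 125000, "alice", "fin_manager"),
    Entry("JV-002", "2005", 40000, "bob", "controller"),
    Entry("JV-003", "2006", 9900, "controller", "controller"),
    Entry("JV-004", "1008", 500, "alice", "alice"),
]
```

Calling `check_batch(SAMPLE, 5, 180400)` returns the exception report a reviewer would follow up; a batch that matches its header and passes every entry check returns an empty list.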

General Controls
• Development of computer applications
• Prevention or detection of unauthorized changes to programs
• Testing and documentation of program changes
• Controls to prevent wrong programs or files being used
• Controls to prevent unauthorized amendments to data files
• Controls to ensure continuity of operations
Cyber Security Risk-Key Aspects for Internal Control

Types of Cyber Risks that an organization may face:

• Human Threats: Hackers can break into a company’s internal systems to steal
data or cause damage. Cyber-terrorism is a rising concern.
• Fraud: Using computers to steal funds or commit dishonest acts.
• Deliberate Sabotage: Examples include spying on competitors or intentionally
damaging systems.
• Viruses and Corruptions: Harmful programs that spread across the network
and disrupt operations.
• Malware: Harmful software like spyware, worms, and trojans that attack
systems.
• Denial of Service (DoS) Attack: Blocking legitimate users from accessing
services by overwhelming the system with requests.

Challenges in Managing Cyber Risks and Suggestions:
• Communication Barriers: Technical language makes it hard for management and
staff to understand security issues. Clear communication between technical teams
and management is essential.
• Clear Roles and Responsibilities: Large organizations need well-defined roles for
managing cyber risks.
• Board-Level Accountability: It must be clear who at the top is responsible, such as
the CEO, Risk Officer, or Chief Information Security Officer.
• Involvement of Non-Executive Directors: Audit committees and non-executive
directors should ensure management puts proper security controls in place.

Takeaway for Small Organizations: Smaller companies often struggle to afford specialized security teams,
making it harder to fully manage cyber risks. Some security gaps may still remain despite efforts.

Monitoring Control Activities
An entity should review its overall control system to ensure that it
still meets its objectives, it still operates effectively and efficiently
and that necessary corrections to the system are made on a timely
basis. If it does not, then the control system may not be operating
optimally. This is often a role undertaken by a company’s internal audit
department.

In smaller companies that do not have an internal audit function, the
company may make use of auditor feedback to ensure that controls
continue to operate efficiently. Auditors will often produce a
management report at the end of an audit, outlining any weaknesses
they have observed in internal controls. Auditors are also required by ISAs
to identify control weaknesses observed to those charged with governance.

However, this does not remove the onus/responsibility from the company
itself to monitor its own internal controls.

Information about Internal Control
Auditors will obtain information about internal controls from a variety of sources.

The company may have manuals of internal controls and copies of internal controls
policies, or minutes of meetings of the risk assessment group. These will be useful
documents for the auditors to read. In addition, in recurring audits, the auditors should
have a record of what the controls were in previous years and therefore will only be
looking for new policies in the current year.

The auditors will also obtain knowledge by talking to the people involved with internal
control at all stages and asking them what the controls are and why they have been
implemented. Again, where auditors have a record of what the controls were last year,
inquiry will be useful in updating the picture to what they are now.

Lastly, observation is an important tool for auditors in determining what internal controls exist in
an organization. The auditor will watch operations at a company to identify the control
activities being put into action.

Recording-Internal Control
Auditors will record the internal controls that they see. There are broadly
three types of document which are used for recording the understanding
of the business:
• Narrative notes
• Questionnaires/checklists and
• Diagrams

Narrative notes
These are good for things like:
• Short notes on simple systems
• Background information

They are less suitable when things get more complex, at which point diagrams tend to
take over.

Sample Questions
1. Internal control is the process designed and effected by those charged with
governance, management, and other personnel
a) True
b) False

2. Internal control is designed and effected by Those Charged with Governance
to provide
a) Absolute assurance
b) No assurance
c) Reasonable assurance
d) Reliable assurance
3. Auditors will not obtain information about internal controls from a variety of
sources.
a) True
b) False

4. Which of these relate to internal control?
a) Identification and detection of fraud
b) Preparation of accurate balance sheet
c) Reliability of financial reporting
d) Compliance with applicable laws and regulations.
5. Which are not reasons for internal control?
a) Reducing management cost
b) Ensuring job satisfaction of employees
c) Minimizing the company’s business risks
d) Maximizing profit of the company
6. In smaller companies that do not have an internal audit function, the company may make use
of auditor feedback to ensure that controls continue to operate efficiently.
a) True
b) False

7. There is no limitation of Internal control
a) True
b) False

8. The audit committee is not a subsection of the Board of Directors

a) True
b) False

9. Which are not the components of internal control

a) Test of Control
b) Test of Details
c) Control Environment
d) Monitoring of Control

Question & Answers
10. Which one of the following is a reason that organizations have effective systems of
control?
To assist the organization in:
A. Maximizing profitability
B. Maximizing operating efficiency
C. Reducing time required for the statutory audit
D. Minimizing audit risk

11


12. Most entities use IT systems for financial reporting and operational
purposes. Controls operating in an IT environment can be split into general
controls and application controls.

Which two of the following are application controls?

a) Document counts
b) Digit verification
c) Passwords
d) Virus checks

13. IT general controls are manual or automated procedures that apply to the
processing of individual applications to ensure that transactions occurred, are
authorized and are completely and accurately recorded and processed.

a) True
b) False

14. IT application controls are not policies and procedures that relate to many
applications and support the effective function of application controls by helping to
ensure the continued proper operation of information systems.

a) True
b) False

15

Any Question!
