Audit I CH 5 Internal Control

Chapter 5 discusses internal controls, their meaning, objectives, benefits, and limitations, emphasizing the importance of a robust internal control system for ensuring reliability, efficiency, and compliance. It outlines management and auditor responsibilities, including the need for assessments of risk and the effectiveness of controls, while detailing the COSO components of internal control such as control environment, risk assessment, control activities, information and communication, and monitoring. The chapter also highlights the role of technology in internal controls and the process auditors use to understand and assess control risk.

Uploaded by

dubishadesta72

CHAPTER 5

INTERNAL CONTROLS
Internal Control- Meaning & Objectives
• A system of internal control consists of:
–Policies and procedures designed to provide
management with reasonable assurance that
the company achieves its objectives and
goals
• Management typically has three broad
objectives in designing an effective internal
control system:
–Reliability of reporting
–Efficiency and effectiveness of operations
–Compliance with laws and regulations
Benefits of Internal Control
• Internal control helps organizations
– To make jobs easier and help people to do jobs better- If
policies and procedures are established, authority and
responsibility will be clearly defined, expectations will be
clear, so people know what to do and not to do
– To meet their goals and objectives,
– To safeguard assets from waste, fraud and inefficient use;
– To promote efficiency, reduce risk of loss,
– To improve accountability and maintain public trust
– To ensure accurate and reliable accounting records
– To ensure compliance with company policies
– To reduce legal liability
In sum, an internal control system consists of all measures taken to
assure management that everything is functioning as it should.
Weak Internal Control
Weak internal control can result in:
• Fraud, Embezzlement and Theft at various levels-
management, employees, customers, vendors, or the
public-at-large.
• Statutory Sanctions - penalties arising from failure to
comply with regulatory requirements, as well as overt
violations.
• Excessive Costs – results in expenses which could have
been avoided,
• Deficient Revenues – results in loss of revenues to which
the organization is entitled.
• Loss, Misuse or Destruction of Assets - unintentional loss
of physical assets such as cash, inventory, and
equipment.
• Business Interruption – it may cause system breakdowns,
excessive re-work to correct for errors.
Limitation of Internal Control
• It provides reasonable, not absolute, assurance, i.e.:
– No system is perfect; an internal control system cannot provide
absolute assurance because of the following inherent
limitations:
▪ its effectiveness depends on the behavior of those who use it;
▪ it is affected by human factors such as error in designing it,
lack of understanding, carelessness, and abuse or override
(employee collusion, management override); its effectiveness
depends on the competence of the people designing and implementing it;
▪ it can be affected by resource limitations: since it involves cost,
smaller organizations may not implement it.
– The cost of an entity’s internal control should not exceed the
benefits expected to be derived.
Management/Auditor Responsibilities for Internal Control
– Management’s Responsibility
▪ Primary responsibility to establish and maintain the control
system
▪ To publicly report on the operating effectiveness of those
controls (Sarbanes-Oxley Act of 2002)
• Two key concepts underlie management’s design and
implementation of internal control:
▪ Reasonable assurance
▪ Inherent limitations
– Auditor’s Responsibility
▪ To understand and test internal control over financial
reporting
▪ To annually issue an audit report on the operating
effectiveness of those controls (applies to auditors of
larger public companies, since 2004)
Management’s Reporting Responsibilities
• Management of all public companies are to issue an
internal control report that includes the following:
– A statement that management is responsible for
establishing and maintaining an adequate internal
control structure and procedures for financial reporting
– An assessment of the effectiveness of the internal
control structure and procedures for financial reporting
as of the end of the company’s fiscal year
• Management’s assessment of internal control over
financial reporting consists of two key aspects:
– Management must:
▪ Evaluate the design of internal control over financial
reporting
▪ Test the operating effectiveness of those controls
COSO Components of Internal Control

[Figure 5.2: COSO Internal Control Objectives and Components. Components shown: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring]
1. Control environment
–Consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an
entity about internal control and its importance to the entity
• It is the foundation for all other components of internal control
• It has pervasive influence on all the decisions and activities of an
organization.
• It sets the tone of an organization, it influences the control
consciousness of the staff
• Effective organizations set a positive “tone at the top”, it means:
• If top management believes that control is important, others in the
organization will sense this commitment and respond by strictly
observing the controls established.
• If members of the organization believe that control is not an
important concern to top management, it is almost certain that
management’s control objectives will not be effectively
achieved.
• How do auditors understand and assess the control
environment of an entity? They consider important factors
(elements of the CE).
• Factors considered in assessing the control environment:
– Integrity and ethical values – The auditor’s assessment includes
whether the entity has ethical and behavioral standards. If it
has, are these standards communicated to employees? Are
they enforced? What is management’s reaction to unethical
behavior? Does it encourage or discourage illegal practices and
unethical behaviors?
– Commitment to competence – This is related to the human
resource policy of the organization. E.g. Is management
committed to better results by assigning the right person to
the job? Is management committed to continuous
improvement of staff’s knowledge and skill, to develop the
human capital in the entity?
The functioning of the BoD and Audit Committee
• Auditors collect information about the composition of the BoD and the audit
committee (AC) and their independence from management, since it provides
insight into the effectiveness of the governance of the organization.
• If the AC is composed of individuals with knowledge of financial reporting issues,
they will be able to effectively evaluate the internal control system, the internal
audit functions and the financial statements prepared by management; thus,
– the likelihood that material misstatement exists in the financial statements will
be low.
▪ Management’s philosophy and operating style – Management, through its
activities, provides clear signals to employees about the importance of
internal control. If management is the type that overrides internal controls,
employees will do the same, so the risk that misstatements exist will be
high.
▪ Organizational structure – The entity’s organizational structure shows the
lines of responsibility and authority; it gives insight into how controls are
implemented.
▪ Human resource policies and practices – The human resource policy is an integral
part of the internal control system of the organization, and auditors assess its
strengths and weaknesses.
2. Risk assessment
– Involves a process for identifying and analyzing risks that may
prevent the organization from achieving its objectives
▪ The process includes identifying, evaluating, and deciding how to
manage these events: What is the likelihood of the event
occurring? What would be the impact if it were to occur? What
can we do to prevent or reduce the risk?
• Risk assessment for financial reporting is management’s
identification and analysis of risks relevant to the preparation of
financial statements in conformity with appropriate accounting
standards.
• Factors that may lead to increased risk include:
– Poor quality of personnel, Geographic dispersion of company
operations, Complexity of core business processes,
Introduction of new information technologies, Economic
downturns, and Entrance of new competitors
– Once management identifies a risk, it estimates the significance of that
risk (it evaluates as high, medium, low), assesses the likelihood of the
risk occurring, and develops specific actions that need to be taken to
reduce the risk to an acceptable level. It is clear that management
addresses the high category risk
• Based on the assessment, management will respond to the risk eg.
– by transferring it to third party (insurance);
– by tolerating it-deciding to live with the risk (tolerable risk) if it is too
expensive to treat it;
– by terminating the risk: deciding to terminate/discontinue the activity
involving a high risk
▪ If management effectively assesses and responds to risks, the risk
of misstatement of the financial statements will be reduced; thus the auditor
will typically accumulate less evidence than when management fails
to identify or respond to significant risks.
Purpose of Management’s & Auditor’s Assessment of Risk:
• Management -it assesses risks as a part of designing and
operating internal controls to minimize errors and fraud
• Auditors -they assess risks to decide the evidence needed in the
audit to satisfy various audit objectives.
How do auditors obtain knowledge about management’s risk
assessment?
• Through questionnaires and discussions with management
What information do they collect in relation to management’s risk
assessment?
– Information about how management identifies risks relevant to
financial reporting,
– how it evaluates the significance and
– likelihood of the risks occurring, and how it decides the
actions needed to address the risks.
3. Control activities
Policies and procedures that help ensure that necessary actions are taken
to address risks to the achievement of the entity’s objectives
• Control activities include both manual and automated controls.
• Control activities generally fall into the following five types:

1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
1. Adequate separation of duties -Adequate internal control
exists when the following duties are separated:
– Custody of assets from accounting
– Authorization of transactions from the custody of related
assets
– Operational responsibility from record keeping responsibility
– IT duties from user departments
2. Proper authorization of transactions and activities
– Every transaction must be properly authorized if controls are
to be satisfactory. (Eg. If any person in an organization could
acquire or expend assets at will, complete chaos would
result).
– The distinction between authorization and approval is also
important; authorization is about the decision on the policies
& procedures; but approval is about implementation of the
authorized policies & procedures.
3. Adequate documents and records
• The occurrence of transactions
should be adequately documented. This means
documents should be:
▪ Pre-numbered, to identify if there are missing
documents;
▪ Prepared at the time a transaction takes place, or as
soon as possible thereafter, to minimize timing errors;
▪ Designed for multiple use, when possible, to
minimize the number of different forms (one form
can be designed so that it provides many
related pieces of information);
▪ Constructed in a manner that encourages correct
preparation (e.g. a well-designed chart of accounts
ensures accurate classification of accounts).
4. Physical control over assets and records
– To maintain adequate internal control, assets and records
must be protected.
– If assets are left unprotected, they can be stolen.
– If records are not adequately protected, they can be stolen,
damaged, altered, or lost, which can seriously disrupt the
accounting process and business operations.
– When a company is highly computerized, its computer
equipment, programs, and data files must be protected. The
data files are the records of the company and, if damaged,
could be costly or even impossible to reconstruct.
– The most important type of protective measure for
safeguarding assets and records is the use of physical
precautions.
Example of physical safeguards include:
• Use of storerooms for inventory to guard against theft.
• Use of Fireproof safes and safety deposit vaults for the protection of assets
such as currency and securities ;
• Off site back-up of computer software and data files.
5. Independent checks on performance
• This last category of control activities is the careful and
continuous review of the other four; it is called independent
checks or internal verification (e.g. it can be achieved
through strict application of separation of duties (the least costly
method), or by having an internal audit department that performs
independent review).
• What justifies the need for internal verification?
– Internal controls tend to change over time, unless there
is frequent review.
– Personnel are likely to forget or intentionally fail to follow
procedures, or they may become careless unless
someone observes and evaluates their performance.
– Regardless of the quality of the controls, personnel can
make errors or commit fraud.
4. Information and Communication
▪ Adequate internal control requires an entity to maintain an
information system:
– That allows the flow of information across organizations
– That clearly communicates employees’ duties and
responsibilities
– That incorporates channels to report suspected improprieties,
and encourages employees’ suggestions for improvement
– That provides relevant and reliable information
– That provides timely, understandable and usable information to
ensure accountability for the related assets (e.g. it requires an
entity to maintain a proper accounting system).
▪ Effective information and communication systems enable the
right people to get information on time to allow appropriate
action (to conduct, manage, and control operations).
▪ An effective information and communication system reduces
the risk of financial misstatements.
5. Monitoring
• It deals with ongoing or periodic assessment of the quality of
internal control by management to determine that:
– Controls are operating as intended and that
– they are modified as appropriate for changes in conditions.
• For many companies, especially larger ones, an internal audit
department is essential for effective monitoring of the
operating performance of internal controls.
▪ Internal control systems must be monitored to assess their
effectiveness, to know if they are operating as intended.
▪ Ongoing monitoring is necessary to react dynamically to
changing conditions: Have controls become outdated,
redundant, or obsolete?
▪ The board, audit committee, the risk assessment process
and internal audit are key components of entity-level
control.
Indicators of good internal control
– Documented policies and procedures
– Physical safeguarding of assets
– Systems to track employees’ activities, systems to follow up
problems and ensure resolution
– Existence of code of conduct, Job description
– BOD’s timely communications of organization’s objectives,
strategy, assignment of responsibilities
– Policies to hire, train, promote and compensate employees
– Positive atmosphere in the work environment
– Safeguards for employees exposing wrong acts (protection for
whistle blowers)
– Clear chain of command, adequate segregation of duties
– Approvals of transactions (setting different levels of approvals
for transactions)
Internal Controls Specific to Information Technology
• Technology can strengthen a company’s
system of internal control but can also provide
challenges
– To address risks associated with reliance
on technology, organizations often
implement specific IT controls
• Auditing standards describe two
categories of controls for IT systems:
–General controls
–Application controls
• General Controls
• are those that relate to all aspects of the IT function.
• They include controls related to the following six categories:
– Administration,
– Separation of IT duties,
– Systems development,
– Physical and on-line security,
– Backup and contingency planning, and
– Hardware controls.
• Application Controls
• relate to the processing of individual transactions.
• Application controls are specific to certain software
applications and typically do not affect all IT functions.
• These controls may be manual or automated and include:
– Input controls
– Processing controls
– Output controls
Process for Understanding Internal Control and
Assessing Control Risk
Auditors need to understand the design and implementation of
controls that are relevant to the audit to identify and assess the
risks of material misstatements
There are four steps in this process:
Step 1: Obtain and Document Understanding of
Internal Control
• Auditors commonly use three types of documents to
obtain and document their understanding of the design of
internal control:
– Narratives-written descriptions of control
– Flowcharts-diagrams showing an overview of control
systems
– Internal control questionnaires-series of yes/no questions
• Auditors use the following methods to evaluate whether
the controls are implemented:
– System walkthrough
– Make inquiries of client personnel
– Inspect documents and records
– Observe entity activities and operations
Step 2: Assess Control Risk
• Obtaining an understanding of the design and implementation of
internal control (step 1) helps the auditor to:
– Make a preliminary assessment of control risk- a measure of the
auditor’s expectation that internal controls will prevent material
misstatements from occurring or detect and correct them if they
have occurred
How do auditors assess control risk?
• The starting point for most auditors is the assessment of entity-level
controls.
– Entity-level controls include controls related to control environment,
management override, risk assessment process, and monitoring
components (audit committee & internal audit), etc
– By nature, entity-level controls have an overarching impact on most
major types of transactions in each transaction cycle.
– Eg. an ineffective board of directors or management’s failure to have
any process to identify, assess, or manage key risks, has the potential to
undermine controls for most of the transaction-related audit objectives.
Thus, auditors generally assess entity-level controls before assessing
transaction specific controls.
• Auditors must evaluate whether key controls are absent in the
design and implementation of internal control over financial
reporting as a part of evaluating control risk and the likelihood of
financial statement misstatements
• Auditing standards define three levels of the absence of internal
controls:
– Level 1: Control deficiency
– Level 2: Significant deficiency
– Level 3: Material weakness

• Level 1: Control deficiency
A control deficiency exists if the design or operation of controls does not permit
company personnel to prevent or detect misstatements on a timely basis in
the normal course of performing their assigned functions.
– A design deficiency exists if a necessary control is missing or not properly
designed.
– An operation deficiency exists if a well-designed control does not operate
as designed or if the person performing the control is insufficiently
qualified or authorized.
• Level 2: Significant deficiency
A significant deficiency exists if one or more control
deficiencies exist that are less severe than a material
weakness (defined below), but important enough to
merit attention by those responsible for oversight of the
company’s financial reporting.
• Level 3: Material weakness
A material weakness exists if a significant deficiency, by
itself, or in combination with other significant
deficiencies, results in a reasonable possibility that
internal control will not prevent or detect material
financial statement misstatements on a timely basis
• A five-step approach can be used to identify
deficiencies, significant deficiencies, and material
weaknesses:
– Identify existing controls
– Identify the absence of key controls
– Consider the possibility of compensating controls (a
control elsewhere in the system that offsets the
absence of a key control, e.g. an owner-manager).
– Decide whether there is a significant deficiency or
material weakness
– Determine potential misstatements that could result
– In some cases, management can correct deficiencies
and material weaknesses before the auditor does
significant testing, which may permit a reduction in
control risk.
Step 3: Design, perform and evaluate Tests of Controls
• Tests of controls are procedures to test effectiveness of
controls in support of a reduced assessed control risk.
• If the results of tests of controls support the design and
operations of controls as expected, the auditor uses
the same control risk as the preliminary assessment
• The auditor is likely to use four types of
procedures to support the operating effectiveness
of internal controls:
▪ Make inquiries of appropriate client personnel
▪ Examine documents, records, and reports
▪ Observe control-related activities
▪ Re-perform client procedures
Step 4: Decide Planned Detection Risk and
Substantive Tests

– The auditor uses control risk assessment and results
of tests of controls to determine planned detection
risk and the related substantive tests for the financial
statement audit.
– The auditor links the inherent risk assessments to
the balance-related audit objectives.
– The audit risk model is used to determine the level of
audit risk
– Control risk is generally set at high for smaller public
companies and nonpublic companies as they face
challenge in implementing effective internal control
due to inadequate separation of duty.
Communicating Internal Control Related Matters
• An auditor can issue one of the three types
of opinions on the effectiveness of internal
control over financial reporting:
– Unqualified: when no material weakness is
found
– Disclaimer of opinion: when the audit team
cannot perform all of the procedures
considered necessary
– Adverse opinion: when one or more
material weaknesses are found
Communications to those Charged With
Governance & Management Letter
The auditor must communicate significant deficiencies and
material weaknesses in writing to those charged with
governance as soon as he becomes aware of their existence.
– The communication is usually addressed to the audit
committee and to management.
– Timely communications may provide management an
opportunity to address control deficiencies before
management’s report on internal control must be issued.
– In some instances, deficiencies can be corrected sufficiently
early such that both management and the auditor can
conclude that controls are operating effectively as of the
balance sheet date.
– Regardless, these communications must be made no later
than 60 days following the audit report release.
Management Letter
• Auditors often identify less significant internal
control-related issues, as well as opportunities
for the client to make operational improvements.
– These issues should also be communicated to
the client.
– The form of communication is often a
separate letter for that purpose, called a
management letter.
– Although management letters are not required
by auditing standards, auditors generally
prepare them as a value-added service of the
audit.
THE END
