INTERNAL CONTROL
CHAPTER 4
Internal Control Defined
Internal control is a process, effected by an entity’s board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in
the following three categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Safeguarding of assets
• Compliance with applicable laws and regulations
Characteristics of Internal Control
Internal controls are
• Continuous: built into operations; not one single event; dynamic
• Effected by people: “Only you can prevent forest fires”
• Able to provide reasonable assurance: not absolute assurance
• Adaptable: to the entire entity or to a particular division, business process, etc.
Components of Internal Control
1) The Control Environment
2) Risk Assessment
3) Information and Communication
4) Control Activities
5) Monitoring Activities
1. The Control Environment
The control environment is concerned with the
actions, policies, and procedures that reflect
the overall attitude of the client’s top
management, directors, and owners of an entity
about internal control and its importance.
a) Integrity and ethical values
b) Commitment to competence
c) Board of directors and audit committee
d) Management’s philosophy and operating style
e) Organizational structure
f) Assignment of authority and responsibility
g) Human resource policies and practices
a) Integrity and Ethical Values
Management actions
to remove incentives
that prompt a person
to behave improperly.
Communication of
behavioral standards
by codes of conduct
and example.
b) Commitment to Competence
Management’s
consideration of the
competence levels for
specific jobs and how
those translate into
requisite skills and
knowledge.
c) Board of Directors and Audit
Committee
Board delegates responsibility
for internal control to
management and is charged
with regular independent
assessments of management-
established internal control.
The major stock exchanges
require listed companies to have
an audit committee composed of
entirely independent directors
who are financially literate.
d) Management’s Philosophy and
Operating Style
Management, through its activities, provides clear
signals to employees about the importance of
internal control. For example, are sales and earnings
targets unrealistic, and are employees encouraged to
take aggressive actions to meet those targets?
e) Organizational Structure
Understanding the
client’s organizational
structure provides the
auditor with an
understanding of how
the client’s business
functions and
implements controls.
f) Assignment of Authority and
Responsibility
Formal methods of communication including:
• Top management memoranda concerning internal control
• Organizational operating plans
• Employee job descriptions
g) Human Resource Policies and
Practices
If employees are honest
and trustworthy, other
controls can be absent and
reliable financial
statements will still result.
Methods by which persons
are hired, trained,
promoted, and
compensated are important
elements of internal
control.
2. Risk Assessment
Involves a dynamic and iterative process for
identifying and assessing risks
Risk: the possibility that an event will occur
and adversely affect the achievement of
objectives.
Client management’s identification and
analysis of risks relevant to the preparation of
the financial statements in accordance with
IFRS.
3. Control Activities
Policies and procedures that client management
has established to meet its objectives for financial
reporting.
1. Adequate segregation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Control Activities
• The actions established through policies and
procedures that help ensure management’s
directives to mitigate risks are carried out.
• Performed at all levels within the entity
Types:
• Preventive and detective and corrective
• Compensating
• Manual and automated
Examples:
• Approvals & Authorizations
• Embedded verifications
• Reconciliations
• Independent Reviews
• Asset security
• Segregation of duties
Preventive Control
Prevents the occurrence of a negative event in a proactive manner
Examples:
• Approval for purchase > $5,000
• Passwords for access to Banner
• Petty cash held in lockbox
• Security and surveillance systems
• Pre-numbered checks
Detective Control
Detect the occurrence of a negative event after the fact in a reactive manner
Examples:
• Supervisor review & approval
• Report run showing user activity
• Reconcile petty cash
• Physical inventory count
• Review missing/voided checks
Control Activities
• If a weakness or limitation exists within the control environment, a
compensating control may be relied upon to mitigate the risk
• Can be preventive or detective
• Example: A unit does not have the staff resources to establish an
adequate segregation of duties. Potential compensating controls could
include:
o Automation of certain transaction data that cannot be altered by the staff
o Manager review of detailed summary reports of the transactions initiated by
the staff
o Peer staff and/or manager selects a sample of transactions and vouches back
to supporting documentation
COSO cube – 5 Integrated Components
Control Activities
Manual Control
Require action to be taken by employees, e.g.,
• Obtain supervisor’s approval for overtime
• Reconcile bank accounts
• Match receiving to POs
Automated Control
Built into network infrastructure and software applications, e.g.,
• Passwords
• Data entry validation checks
• Batch controls
1. Adequate Segregation of Duties
Separation of the
functions of
authorization,
recordkeeping, and
custody.
Separating IT duties
from User
Departments
2. Proper Authorization of Transactions
and Activities
General authorization
is permissible for
routine events for
which there are
policies to follow.
For some transactions
specific authorization
is needed on a case-
by-case basis.
3. Adequate Documents and Records
Prenumbered
consecutive
documents so missing
items are noticed
Prepared as near to
transaction time as
possible
Good design with
instructions and
appropriate spaces
4. Physical Control Over Assets and
Records
Deterrents to prevent
physical access.
Access controls to
prevent getting into
computer system.
Backup and recovery
procedures
5. Independent Checks on Performance
Personnel are likely to
forget or intentionally
fail to follow
procedures, or they
may become careless
unless someone
observes and evaluates
their performance.
4. Information and Communication
• Information is necessary to carry out internal control
responsibilities to support achievement of objectives
• Communication: the continual, iterative process of
providing, sharing, and obtaining necessary information
• Internal and external
• Information should be timely, accessible, and allow for
successful control actions
Key: To communicate the right information to the
right people at the right time
5. Monitoring Activities
Client management’s ongoing and periodic
assessment of the quality of internal control
performance to determine whether controls are
operating as intended and modified when needed.
For many companies, especially larger ones, an
internal audit department is essential for effective
monitoring.
To maintain internal audit independence, it is
imperative that they be independent of operating and
accounting departments; and that they report to a
high level of authority, preferably the audit
committee of the board of directors.
Monitoring Activities
• Evaluations used to ascertain whether
components of internal control are
present and functioning
• Ongoing evaluations:
– Built into business processes
– Provide timely information
• Separate evaluations:
– Conducted periodically
– Vary in scope and frequency
– Dependent on assessment of risks, effectiveness of ongoing
evaluations, other management considerations
• Findings are evaluated against relevant criteria
• Deficiencies are communicated to the Board and Sr. Management
Responsibility for Internal Control
• Management’s responsibility
– Responsibility for establishing and maintaining adequate internal
control over financial reporting
– Assess and report on the effectiveness of internal control over
financial reporting
• Auditors’ responsibility
– For public companies, must audit and issue an opinion about the
effectiveness of the internal control over financial reporting
– For each fraud risk, must evaluate whether controls are in place to
mitigate the fraud risk
– Must assess control risk to determine the nature, timing and extent of
substantive procedures to be performed
Limitations of Internal Control
• Human error
• Collusion
• Management override
• Cost/benefit analysis
– There is often a trade-off between the cost and the
effectiveness of internal controls.
– The concept of reasonable assurance recognizes that the
cost of an entity’s internal control should not exceed the
benefits that are expected to be derived.