CHAPTER 4

Internal Controls
Gashahun 1
Chapter Objectives
 After completing this chapter, you
should be able to:
 Define internal control
 Identify the purposes of internal controls
 Explain the key concepts of internal
controls & control procedures
 Identity the two types of internal controls
 Describe the elements of internal
controls

Gashahun 2
 Meaning of Internal Controls

•Internal control consists of the

policies & procedures
established & maintained by
management to assist in orderly &
efficient conduct of business.
•It’s the system of checks and balances

Gashahun 3
Meaning of Internal Controls
 Internal control is a process designed
to provide reasonable assurance
regarding the achievement of
management’s objectives regarding:
- Reliability of financial reporting
- Efficiency and effectiveness of
operations
- Compliance with related laws, rules, &
regulations

Gashahun 4
Why is an understanding of Internal
Controls important?
 A sufficient understanding of
internal control should be
obtained to plan the audit.
(as per the second Examination
Standard of GAAS)
 Internal control affects audit
risk (AR =IR x CR x DR

Gashahun 5
Key concepts of Internal Controls
 Internal control is the client’s
responsibility and should be designed to
help the client attain goals
 Internal control should provide
reasonable but not absolute assurance;
cost/benefit must be considered.
 Internal control has inherent limitations
(e.g., misunderstandings, mistakes,
fatigue, carelessness, collusion,
management override, cost
considerations etc)

Gashahun 6
Key concepts of Internal Controls
 Internal control is a process. It is a
means to an end, not an end in itself
 Internal control is affected by people.
It's not merely policy manuals and
forms, but people's actions at every
level of the organization.

Gashahun 7
Types of Internal Controls
1. Detective controls are designed to detect errors or
irregularities that may have occurred. Examples:
 Regular supervisory review of account
activity, reports, reconciliations
 Routine spot-checking of transactions,
records and reconciliations (do things make
sense and look reasonable)
 Variance analysis, including budget to
actual comparisons
 Physical inventories
 reconciliation
 Internal audit review of business unit’s
controls
Gashahun 8
Types of Internal Controls
2. Preventive controls are designed to
keep errors or irregularities from
occurring in the first place. Examples
of preventive controls are:
 separation of duties
 proper authorizations
 adequate documentation
 physical security

Gashahun 9
 Who is responsible for Internal
Controls?
 Five responsible parties:
􀂾 Board of Directors
􀂾 Senior Management
􀂾 Financial Management
􀂾 Internal Audit Staff
􀂾 Independent Auditor

Gashahun 10
Elements of Internal Controls

Gashahun 11
The Control Environment
 The control environment is concerned with the
actions, policies, and procedures that reflect
the overall attitude of the client’s top
management, directors, and owners of an entity
about internal control and its importance
 The control environment sets the tone of the
organization by influencing the control
consciousness of people.
 Control environment is viewed as the
foundation for the other components of the
internal control

Gashahun 12
The Control Environment

All of these controls are unnecessary!

Gashahun 13
 Factors relating to the control
environment
1. Management’s philosophy and
operating style
 their approach to taking and
monitoring business risk
 their attitude and actions toward
financial reporting
 their emphasis on meeting financial
and operating goals

Gashahun 14
 Factors relating to the control
Environment
 Manifestations of management
philosophy:
a. Risk takers
 Extremely aggressive in financial
reporting
 Place great emphasis on meeting or
exceeding earnings projections
 Willing to undertake activities of high
risk with the prospect of high return
Gashahun 15
 Factors relating to the control
Environment
b. Risk averters
 Extremely conservative
Management philosophy can also be
manifested in whether the organization
is formal or informal.
Informal: controls implemented by faced to
face contact between employees &
management
Formal: controls implemented by
establishing written policies,
performance reports, & exception
reports
Gashahun 16
Factors relating to the control
environment

...our bonuses
are based on net income.
We all want fat bonuses!
What can we do?

Gashahun 17
 Factors relating to the
control Environment
2. Effectiveness of Board of directors &
audit committee
 The audit committee maintains

communication between the Board of

Directors and internal and external
auditors.
 The audit committee should be

composed of independent auditors

who are not employees or officers of
the entity.
Gashahun 18
 Factors relating to the control
Environment
 Factors affecting the effectiveness of
audit committee:
 Extent of its independence from
management
 Experience & stature of members
 The extent to which it pursues difficulty
questions with management
 Its interaction with the internal &
external auditors

Gashahun 19
 Factors relating to the
control Environment
3. Organizational structure
 The auditor should consider lines

of responsibility and authority.

 Consider tall or flat structure

Flat Structure
Gashahun 20

Tall structure
 Factors relating to the control
Environment
 How does the organization structure
affect the control environment?
 A well-designed structure provides

a basis for planning, directing, &

controlling operations
 It divides authority, responsibility,

and duties among members of the

organization

Gashahun 21
 Factors relating to the control
Environment
 Separation of responsibilities for:
 Authorization of transactions
 Execution of transactions
 Recordkeeping
 Custody of assets

Gashahun 22
 Factors relating to the
control Environment
4. Assignment of authority and responsibility
 Clear understanding of responsibilities by

employees and rules & regulations governing

their actions
 Common methods of communicating internal

controls to employees:
 Job description
 Memos
 Company policies
 Employee handbook
Gashahun 23
 Factors relating to the control
Environment
-
5. Systems development methodology

Does management have a

methodology for developing
and modifying systems and
procedures?

Gashahun 24
 Factors relating to the
control Environment
6. Personnel policies and practices
 Management should ensure that

competent, trustworthy, & motivated

personnel are employed to meet client
goals and objectives.
 Employees are the critical component

of effective internal control.

 With competent, trustworthy, &

motivated personnel, even a poorly

designed system of internal control
may function adequately.
Gashahun 25
 Factors relating to the control
Environment
 Management's policies and practices
for hiring, orientation, training,
evaluating, counseling, promoting,
and compensating employees have a
significant influence on the
effectiveness of the control
environment.

Gashahun 26
 Factors relating to the control
Environment

Without such personnel, even a well-

designed system will probably fail.
Gashahun 27
 Factors relating to the
control Environment
7. Management’s reaction to external
influences
 Is management aware of external

influences such as changes in the

economy and technology?
8. Internal audit
 Does an internal audit department

exist? Does it…?

 Does internal audit assist the

external auditors and reduce audit

fees?
Gashahun 28
 Factors relating to the control
Environment
9. Integrity & Ethical values
 For the internal control to be effective,

those who create, administer, and monitor

controls should have integrity & ethical
values
 Means of reducing improper behavior:

a. Establish behavioral & ethical standards

that discourage employees from engaging
in acts that would be considered dishonest,
unethical, or illegal.

Gashahun 29
 Factors relating to the control
Environment
 Means of communicating ethical
standards: official policies, codes of
conduct, and examples
b. Reduce or remove the incentives and
temptations to engage in such behavior.
Examples:
 Undue pressure to meet unrealistic
performance goals
 Tying management’s compensation to
reported income
 Inadequate or ineffective controls

Gashahun 30
Control Activities
 Policies and procedures that help
ensure that management
directives are carried out and
that necessary actions are taken
to address risks to achievement
of entity objectives
(Accomplishment of objectives
and Mitigation of Risks)
Gashahun 31
Key Factors of Control Activities
1. Adequate Segregation of Duties
 It reduces the risk of both erroneous
and inappropriate actions
 It is a deterrent to fraud
 When it is extremely difficult to
separate related functions, a detailed
supervisory review of related
activities or transactions is required
as a compensating control activity.

Gashahun 32
What should be segregated?
 Separate custody (keeping)
of assets from accounting
 Separate custody of assets from
authorization of transactions
 Separate operational
responsibility from record-
keeping responsibility

Gashahun 33
Key Factors of Control Activities
 What kind of company typically has
difficulty accomplishing adequate
segregation of duties?
 Small companies frequently have
difficulty with segregation of duties
because of fewer employees and
cost constraints

Gashahun 34
Key Factors of Control Activities
2. Proper authorization of transactions
and activities
a. General authorization: management
establishes authorization policies
such as cash receipt policies &
procedures, personnel policies &
procedures etc

Gashahun 35
Key Factors of Control Activities
b. Specific authorization– management
makes authorizations on a case-by-
case basis.

I’m the
president and
I want to approve
every cash
payment!

Gashahun 36
Key Factors of Control Activities
3. Adequate documents and records
 should provide reasonable assurance that

all assets are properly controlled and all

transactions are correctly recorded
 Should be prenumbered & accounted for

 Documents should be prepared during or

soon after the related transaction

 Documents should be understandable &

correctly designed
 Documents should be designed for

multiple purposes

Gashahun 37
Key Factors of Control Activities
4. Adequate safeguards over assets and records
 physical: locking rooms, fenced areas,

fireproof safes, safe deposit boxes, security

guards; access; backup files and recovery
5. Independent checks on performance
 those reviewing performance should be

independent of those performing a task

 Segregation of duties is the least

expensive method of performing independent

checks.

Gashahun 38
Risk Assessment
 The process used to identify, analyze and
manage the relevant risks which may affect
the achievement of the entity’s objectives,
including the preparation of financial
statements that conform to GAAP.
 The central theme of internal control is
identification, analysis, & handling risks
with the purpose of proactively reducing
unwanted surprises

Gashahun 39
Key Factors in Risk Assessment
 Changes in the Operating Environment
 New Personnel
 New or revamped (restored) information
systems
 Rapid Growth
 New Technology
 New Lines, Products or Activities
 Corporate Restructuring
 Foreign Operations
 Accounting Pronouncements

Gashahun 40
 Information and Communication
System
 Methods used to initiate, record, process,
and report an entity’s transactions and to
maintain accountability for related assets.
 For a small company with active
involvement by the owner, a simple
computerized accounting system that
involves one honest, competent accountant
may provide an adequate accounting
system.
 A larger company requires a more complex
system that includes carefully defined
responsibilities and written procedures

Gashahun 41
 Information and Communication
System
 Information to be communicated:
organization’s plan, control environment,
control activities, & performance
 Direction of communication: upward,
downward, & across in the organization
 Information systems produce reports about
operations, financial, and compliance with
laws, rules, & regulations
 Information system may be formal or
informal

Gashahun 42
 Monitoring
 The assessment of internal control performance
over time.
 Methods of assessment: ongoing monitoring and
periodic evaluation (e.g. peer review, self-
assessment, & internal audit) of the quality of
internal control performance to determine whether
controls are operating as intended and modified
when needed.
 For many companies, especially larger ones, an
internal audit department is essential for effective
monitoring.
Gashahun 43
 Monitoring
 To maintain internal audit
independence, it is imperative that
they be independent of operating
and accounting departments; and
that they report to a high level of
authority, preferably the audit
committee of the board of directors.

Gashahun 44
 Monitoring
 Is the process that assesses the
quality of internal control over time.
 Why monitoring? To determine
whether:
 Internal control is operating as intended
 Any modifications are necessary

Gashahun 45
 Monitoring
 Methods of monitoring internal controls
a. Ongoing monitoring: Regularly
performed supervisory & management
activities
b. Separate (periodic) evaluation:
performed on non-routine basis .e.g.
periodic audits by the internal auditors

Gashahun 46
The Auditor’s consideration
of Internal Controls

Gashahun 47
 Use of Internal control information
to the auditor

1. Plan the audit

 Understand the design and
implementation of internal
controls by the client
 Used to determine the nature,
extent, & timing of substantive
tests
Gashahun 48
 Use of Internal control information
to the auditor
2. Assess control risk
 May be high or low
 High control risk means the controls are
weak. This implies that the auditor must
increase the scope of substantive tests
 Low control risk means the controls are
strong. This implies that the auditor
must decrease the scope of substantive
tests

Gashahun 49
Obtain and Document Understanding of
Internal Control
 The independent auditor must also
evaluate whether the designed
controls are actually placed in
operation

Gashahun 50
 Methods of Studying Internal
Controls
 review prior year’s working
papers
 interview prior year auditors
 interview client personnel
 study client policies and
procedures
 study client documents, records,
information and communication
system
Gashahun 51
 Methods of Studying Internal
Controls
 Walkthrough: In a walkthrough, the
auditor selects one or a few
documents for the initiation of a
transaction type and traces them
through the entire accounting
process.

Gashahun 52
 Methods of Documenting
Understanding Internal controls
1. Narratives. Memoranda that
describes the flow of transaction
cycles, identifying the employees
performing the different tasks,
documents prepared, records
maintained, and the division of
duties.

Gashahun 53
 Methods of Documenting
Understanding Internal controls
2. Flow charts. A diagram or symbolic
representation of a system or series
of procedures with each procedure
shown in sequence.
3. Internal Control (IC) questionnaire

Gashahun 54
Internal Control Questionnaires
 a series of questions about
internal controls and their
application to groups of accounts
and cycles
 Generally, a “no” answer
indicates an internal control
weakness

Gashahun 55
Example of IC Questionnaire
 Is cash received deposited in time?
 Is person responsible for cash receipt
different from the one responsible for
recording?
 Is bank reconciliation prepared
monthly?

Gashahun 56
Advantages of IC Questionnaires
 can be designed to cover most
aspects of internal control
 is relatively applicable from one
engagement to another
 when complete, can be quickly
reviewed for weaknesses

Gashahun 57
Disadvantages of IC Questionnaires
 concentrates on pieces of
internal control rather than the
system as a whole
 has questionable reliability; oral
client responses should be
supported by other evidence
 May be too standardized for
some clients, especially smaller
clients
Gashahun 58
 When should internal control
weaknesses be reported to the client?

When there are significant

deficiencies in the design or
operation of internal control.

Gashahun 59
 Significant deficiencies
in the design or operation of
internal control

GAAS requires the

auditor to communicate
(oral or written) with the
audit committee
regarding the significant
deficiencies.
Gashahun 60