
Internal control systems
The auditors must understand the accounting system and control environment in order to
determine their audit approach.
Internal control is a process designed, implemented and maintained by those charged with
governance, management, and other personnel to provide reasonable assurance about the
reliability of financial reporting, effectiveness and efficiency of operations, and compliance
with applicable laws and regulations.
An understanding of internal control assists the auditor in identifying types of potential
misstatements and factors that affect the risks of material misstatement, and in designing the
nature, timing and extent of further audit procedures.
Many of these controls will relate to financial reporting, operations and compliance, but NOT
ALL of the entity's objectives and controls will be relevant to the auditor's risk assessment.
The auditor can then decide whether it is more efficient to seek reliance on those controls and
perform tests of controls in that area, OR more efficient to perform substantive testing over
that area.
5 Components of Internal control systems
C: Control activities
R: Entity's Risk assessment process
I: Information system
M: Monitoring of controls
E: Control Environment
Components of Internal Control
Internal control components: ISA 315 Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment considers the
components of an entity's internal control. It identifies the following components:
1. Control Environment
is the culture, attitude, awareness and actions of those charged with governance and
management concerning the entity's internal control
Read pg 172 BPP text book for further understanding
Auditors assess whether these elements of the control environment have been implemented using a
combination of enquiries of management, observation and inspection
2. Entity's Risk assessment process
is the process by which management goes about:
Identifying business risks relevant to financial reporting objectives
Estimating the significance of the risks
Assessing the likelihood of their occurrence
Deciding on actions to address those risks
Established risk assessment procedures?
YES: the auditor shall obtain an understanding of it
NO: the auditor shall discuss with management whether relevant business risks have been
identified and how they have been addressed
3. Information system
is the set of processes related to the financial reporting system (accounting system)
consists of the procedures designed and established to initiate, record, process, and report
entity transactions and to maintain accountability for the related assets, liabilities, and
equity
4. Control activities
are the policies and procedures which help ensure that management directives are carried out
include those activities designed to prevent or to detect and correct errors.
authorisation
performance reviews
information processing
physical controls
segregation of duties.
5. Monitoring of controls
is a process to assess the effectiveness of internal control on a timely basis and to take
necessary remedial actions
Management accomplishes the monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two. Ongoing monitoring activities are often built into the
normal recurring activities of an entity and include regular management and supervisory
activities.
Examples of Control activities
Approval and control of documents (Authorisation): Transactions should be approved by an
appropriate person. For example, overtime should be approved by departmental managers.
Controls over computerized applications (Information processing): We shall look at computer
controls later in this chapter.
Checking the arithmetical accuracy of records (Information processing): For example, checking
to see if individual invoices have been added up correctly.
Comparing the results of cash counted and inventory counts with accounting records
(Performance review): eg in a physical count of petty cash, the balance shown in the cash book
should be the same as the amount held in hand.
Reconciliations (Information processing): A reconciliation is a comparison of a specific
balance in the accounting records with what another source says the balance should be; eg a
bank reconciliation. Differences between the two figures should only be reconciling items
(resulting from eg timing differences).
Comparing internal data with external sources of information (Performance review): eg
comparing records of goods despatched to customers with customers' acknowledgement of goods
that have been received.
Limiting physical access to assets and records (Physical control): Only authorised personnel
should have access to certain assets (particularly valuable or portable ones), eg ensuring
that the inventory stores are locked unless store personnel are there.
Segregation of duties (Segregation of duties): Assigning different people the responsibility of
authorising transactions, recording transactions and maintaining custody of assets.
Segregation of duties
implies a number of people being involved in the accounting process.
this makes it more difficult for fraudulent transactions to be processed (since a number of
people would have to collude in the fraud)
it is also more difficult for accidental errors to be processed (since the more people are
involved, the more checking there can be)
Segregation should take place in various ways:
(a) Segregation of function:
carrying out a transaction
recording that transaction in the accounting records
maintaining custody of assets that arise from the transaction.
(b) Segregation in various steps in carrying out the transaction
(c) Segregation in carrying out of various accounting operations
Eg: the same staff should not record transactions and carry out the reconciliations at
the period end.
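An added example (not part of the original slides): a Python check that applies the segregation rules above to a transaction trail and lists where one person held incompatible duties. The trail format, user names and duty labels are constructed for illustration.

```python
from collections import defaultdict

# Duties that must be split between different people, taken from the slide:
# (a) authorise / record / custody on the same transaction,
# (c) recording transactions and reconciling at the period end.
PER_TXN_DUTIES = {"authorise", "record", "custody"}
PERIOD_CONFLICT = ("record", "reconcile")

# Constructed sample audit trail: (transaction id, duty, user).
# Reconciliations are period-level, so they carry the id "PERIOD-END".
SAMPLE_TRAIL = [
    ("PO-1001", "authorise", "asha"),
    ("PO-1001", "record", "ben"),
    ("PO-1001", "custody", "chen"),
    ("PO-1002", "authorise", "dana"),
    ("PO-1002", "record", "dana"),       # same person authorises and records
    ("PO-1002", "custody", "chen"),
    ("PO-1003", "authorise", "asha"),
    ("PO-1003", "record", "ben"),
    ("PO-1003", "custody", "ben"),       # recorder also holds the asset
    ("PERIOD-END", "reconcile", "ben"),  # ben also recorded during the period
]

def sod_exceptions(trail):
    """Return a sorted list of (scope, user, duties) segregation exceptions."""
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> user -> duties
    by_user = defaultdict(set)                      # user -> duties in period
    for txn, duty, user in trail:
        by_txn[txn][user].add(duty)
        by_user[user].add(duty)

    exceptions = []
    # Rule (a): one person holding two or more duties on one transaction.
    for txn, users in by_txn.items():
        for user, duties in users.items():
            held = duties & PER_TXN_DUTIES
            if len(held) > 1:
                exceptions.append((txn, user, tuple(sorted(held))))
    # Rule (c): one person both recording and reconciling in the period.
    for user, duties in by_user.items():
        if set(PERIOD_CONFLICT) <= duties:
            exceptions.append(("period", user, PERIOD_CONFLICT))
    return sorted(exceptions)

if __name__ == "__main__":
    for scope, user, duties in sod_exceptions(SAMPLE_TRAIL):
        print(f"{scope}: {user} holds {' + '.join(duties)}")
```

Each exception is a lead for enquiry rather than proof of a deficiency, since a compensating control such as supervisory review may exist.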
Limitations of internal control components
Collusion from staff
May result in fraud no matter how strong the controls are
Practice is different from theory
The specific circumstances of the entity may make some controls unworkable, or liable to be
manipulated in practice by those involved in the system
Recording accounting and control systems
The auditors must keep a record of the client's systems, which must be updated each year.
There are several techniques for recording the assessment of control risk:
Narrative notes
Questionnaires
Flowcharts
Checklist
Narrative notes
ADVANTAGES
relatively simple to record and can facilitate understanding by all audit team members
can be used for any system due to the method's flexibility
editing in future years can be relatively easy if they are computerised
DISADVANTAGES
a lot more time consuming than representing the system as a simple flowchart, especially if
the system is complex
difficult to update if written manually
difficult to identify missing internal controls because they only record the detail of systems
but not exceptions
Flowcharts
ADVANTAGES
can be prepared quickly
easy to follow and review as the information is presented in a standard form
standard control symbols mean missing controls are easy to spot
eliminate the need for extensive narrative and can be of considerable help in highlighting the
salient points of control and any deficiencies in the system
DISADVANTAGES
narrative notes will still be needed to explain the flowchart and hence it can be time
consuming
major amendment is difficult without redrawing
time can sometimes be wasted by charting areas that are of no audit significance
Questionnaires
Internal Control Questionnaires (ICQs): used to determine whether controls exist which meet
specific control objectives.
Internal Control Evaluation Questionnaires (ICEQs): used to ask whether there are controls
which prevent or detect specified errors or omissions.
For more examples, read BPP pg 180.
Advantages of Questionnaires
If drafted thoroughly, they can ensure all controls are considered
They are quick to prepare
They are easy to use and control
Because they are drafted in terms of objectives rather than specific controls, ICEQs are easier
to apply to a variety of systems than ICQs
Answering ICEQs should enable auditors to identify the key controls which they are most likely
to test during control testing
ICEQs can highlight deficiencies where extensive substantive testing will be required.
Disadvantages of Questionnaires
The principal disadvantage is that they can be drafted vaguely, hence misunderstood and
important controls not identified
may contain a large number of irrelevant controls
may not include unusual controls, which are nevertheless effective in particular circumstances.
can give the impression that all controls are of equal weight. In many systems one NO answer
(for example lack of segregation of duties) will cancel out a string of YES answers
client may be able to overstate controls
Checklist
Checklists may be used instead of questionnaires to document and evaluate the internal
control system.
statements are made to 'mark off' and tick boxes are used to indicate where the statement
holds true.
Eg: a checklist may state
'Supplies are examined on arrival as to quantity and quality'
(ticked if this does actually occur, or crossed if not)

Checklists share many of the same advantages and disadvantages of ICQs and ICEQs.
Tests of controls
performed to obtain audit evidence about the effectiveness of the:
design of the accounting and internal control systems, ie whether they are suitably
designed to prevent, or detect and correct, material misstatement at the assertion level
operation of the internal controls throughout the period.
Auditors should consider:
How controls were applied
The consistency with which they were applied during the period
By whom they were applied
Substantive test
Substantive Audit Procedures
Analytical Procedure: Proof in total, reasonable test, ratio analysis.
Test of Account Balances: Verify, Inspection, Confirmation, Reconciliation, Post year-end
review, Physical Inspection
Test of Transactions: Vouching, Tracing, Recalculation, Sequential Test
Procedures for tests of control
Inspection of documents supporting controls or events to gain audit evidence that internal
controls have operated properly,
eg verifying that a transaction has been authorised
Enquiries about internal controls which leave no audit trail,
eg determining who actually performs each function, not merely who is supposed to
perform it
Reperformance of control procedures
eg reconciliation of bank accounts, to ensure they were correctly performed by the entity
Examination of evidence of management views
eg minutes of management meetings
Testing of internal controls operating on computerised systems or over the overall IT function,
eg access controls
Observation of controls to consider the manner in which the control is being operated
Communication of deficiencies in internal control
A deficiency in internal control exists when:
(a) A control is designed, implemented or operated in such a way that it is unable to
prevent, or detect and correct, misstatements in the financial statements on a timely basis
(b) A control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing
Significant deficiencies in internal controls shall be communicated in writing to those charged
with governance and management
Impact of deficiencies on the auditor's reliance on internal control (pg 185)
Where significant deficiencies are identified, the auditor will have to use purely
substantive procedures to obtain sufficient appropriate audit evidence; the auditor will not
seek to place reliance on internal controls.
Deficiencies may not be identified during planning and risk assessment, and only
become apparent later in the audit process. If this is the case, and the original
audit plan was based on a reliance on internal controls, that audit plan will need
to be amended, with the likely result that further audit procedures will need to
be performed.
Internal controls in a computerised environment
GENERAL CONTROLS
Development/implementation of computer applications
Full testing procedures using test data
Segregation of duties so that those responsible for design are not responsible for testing
Installation procedures so that data is not corrupted in transition when transferring data
from the old system to the new system
Review of the report from the IT department on any deficiencies noted during the transfer of
data
Training of staff in new procedures and availability of adequate documentation
Prevention or detection of unauthorised changes
Segregation of duties (between the person who enters the transaction and the person who
amends it)
Full records of program changes (Report)
Password protection of programs so that access is limited to computer operations staff
Restricted access to the central computer by locked doors, keypads or a password to enter the
room where the central computer is located
Restricted access to authorised users only (password)
Virus checks on software: use of anti-virus software and a policy prohibiting use of
non-authorised programs or files
Back-up copies of programs being taken and stored in other locations
