
Internal Controls

The document discusses internal controls, providing definitions from COSO and PSA 315. It outlines the four essential concepts of internal control: it is a process effected by those charged with governance, management, and other personnel to provide reasonable assurance of achieving objectives. The objectives are categorized as effectiveness and efficiency of operations, compliance with laws and regulations, and reliability of financial reporting. It also discusses the components of an internal control system: control environment, risk assessment, information and communication, control activities, and monitoring. Each component is defined in one to three sentences.

Uploaded by Andrea Valdez

A401

Internal Controls
INTERNAL CONTROL:
COSO Definition

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations
COSO, 1992, p. 9
INTERNAL CONTROL:
PSA 315 Definition

The process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objective with regard to reliability of financial reporting, effectiveness, and efficiency of operations and compliance with applicable laws and regulations.
Four Essential Concepts
#1 Internal control is a process.
#2 Internal control is effected by those charged with governance, management, and other personnel.
#3 Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives.
• Limitations:
  • Cost-benefit concerns
  • Directed at routine transactions
  • Human error
  • Possibility of collusion
  • Possibility of control override
  • Inadequacy of procedures due to changes
#4 Internal control is designed to help achieve the entity’s objectives.
• Categories of the objectives:
  • Effectiveness and efficiency of operations
  • Compliance with laws and regulations
  • Reliability of financial reporting
Control categories according
to business objectives
Operational controls
Operational controls are controls that help
to reduce operational risks, or identify
failures in operational systems when these
occur. The nature of operational risks
varies between companies, because their
operations differ widely.
In general terms, operational risks are
risks of failures in operations due to
factors such as human error, a failure in
processes, a failure in systems, and so on.
Compliance controls
Compliance controls are concerned with making
sure that an entity complies with all the
requirements of relevant legislation and
regulations.
When regulations are specific, compliance controls often involve detailed procedures for checking that every regulation has been properly complied with, and that there is documentary evidence that the checks have been made. This is often called a box-ticking approach to compliance.
• A box-ticking approach to compliance control is more usually associated with a rules-based approach to regulation rather than a principles-based approach.
Financial controls
Financial controls have been explained as internal accounting controls that are sufficient to provide reasonable assurance that:
• transactions are made only in accordance with the general or specific authorisation of management
• transactions are recorded so that financial statements can be prepared in accordance with accounting standards and generally-accepted accounting principles
• transactions are recorded so that assets can be accounted for
• access to assets is only allowed in accordance with the general or specific authorisation of management
• the accounting records for assets are compared with actual assets at reasonable intervals of time, and appropriate action is taken whenever there are found to be differences.
SPAMSOAP
Some years ago, a guideline of the UK Auditing Practices
Board identified eight categories of internal (financial)
controls, which can be remembered by the mnemonic
SPAMSOAP.

• Segregation of Duties: Where possible, duties should be divided between two or more people
• Physical Controls: These are measures to protect assets against theft, loss or physical damage
• Authorization & approval controls: These are controls over spending decisions and decisions to enter into transactions.
• Management controls: Controls applied by management. An example is the system of budgeting.
• Supervision: Controls can be applied by supervising the work done by employees
• Organization Controls: There should be lines of reporting from junior to senior staff
• Arithmetical & accounting controls: Examples are control total checks and bank reconciliation checks
• Personnel controls: There should be controls over the selection and training of employees
Reflection:
Observe USJR. What examples can you give for each of the three control categories?
• Operational controls
__________________________________
• Compliance controls
__________________________________
• Financial controls
__________________________________
Internal Control System, Defined
Means all the policies and procedures
(internal controls) adopted by the
management of an entity to assist in
achieving management’s objective of
ensuring, as far as practicable, the orderly
and efficient conduct of its business, including
adherence to management policies, the
safeguarding of assets, the prevention and
detection of fraud and error, the accuracy
and completeness of the accounting records,
and the timely preparation of reliable financial
information.
Components of internal control
The components:
• Control Environment
• Risk Assessment
• Information and Communication Systems
• Control activities
• Monitoring
CONTROL ENVIRONMENT
• Management’s & board of directors’ attitude, awareness, & actions regarding internal control
• Captures importance of control in management’s operating style
• “Tone at the top”
• Foundation for effective internal control, providing discipline and structure.
Control Environment (cont’d)
Factors reflected in the control environment include:
• Communication and enforcement of integrity and ethical values
• Commitment to competence
• Management philosophy and operating style
• Active participation of those charged with governance
• Personnel policies and procedures
• Assignment of responsibility and authority
• Organizational structure
RISK ASSESSMENT
Risk assessment is the process used by
companies to identify and assess the risks
that the company faces, and changes in
those risks. The risk assessment process
involves prioritising the risks, and (if possible)
putting a quantitative measurement to them.
Risk assessment
Business risk – the risk that the entity’s business objectives will not be attained as a result of internal and external factors such as
• Technological developments
• Changes in operating environment
• New personnel
• New or revamped information systems
• Rapid growth
• New business models, products, or activities
• Corporate restructurings
• Expanded foreign operations
• New accounting pronouncements
• Changes in customer demands
• Economic changes
Risk assessment: an example
A manufacturing company might categorise
its operational risks as: selling and markets,
delivery, production, and purchasing and
resources. Most of these risk categories
involve more than one function or
department within the company. Selling and
markets is an aspect of operations that
affects not just the marketing department,
but also research and development, quality
control and customer services, and so on.
Risk assessment: a reflection
If you were to assess the risks for USJR,
identify at least three risk categories,
preferably spread across the different
company objectives.

________________________________
________________________________
________________________________
________________________________
________________________________
________________________________
________________________________
INFORMATION AND
COMMUNICATION SYSTEMS
Within a system of internal control, there
must be a system for reporting to
management information about risks, the
effectiveness of controls, failures in control
and the success of action to remove
weaknesses in controls and reduce risks.
The information provided needs to be
timely, relevant and reliable.
Information and communication systems
Information system
• Financial reporting system
  • Consists of the procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity.
  • CLASSIFY, MEASURE, SUMMARIZE, DISCLOSE
Communication
• Involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
• Can be made electronically, orally, and through the actions of management.
CONTROL ACTIVITIES
Are the policies and procedures that help ensure that management directives are carried out.
• Performance Reviews
• Information Processing
• Proper authorization of transactions and activities
• Segregation of duties
• Adequate documents and records
• Safeguards over access to assets
• Independent checks on performance
• Physical Controls
• Segregation of Duties
• Management (authorization)
• Custody (transaction execution)
• Accounting (recording transactions)
• Monitoring (independent checks on performance)
CONTROL ACTIVITIES
Categories

Preventive controls
• Intended to prevent misstatement
Detective controls
• Detect misstatements that have occurred
Control Activities
Categories
General Controls
• Control activities that prevent or detect irregularities for all accounting systems
• Policies and procedures that relate to many applications and support the functioning of application controls by helping to ensure the continued proper operation of information systems.
• Examples: Controls over data center and network operations; system software acquisition, change, and maintenance; access security; application system acquisition, development, maintenance
Application Controls
• Controls that pertain to the processing of certain types of transaction.
• Controls that apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
• Examples: Checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow up of exception reports.
Control Activities
Authorization
All transactions should be authorized by responsible personnel acting within scope of prescribed authority, responsibility
• Specific authorization
  • Required for each transaction
  • Typically unusual transactions
• General authorization
  • Policies, procedures for typical transactions
Segregation Of Duties
Optimum segregation of duties exists when collusion is necessary to circumvent controls
Separate functions for
• Custody (transaction execution)
• Authorization (management)
• Recording (accounting)
• Monitoring (independent checks on performance)
Design, Use Documents & Records
Evidence of executed transactions
• Represent an audit trail
Impact efficiency
• Designed for multiple use
• Prenumbered consecutively
• Easy to complete
Access To Assets & Records
Access limited to authorized personnel by
• Locks for physical protection
• Limits on employee access online
• Codes to authorize access
Example of control activities
Monitoring
Process of assessing the quality of internal control performance over time.
Involves assessing the design and operation of controls on a timely basis.
• Ongoing monitoring
  • For recurring activities
• Separate monitoring
  • Self-assessment performed by managers over the controls in their areas of responsibility
  • Independent checks performed by outsiders such as internal or independent auditors.
CASE ANALYSIS
CASE 1
In Yaya Company, operations director Ben Janoon
recently realised there had been an increase in
products failing the final quality checks. These
checks were carried out in the QC (quality control)
laboratory, which tested finished goods products
before being released for sale. The product failure
rate had risen from 1% of items two years ago to
4% now, and this meant an increase of hundreds
of items of output a month which were not sold on
to Yaya's customers. The failed products had no
value to the company once they had failed QC as
the rework costs were not economic. Because the
increase was gradual, it took a while for Mr Janoon
to realise that the failure rate had risen.
A thorough review of the main production
operation revealed nothing that might explain the
increased failure and so attention was focused
instead on the QC laboratory. For some years, the
QC laboratory at Yaya, managed by Jane Goo, had
been marginalised in the company, with its two
staff working in a remote laboratory well away
from other employees. Operations director Ben
Janoon, who designed the internal control systems
in Yaya, rarely visited the QC lab because of its
remote location. He never asked for information on
product failure rates to be reported to him and did
not understand the science involved in the QC
process. He relied on the two QC staff, Jane Goo
and her assistant John Zong, both of whom did
have relevant scientific qualifications.
The two QC staff considered themselves
low paid. Whilst in theory they reported to
Mr Janoon, in practice, they conducted
their work with little contact with
colleagues. The work was routine and
involved testing products against a set of
compliance standards. A single signature
on a product compliance report was
required to pass or fail in QC and these
reports were then filed away with no-one
else seeing them.
It was eventually established that Jane
Goo had found a local buyer to pay her
directly for any of Yaya's products which
had failed the QC tests. The increased
failure rate had resulted from her signing
products as having 'failed QC' when, in
fact, they had passed. She kept the
proceeds from the sales for herself, and
also paid her assistant, John Zong, a
proportion of the proceeds from the sale
of the failed products.
Required:
• (a) Explain the internal control deficiencies that led to the increased product failures at Yaya.
• (b) Propose recommendations to address the internal control deficiencies noted.
CASE 2
SouthLea Co is a construction company
(building houses, offices and hotels)
employing a large number of workers
on various construction sites. The
internal audit department of SouthLea
Co is currently reviewing cash wages
systems within the company.
The following information is available concerning the wages systems:
• (i) Hours worked are recorded using a clocking in/out system. On arriving for work and at the end of each day's work, each worker enters their unique employee number on a keypad.
• (ii) Workers on each site are controlled by a foreman. The foreman has a record of all employee numbers and can issue temporary numbers for new employees.
• (iii) Any overtime is calculated by the computerised wages system and added to the standard pay.
• (iv) The two staff in the wages department make amendments to the computerised wages system in respect of employee holidays, illness, as well as setting up and maintaining all employee records.
• (v) The computerised wages system calculates deductions from gross pay, such as employee taxes, and net pay. Finally a list of net cash payments for each employee is produced.
• (vi) Cash is delivered to the wages office by secure courier.
• (vii) The two staff place cash into wages packets for each employee along with a handwritten note of gross pay, deductions and net pay. The packets are given to the foreman for distribution to the individual employees.
Required:
• (i) Identify and explain deficiencies in SouthLea Co's system of internal control over the wages system that could lead to misstatements in the financial statements;
• (ii) For each deficiency, suggest an internal control to overcome that deficiency.