Module 12

The document provides an overview of internal control, defining it as the process designed by management to provide reasonable assurance of achieving reliable financial reporting, effective operations, and compliance with laws and regulations. The objectives fall into three categories: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Internal control has five main elements: control environment, risk assessment, information and communication, control activities, and monitoring. It also discusses the nature and purpose of internal controls in more detail.

Uploaded by

Astxil
Overview of Internal Control

NATURE AND PURPOSE OF INTERNAL CONTROL

Internal control is the process designed and effected by those charged with governance, management and other personnel
to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that
internal control is designed and implemented to address identified business risks that threaten the achievement of any of
these objectives.

Those objectives fall into three categories:

• Reliability of the entity’s financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is determined by activities within
the entity's control. However, achieving its objectives relating to operations will depend not only on management's
decisions but also on competitors' actions and other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

Internal control system means all the policies and procedures (internal controls) adopted by the management of an entity
to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its
business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud
and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial
information.

ELEMENTS OF INTERNAL CONTROL

• the control environment;
• the entity's risk assessment process;
• the information system, including the related business processes, relevant to financial reporting, and
  communication;
• control activities;
• monitoring of controls.

Control Environment

The control environment means the overall attitude, awareness and actions of directors and management regarding
the internal control system and its importance in the entity.

Factors reflected in the control environment include:

• The function of the board of directors and its committees;
• Management’s philosophy and operating style;
• The entity’s organizational structure and methods of assigning authority and responsibility;
• Management's control system including the internal audit function, personnel policies and procedures and
  segregation of duties.

The environment in which internal control operates has an impact on the effectiveness of the specific control procedures.
Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values
2. Commitment to Competence
3. Participation by those Charged with Governance
4. Management's Philosophy and Operating Style
5. Organizational Structure
6. Assignment of Authority and Responsibility
7. Human Resources Policies and Procedures

Entity’s Risk Assessment Process

An entity’s risk assessment process is its process for identifying and responding to business risks and the results thereof.
Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they
should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to
accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the
following:

• Changes in operating environment. Changes in the regulatory or operating environment can result in changes in
  competitive pressures and significantly different risks.
• New personnel. New personnel may have a different focus on or understanding of internal control.
• New or revamped information systems. Significant and rapid changes in information systems can change the risk
  relating to internal control.
• Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a
  breakdown in controls.
• New technology. Incorporating new technologies into production processes or information systems may change
  the risk associated with internal control.
• New business models, products, or activities. Entering into business areas or transactions with which an entity has
  little experience may introduce new risks associated with internal control.
• Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and
  segregation of duties that may change the risk associated with internal control.
• Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique
  risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
• New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may
  affect risks in preparing financial statements.

The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but the risk
assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should
have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in small
entities. Management may be aware of risks related to these objectives without the use of a formal process but through
direct personal involvement with employees and outside parties.

Information System, including the Business Processes, Relevant to Financial Reporting and Communication

An information system consists of infrastructure (physical and hardware components), software, people, procedures, and
data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily
manual. Many information systems make extensive use of IT.

The Information System, Including Related Business Processes, Relevant to Financial Reporting

The information system relevant to financial reporting objectives, which includes the accounting system, consists of the
procedures and records designed and established to:

• Initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain
  accountability for the related assets, liabilities, and equity;
• Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to
  clear suspense items out on a timely basis;
• Process and account for system overrides or bypasses to controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than transactions, such as the
  depreciation and amortization of assets and changes in the recoverability of accounts receivables; and
• Ensure information required to be disclosed by the applicable financial reporting framework is accumulated,
  recorded, processed, summarized and appropriately reported in the financial statements.

Journal Entries

An entity's information system typically includes the use of standard journal entries that are required on a recurring basis
to record transactions. Examples might be journal entries to record sales, purchases, and cash disbursements in the general
ledger, or to record accounting estimates that are periodically made by management, such as changes in the estimate of
uncollectible accounts receivable.

An entity’s financial reporting process also includes the use of non-standard journal entries to record non-recurring,
unusual transactions or adjustments. Examples of such entries include consolidating adjustments and entries for a business
combination or disposal or nonrecurring estimates such as the impairment of an asset. In manual general ledger systems,
non-standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation.
When automated procedures are used to maintain the general ledger and prepare financial statements, such entries may
exist only in electronic form and may therefore be more easily identified through the use of computer-assisted audit
techniques.

Related Business Processes

An entity’s business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services;
• Ensure compliance with laws and regulations; and
• Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the information system.
Obtaining an understanding of the entity’s business processes, which include how transactions are originated, assists the
auditor in obtaining an understanding of the entity's information system relevant to financial reporting in a manner that is
appropriate to the entity’s circumstances. Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for
  financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
  statements.
• Determine the time period in which transactions occurred to permit recording of transactions in the proper
  accounting period.
• Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control
over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting
information system relate to the work of others and the means of reporting exceptions to an appropriate higher level
within the entity. Open communication channels help ensure that exceptions are reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda.
Communication also can be made electronically, orally, and through the actions of management.

Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried out, for example,
that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities,
whether within IT or manual systems, have various objectives and are applied at various organizational and functional
levels.

The major categories of control procedures are:

• Performance Review
• Information Processing Controls
• Proper authorization of transactions and activities
• Segregation of duties
• Adequate documents and records
• Safeguards over access to assets
• Independent checks on performance
• Physical controls

A brief discussion of these control procedures follows:

Performance Review

• In a performance review management uses accounting and operating data to assess performance, and it then takes
  corrective action. Such reviews include:
  ◦ comparing actual performance (or operating results) with budgets, forecasts, prior period performance, or
    competitors' data or tracking major initiatives such as cost-containment or cost-reduction programs to
    measure the extent to which targets are being met.
  ◦ investigating performance indicators based on operating or financial data, such as quantity or purchase
    price variances or the percentage of returns to total orders.
  ◦ reviewing functional or activity performance, such as relating the performance of a manager responsible
    for a bank's consumer loans with some standard, such as economic statistics or targets.

  Personnel at various levels in an organization may make performance reviews. Performance reviews may be used by
  managers for the sole purpose of making operating decisions. For example, managers may analyze
  performance data and base operating decisions on them because the data are consistent with their
  expectations. This type of review improves the reliability of the data. However, when managers follow up
  on unexpected results determined by a financial reporting system, performance reviews become a useful
  control over financial reporting.

Information Processing Controls

• Information processing controls are policies and procedures designed to require authorization of transactions and
  to ensure the accuracy and completeness of transaction processing. Control activities may be classified according
  to the scope of the system they affect.

  General controls are control activities that prevent or detect errors or
  irregularities for all accounting systems. General controls affect all transaction cycles and apply to information
  processing as a center, hardware and systems software acquisition and maintenance, and backup and recovery
  procedures.

  Application controls are controls that pertain to the processing of a specific type of transaction, such as
  payroll, or sales and collections. These controls help ensure that transactions occurred, are authorized, and are
  completely and accurately recorded and processed. Examples of application controls include checking the
  arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such
  as input data and numerical sequence checks, and manual follow-up of exception reports.

  General IT controls are
  policies and procedures that relate to many applications and support the effective functioning of application
  controls by helping to ensure the continued proper operation of information systems. General IT controls
  commonly include controls over data center and network operations; system software acquisition, change and
  maintenance; access security; and application system acquisition, development, and maintenance. These controls
  apply to mainframe, miniframe, and end-user environments. Examples of such general IT controls are program
  change controls, controls that restrict access to programs or data, controls over the implementation of new
  releases of packaged software applications, and controls over system software that restrict access to or monitor the
  use of system utilities that could change financial data or records without leaving an audit trail.
• Internal controls relating to the accounting system are concerned with achieving objectives such as:
  ◦ Transactions are executed in accordance with management's general or specific authorization.
  ◦ All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts
    and in the proper accounting period so as to permit preparation of financial statements in accordance with
    an identified financial reporting framework.
  ◦ Access to assets and records is permitted only in accordance with management’s authorization.
  ◦ Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is
    taken regarding any differences.
• Control activities related to the processing of transactions may be grouped as follows: (1) proper authorization, (2)
  design and use of adequate documents and records, and (3) independent checks on performance.

Proper authorization of transactions and activities

• As suggested earlier, authorization for the execution of transactions flows from the stockholders to management
  and its subordinates. Before a transaction is entered into with another party, certain conditions must usually be
  met. As part of the evaluation of the potential transaction, documentation will be created. The auditor uses this
  documentation to determine whether business transactions are properly authorized. For example, the purchase of
  inventory may create a purchase order, a receiving report, and a vendor invoice. By inspecting these documents
  and comparing them with company policy, the auditor may be reasonably satisfied that a business transaction was
  authorized and executed in a manner consistent with company policy.

Segregation of duties

• An important element in designing an internal accounting control system that safeguards assets and reasonably
  ensures the reliability of the accounting records is the concept of segregation of responsibilities. No one person
  should be assigned duties that would allow that person to commit an error or perpetrate fraud and to conceal the
  error or fraud. For example, the same person should not be responsible for recording the cash received on account
  and for posting the receipts to the accounting records.

Adequate documents and records

• The use of adequate documents and records allows the company to obtain reasonable assurance that all valid
  transactions have been recorded.

Access to assets

• The resources of a client can be protected by the establishment of physical barriers and appropriate policies. For
  example, inventories may be kept in a storeroom, or negotiable instruments may be placed in a safe deposit box.
  Appropriate company policies are adopted so that only authorized persons have access to company resources.
  Safeguarding of assets is more than establishing physical barriers. A client should design its internal accounting
  control system so that documents authorizing the movement of assets into an organization or out of an
  organization are adequately controlled.

Independent checks on performance

• The objective of a well-designed internal accounting control system is the adoption of procedures that periodically
  compare the actual asset with its recorded balance. Regardless of the effectiveness of an internal control system,
  some transactions may not be accurately recorded, and some assets may be misappropriated. An important part of
  an internal accounting control system is to determine the effectiveness of recording policies and asset access
  policies. This is accomplished by periodic counts of assets by the client and comparing the counts to the balances
  in the general ledger account. Examples are the count of inventory and the preparation of monthly bank
  reconciliation.

Physical Controls

• Controls that encompass:
  ◦ The physical security of assets, including adequate safeguards such as secured facilities over access to
    assets and records.
  ◦ The authorization for access to computer programs and data files.
  ◦ The periodic counting and comparison with amounts shown on control records (for example, comparing
    the results of cash, security and inventory counts with accounting records).

Monitoring of Controls

Monitoring, the final component of internal control, is the process that an entity uses to assess the quality of internal
control over time. Monitoring involves assessing the design and operation of controls on a timely basis and taking
corrective action as necessary. Management monitors controls to consider whether they are operating as intended and to
modify them as appropriate for changes in conditions. In many entities, internal auditors evaluate the design and operation
of internal control and communicate information about strengths and weaknesses and recommendations for improving
internal control. Some monitoring activities may include communications from external parties. For example, customers
implicitly corroborate sales data by paying their bills or raising questions. Also, bank regulators, other regulators, and
outside auditors may communicate about the design or effectiveness of internal control.

Monitoring activities may include using information from communications from external parties that may indicate
problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their
invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters
that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory
agencies. Also, management may consider communications relating to internal control from external auditors in
performing monitoring activities.
