Chapter Five

Internal Control, internal and External Auditing.

Contents
• Meaning &Definition
• The control process
• Types and classification of controls
• Components of internal control
• Limitations of internal control
• Evaluating internal control
• Internal Control and Auditors
• Internal Auditing and External Auditing
 Meaning of IC

Any organization wishing to conduct its business in an orderly and

efficient manner and to produce reliable financial accounting
information, both for its own and for others’ use needs some controls
to minimize the effects of the endemic human failings(with the best
intentions or intentional falsification).
When such controls are implemented within the organization’s
systems they are described as internal controls.
Internal controls are mechanisms designed to control all of an
entity’s functions, not just its accounting function.
2
Meaning of IC
• An internal control system encompasses the
policies, processes, tasks, behaviors and other
aspects of a company that, taken together:
• Facilitate its effective and efficient operation by
enabling it to respond appropriately to significant
business, operational, financial, compliance and other
risks to achieving the company’s objectives
• Help ensure the quality of internal and external
reporting
• Help ensure compliance with applicable laws and
regulations

3
Definition of I C * COSO

•Internal control is ‘a process, effected by an entity’s board of

directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in
the following categories:
 Effectiveness and efficiency of operations
 Reliability of financial reporting
 Compliance with applicable laws and regulations’. (COSO)
•Internalcontrol system is any policy& procedure set by
management in order to control problems that can
prevent the organization from achieving its goal.

* Committee of Sponsoring Organizations of the Tread way Commission

4
Definition of ICS cont…

Internal control is an activity what we do to see that

the things we want to happen will happen …

 And the things we don’t want to happen won’t

happen.

5
Internal Controls Are Common Sense

What do you worry

about going wrong?

What steps have been taken

to assure it doesn’t?

How do you know

things are under control?

6
 Internal control is a process; it is a means to an end,
not an end itself.
 Internal control is effected by people; it’s not merely
policy manuals and forms but people at every level of
an organization.
 Internal control can be expected to only provide
reasonable assurance, not absolute assurance.

7
Objectives of IC
Internal control is geared to the achievement of
objectives in one or more separate overlapping
categories. Objectives fall into four categories:
1. Operations – relating to effective and efficient use
of the entity’s resources
2. Financial reporting – relating preparation of reliable
published financial statements
3. Compliance – relating to the entity’s compliance
with applicable laws and regulations; and
4. Safeguarding of assets
8
• ICS contains accounting and administrative
controls. The internal accounting controls’,
are designed, in particular, to ensure that
transactions which give rise to the
accounting data are;
1. properly recorded; that is, all relevant details of
transactions are recorded at the time the transactions
take place;
2. properly authorized; that is, all transactions are
authorized by a person with the requisite authority;
9
3. valid; that is, transactions recorded in the accounting system
represent genuine exchanges with bona fide parties:
4. complete; that is, all genuine transactions are input to the
accounting system; none are omitted;
5. properly valued; that is, transactions are recorded in the correct
accounts;
6. Properly classified; that is, transactions are recorded in the correct
accounts;
7. Recorded in the correct accounting period
Categories of IC System
• Preventive control: Prevent some thing bad from
happening
• Detective Control : Detect problems that passed
through preventive control
• Corrective control: aimed at correcting problems
detected by detective control
The Control Process
Management designs systems of internal control to accomplish
all three objectives(Reliability of Financial Reporting ,
Efficiency and Effectiveness of Operations and Compliance
with Laws and Regulations).
 The auditor’s focus in both the audit of financial statements and
the audit of internal controls is to operations and to compliance
with laws and regulations objectives that could materially affect
financial reporting.
 Put another way, the entity’s accounting system is designed to
capture accounting data and to convert and output this data as
useful financial information.
In order for financial information to be useful, it must be
reliable. Thus, the underlying accounting data must be valid,
complete and accurate.
12
Common int. control acts in our
personal life
Lock-up valuable belongings
Keep copies of your tax returns, registration slip
Balance your checkbook
Keep your ATM/debit card PIN number separate from
your card
Lock-up your computer with pass word
Compare your book and bank balance

13
Why are Internal Controls Important?
Compliance with applicable laws and
regulations.
Accomplishment of the entity’s mission.
Relevant and reliable financial
reporting.
Effective and efficient operations.
Safeguarding of assets.

14
Risks of Weak Internal Controls
 Weak Internal Controls Increase Risk
Through…
 Business Interruption

system breakdowns or catastrophes, excessive

re-work to correct for errors.
 Erroneous Management Decisions
based on erroneous, inadequate or misleading
information.
 Fraud,Embezzlement and Theft
by management, employees, customers,
vendors, or the public-at-large.
15
 Statutory Sanctions
penalties arising from failure to comply
with regulatory requirements, as well as
overt violations.
 Excessive Costs/Deficient Revenues
expenses which could have been avoided,
as well as loss of revenues to which the
organization is entitled.
 Loss,Misuse or Destruction of Assets
unintentional loss of physical assets such
as cash, inventory, and equipment.

16
Benefits of Strong Internal Controls
 Reducing and preventing errors in a cost-
effective manner.
 Ensuring priority issues are identified and
addressed.
 Protecting employees & resources.

 Providing appropriate checks and balances.

 Having more efficient audits, resulting in

shorter timelines, less testing, and fewer
demands on staff.
 Contribute to the effectiveness of control
system
17
Effective Internal Controls
 Makesense within each organization’s unique
operating environment.

 Benefit
rather than encumber(hinder)
management.

 Arenot stand-alone practices; they are woven

into day-to-day responsibilities.

 Are cost-effective.

18
 Basic Internal Control Structure

The most widely accepted internal control framework

in the United States, describes internal control as
consisting of five components that management
designs and implements to provide reasonable
assurance that its control objectives will be met.
Each component contains many controls, but auditors
concentrate on those designed to prevent or detect
material misstatements in the financial statements.
The internal control components include the following
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication systems support
5. Monitoring
19
Internal Control Framework…
Five Inter-Related Standards: COSO’S
components-of-internal-control-system.png

Risk
Monitoring
Assessment

Control
Environment

Information & Control

Activities
Communication

20
 1. Control Environment

 Foundation for all other standards of internal control.

 Pervasive influence on all the decisions and activities

of an organization.

 Effective organizations set a positive “tone at the

top”.
 Factors include the integrity, ethical values and
competence of employees, and, management’s
philosophy & operating style.

21
The Control Environment
• The control environment serves as the umbrella for
the other four components.
• With out an effective control environment, the other
four are unlikely to result in effective internal control,
regardless of their quality.
• The essence of an effectively controlled organization
lies in the attitude of its management.

22
The Control Environment
The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management,
directors, and owners of an entity about internal control and its
importance to the entity.
 To understand and assess the control environment, auditors should
consider the most important control subcomponents, which are:
1. Integrity and Ethical Values
2. Commitment to competence
3. Board of Directors of Audit Committee Participation
4. The audit committee’s independence
5. Organizational Structure
6. Human resource polices and practices

23
 2. Risk Assessment
 Risks are internal & external events (economic
conditions, staffing changes, new systems, regulatory
changes, natural disasters, etc.) that threaten the
accomplishment of objectives.
 Risk assessment is the process of identifying,
evaluating, and deciding how to manage these
events… What is the likelihood of the event
occurring? What would be the impact if it were to
occur? What can we do to prevent or reduce the risk?

24
 3. Control Activities
 Tools - policies, procedures, processes -designed and
implemented to help ensure that management directives
are carried out.

 Help prevent or reduce the risks that can impede the

accomplishment of objectives.
 Occur throughout the organization, at all levels, and in all
functions.

 Includes approvals, authorizations, verifications,

reconciliations, security of assets, reviews of operating
performance, and segregation of duties.
25
 4. Communication & Information
 Pertinent information must be captured, identified
and communicated on a timely basis.

 Effective information and communication systems

enable the organization’s people to exchange the
information needed to conduct, manage, and
control its operations.

26
 5. Monitoring
 Internal control systems must be monitored to assess
their effectiveness… Are they operating as intended?

 Ongoing monitoring is necessary to react dynamically

to changing conditions…Have controls become
outdated, redundant, or obsolete?

 Monitoring occurs in the course of everyday

operations, it includes regular management &
supervisory activities and other actions personnel
take in performing their duties.

27
 Key I C Activities/Components
1. Separation of Duties

 Divide responsibilities between different employees

so one individual doesn’t control all aspects of a
transaction.
 Reduce the opportunity for an employee to commit
and conceal errors (intentional or unintentional) or
perpetrate fraud.

28
Adequate Separation of Duties
Custody of assets Accounting

Authorization The custody of

of transactions related assets

Operational Record-keeping
responsibility responsibility

IT duties User departments

29
2. Documentation

Document & preserve evidence to substantiate:

 Critical decisions and significant events...typically
involving the use, commitment, or transfer of
resources.
 Transactions…enables a transaction to be traced
from its inception to completion.
 Policies & Procedures…documents which set forth
the fundamental principles and methods that
employees rely on to do their jobs.

30
Adequate Documents and Records
Pre numbered consecutively

Prepared at the time of transaction

Simple enough to ensure understanding

Designed for multiple use

Constructed to encourage correct preparation

31
3. Authorization & Approvals
 Management documents and communicates
which activities require approval, and by whom,
based on the level of risk to the organization.
 Ensure that transactions are approved and
executed only by employees acting within the
scope of their authority granted by management.

32
Proper Authorization of Transactions and
Activities

General authorization

Specific authorization

33
4. Security of Assets
 Secure and restrict access to equipment, cash,
inventory, confidential information, etc. to reduce
the risk of loss or unauthorized use.
 Perform periodic physical inventories to verify
existence, quantities, location, condition, and
utilization.
 Base the level of security on the vulnerability of
items being secured, the likelihood of loss, and the
potential impact should a loss occur.

34
Physical Control over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.

35
5. Reconciliation & Review

 Examine transactions, information, and events to

verify accuracy, completeness, appropriateness,
and compliance.
 Base level of review on materiality, risk, and
overall importance to organization’s objectives.
 Ensure frequency is adequate enough to detect
and act upon questionable activities in a timely
manner.

36
Independent Checks on Performance

The need for independent checks arises

because internal control tends to change
over time unless there is a mechanism
for frequent review.

37
6. Information and Communication

The purpose of an accounting information

and communication system is to…

initiate, record, process, and report

the entity’s transactions and to maintain
accountability for the related assets.

38
Limitations of IC
• Internal control; no matter how well designed, implemented and
conducted, can provide only reasonable assurance to management
and the board of directors of the achievement of an entity’s
objectives.
• In considering limitations of internal control, two distinct concepts
must be recognized. The first set of limitations acknowledges that
certain events or conditions are simply beyond management’s
control.
Limitations of IC
• The second acknowledges that no system of internal control will
always do what it is designed to do.
• The best that can be expected in any system of internal control is that
reasonable assurance be obtained
• The effectiveness of internal control is limited by the realities of
human frailty in the making of business decisions.
Limitations of IC
Internal control may not result in the intended objectives due to:
Human judgment;
External events;
Management override; and
Collusion.
Limitations of IC
• Human judgment: Some decisions based on human judgment may later,
with the clarity of hindsight, be found to produce less than desirable
results, and may need to be changed.
• External events: For objectives relating to the effectiveness and efficiency
of an entity’s operations—achieving its mission, value propositions (e.g.,
productivity, quality, and customer service), profitability goals, and the
like—
• internal control cannot provide reasonable assurance of the
achievement when external events may have a significant impact on the
achievement of objectives and the impact cannot be mitigated to an
acceptable level.
Limitations of IC
• Management override: The term “management override” is
used here to mean overruling prescribed policies or
procedures for illegitimate purposes with the intent of
personal gain or an enhanced presentation of an entity’s
performance or compliance. Examples include:
increase reported revenue to cover an unanticipated decrease in
market share
Enhance reported earnings to meet unrealistic budgets
 Boost the market value of the entity prior to a public offering or sale
Meet sales or earnings projections to bolster bonus payouts tied to
performance
 Appear to cover violations of debt covenant agreements
Hide lack of compliance with legal requirements
Limitations of IC
• Collusion: can result in internal control deficiencies. Individuals acting
collectively to perpetrate and conceal an action from detection often
can alter financial or other management information so that it cannot
be detected or prevented by the system of internal control
• Collusion can occur, for example, between an employee who
performs controls and a customer, supplier, or another employee.
Limitations of IC
Additionally,
Staff size limitations may obstruct efforts to properly segregate
duties, which requires the implementation of compensating controls
to ensure that objectives are achieved.
A limited inherent in any system is the element of human error,
misunderstandings, fatigue and stress.
 Employees are to be encouraged to take earned vacation time in
order to improve operations through cross-training while enabling
employees to overcome or avoid stress and fatigue.