CHAPTER 4

AUDITS OF INTERNAL CONTROL AND

CONTROL RISK

Internal control consists :

 Policies & procedures designed to
provide management with reasonable
assurance that the company achieves its
objectives and goals
 Internal Control Objectives
To check:
• Reliability of financial reporting
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
Management designs systems of internal
control to accomplish all three objectives
•
Types of Controls
There are two types of controls. These are detective controls
and preventive controls.
a. Detective controls are designed to detect errors or
irregularities that may have occurred. Examples:
• Routine spot-checking of transactions, records and
reconciliations (do things make sense and look
reasonable?)
• Variance analysis, including budget to actual comparisons
• Physical inventories
• Internal audit review of business unit’s controls
• Regular supervisory review of account activity, reports,
reconciliations
b. Preventive controls are designed to keep errors or
irregularities from occurring in the first place. Examples of
preventive controls are
 separation of duties,
 proper authorizations,
 adequate documentation, and
 physical security
b. corrective internal controls?
Corrective internal controls are typically those controls
put in place after the detective internal controls
discover a problem. These controls could include
disciplinary action, reports filed, software patches or
modifications, and new policies prohibiting practices
such as employee tailgating.
 Management and Auditor Responsibilities Related
to Internal Control
• Management is responsible for establishing and maintaining
the entity’s internal controls
• Management establishes and maintains control system by:
 Reasonable assurance - Internal controls need only provide
reasonable, not absolute assurance
 Inherent limitations- No internal control system is perfect; only
as good as the employees using the system
• Design of Internal Control– management must evaluate
internal control whether the controls are designed and put in
place to prevent or detect material misstatements
• Operating Effectiveness of Controls - management must test
to determine whether the controls are operating as designed
 AUDITOR RESPONSIBILITIES
 Controls over the reliability of financial reporting
 Control over classes of transactions
For example, if products sold, units shipped, or unit
selling prices are wrong in billing customers for sales,
both sales and accounts receivable will be misstated.
On the other hand, if controls are adequate to ensure
correct billings, cash receipts, sales returns and
allowances, and write-offs, the ending balance in
accounts receivable is likely to be correct
 Auditors are responsible for testing internal control
 Sales Transaction-related Audit Objectives

Sales Transaction-related Audit

Objectives ensure:
• Recorded transactions exist (occurrence)
• Existing transactions are recorded
(completeness)
• Transactions are stated correctly
(accuracy)
Cont.
These five components may be divided in to two
categories according to whether they are
performed at
organizational (high level) controls and
functional (activity/transactional) level controls.
Five Components of Internal Control

Risk Control Information and

Monitoring
assessment activities communication
 Control Environment
• The control environment serves as the umbrella for the other
four components.
• Without an effective control environment, the other four are
unlikely to result in effective internal control, regardless of
their quality
• Control environment consists
- actions,
- policies
- and procedures that reflect the overall attitudes of
- top management
- directors
- and owners of an entity about internal control
and its importance to the entity
Auditors should consider the most
important control subcomponents

Integrity and ethical values

Commitment to competence

Board of directors or audit

committee participation

Management’s philosophy
and operating style
Organizational structure

Assignment of authority
and responsibility

Human resources
policies and practices
 1. Risk Assessment

• Management’s identification and analysis of risks

relevant to the preparation of financial statements in
conformity with appropriate accounting standards
• To do this first step is Identifying factors that may
increase risk
E.g. - Failure to meet prior objectives
- Quality of personnel,
- Geographic Dispersion of company operations,
- Introduction of new information technologies,
- Economic downturns
- Entrance of new competitors
These are examples of factors that increase risk
 Once management identifies a risk, it
estimates the significance of risks and
likelihood of occurrence
 Develop specific actions that need to
reduce the risk to the an acceptable level
Note : Auditors obtain knowledge about
management’s risk assessment process
using questionnaires and discussions with
management.
 2. Control Activities
• Policies and procedures, that help ensure that
necessary actions are taken to address risks to
the achievement of the entity’s objectives
Types of control activities
a. Adequate separation of duties
b. Proper authorization of transactions and
activities
c. Adequate documents and records
d. Physical control over assets and records
e. Independent checks on performance
 A. Adequate Separation of Duties

Custody of assets Accounting

Authorization The custody of
of transactions related assets
Operational Record-keeping
responsibility responsibility
IT Duties User departments
 B. Proper Authorization of
Transactions and Activities
General authorization – Management
established policies for organization to
follow (all transactions of a particular type
are approved automatically)

Specific authorization- apply to individual

transactions (each transaction requires
approval)
For example, the same person should not authorize
the payment of a vendor’s invoice and also
approve the disbursement of funds to pay the bill.
C. Adequate Documents and Records

Pre numbered consecutively

Prepared at the time of transaction

Simple enough to ensure understanding

Designed for multiple uses

Constructed to encourage correct preparation
 D. Physical Control Over Assets and
Records
• To maintain adequate internal control
over assets and records; Assets and
records must be protected
E.g. Safeguarding assets and records
from theft, damage, lost and alter
=> use of storerooms for inventory to
protect against theft.
 E. Independent Checks on Performance
• Careful and continuous review of
the other four types of control
activities
• Internal verification
• Internal control tends to change over
time unless there is a mechanism for
frequent review
 3. Information and communication
• The purpose of an entity’s accounting
information and communication
system is to initiate, record, process,
and report the entity’s transactions
and to maintain accountability for the
related assets
To understand the design of the accounting
information system, the auditor determines
a. The major classes of transactions of the entity;
b.How those transactions are initiated and recorded
c. What accounting records exist and their nature
d. How the system captures other events that are
significant to the financial statements, such as
declines in asset values
e. The nature and details of the financial reporting
process followed
 4. Monitoring
• Deal with ongoing or periodic assessment of the
quality of internal control by management to
determine that controls are operating as intended
and that they are modified as appropriate for
changes in conditions
E.g.
An internal audit department is essential for effective
monitoring of the operating performance of internal
controls.
-Quality assurance department
 END OF
CHAPTER FOUR
THANK YOU
VERY MUCH!!!