CHAPER FIVE

INTERNAL CONTROL

Prepared and
presented by:
Getnet Bekalu
 Learning objectives:

I. Introduction of internal control

II. Meaning and Objectives of internal
controls
III. The Basic Elements of internal controls
IV. Recording Internal Control System
V. Internal Control and External Auditor
VI. Internal Control and Internal Auditor
VII. Inherent Limitations
 I. Introduction of Internal Control

• Internal control is not only essential to

maintaining the accounting and financial
records of an organization, it is essential to
managing the entity.
• Everyone from the external auditors to
management to the board of directors to the
stockholders of large public companies to
government, have an interest in internal
controls.
 …Introduction continued.

• In many parts of the world, regulators

have emphasized the importance of
internal control by requiring management
to make annual public statements about
the effectiveness of internal controls.
• Reinforcing internal controls is generally
seen as one of the most important steps in
avoiding negative surprises.
 II. Meaning of internal controls
• Internal control, according to the
Committee of Sponsoring Organizations of
the Treadway Commission (COSO), is a
process, effected by an entity’s board of
directors, management and other
personnel, designed to provide reasonable
assurance regarding the achievement of
objectives in the following categories:
 …Meaning of internal controls continued.

a. effectiveness and efficiency of operations;

b. reliability of financial reporting;

c. compliance with applicable laws and

regulations;

d. safeguarding of assets against

unauthorized acquisition and

e. use or disposition.
 …Meaning of internal controls continued.
 This definition reflects certain fundamental
concepts:
• Internal control is a “process.” Internal control
is not one event or circumstance, but a series of
actions that permeate an entity’s activities. These
actions are persuasive and are inherent in the way
management runs the business.
• Internal control is effected by people. A board of
directors, management, and other personnel in an
entity effect internal control.
 …Meaning of internal controls continued
• Internal control can be expected to provide only
reasonable assurance, not absolute assurance, to
an entity’s management and board that the
company’s objectives are achieved.
• Internal control is geared to the achievement of
objectives in one or more separate overlapping
categories:
• The American Institute of Certified Public
Accountants (AICPA) defines internal control as;
 …Meaning of internal controls continued.
• ‘The plan of an organization and all the
coordinate methods and measures established
within the organization in order to safeguard
its assets against loss or fraud, promote
operational efficiency, ensure adherence to
prescribed policies and procedures,
compliance to applicable laws and regulations
and ensure reliability of accounting data.’
 …Meaning of internal controls continued
• Generally:-

• Internal controls are the integration of the

activities, plans, attitudes, policies and efforts
of the people of an organization working
together to provide reasonable assurance
that the organization will achieve its mission.
• Internal Controls are actions taken to make
sure the right things happen and the wrong
things don’t.
 II. Objectives of Internal control
• A system of internal control consists of policies
and procedures designed to provide
management with reasonable assurance that
the company achieves its objectives and goals.
• These policies and procedures are often called
controls, and collectively, they make up the
entity’s internal control.
• Management typically has three broad
objectives in designing an effective internal
control system:
 …Objectives of Internal control continued.
1)Reliability of financial reporting: Management
is responsible for preparing statements for
investors, creditors, and other users.
• Management has both a legal and professional
responsibility to be sure that the information is
fairly presented in accordance with reporting
requirements of accounting frameworks such as
GAAP and IFRS.
• The objective of effective internal control over
financial reporting is to fulfill these financial reporting
responsibilities.
 …Objectives of Internal control
2) Efficiency and effectiveness of
operations.
• Controls within a company encourage
efficient and effective use of its resources
to optimize the company’s goals.
• An important objective of these controls
is accurate financial and nonfinancial
information about the company’s
operations for decision making.
 …Objectives of Internal control

3) Compliance with laws and regulations:

Under Section 404 requires management of
all public companies to issue a report about
the operating effectiveness of internal
control over financial reporting.
• In addition to the legal provisions of Section
404, public, nonpublic, and not-for-profit
organizations are required to follow many
laws and regulations.
 …Compliance with laws and
regulations.
• Some relate to accounting only indirectly,
such as environmental protection and civil
rights laws.
• Others are closely related to accounting,
such as income tax regulations and anti-
fraud legal provisions.
• Generally, Management designs systems of
internal control to accomplish all three
objectives.
 …Objectives of Internal control
• The auditor’s focus in both the audit of
financial statements and the audit of
internal controls is on controls over the
reliability of financial reporting plus those
controls over operations and compliance
with laws and regulations that could
materially affect financial reporting.
III. The Basic Elements of internal controls
• COSO’s Internal Control—Integrated Framework,
the most widely accepted internal control
framework in the United States, describes five
components of internal control that management
designs and implements to provide reasonable
assurance that its control objectives will be met.
• Each component contains many controls, but
auditors concentrate on those designed to prevent
or detect material misstatements in the financial
statements.
 …Elements of internal controls.
• The COSO internal control components
include the following:

i. Control environment

ii.Risk assessment

iii.Control activities

iv.Information and communication

v.Monitoring
 …Elements of internal controls.
• Elements of Internal Control
• The essence of an effectively controlled
organization lies in the attitude of its
management.
• If top management believes that control is
important, others in the organization will sense
this commitment and respond by carefully
observing the controls established.
• If members of the organization believe that,
control is not an important concern to top
management, it is almost certain that
management’s control objectives will not be
effectively achieved.
 i. Control environment
• The control environment consists of the
actions, policies, and procedures that
reflect the overall attitudes of top
management, directors, and owners of an
entity about internal control and its
importance to the entity.
• To understand and assess the control
environment, auditors should consider the
most important control subcomponents.
 …Control environment
• Integrity and Ethical Values፡ Integrity
and ethical values are the product of the
entity’s ethical and behavioral standards, as
well as how they are communicated and
reinforced in practice.
• Commitment to Competence፡
Competence is the knowledge and skills
necessary t accomplish tasks that define an
individual’s job.
 …Control environment
• Board of Director or Audit Committee
Participation፡
• The board of directors is essential for
effective corporate governance because it
has ultimate responsibility to make sure
management implements proper internal
control and financial reporting processes.
• An effective board of directors is
independent of management, and its
members stay involved in and scrutinize
management’s activities.
 …Control environment
• Management’s Philosophy and Operating
Style፡
• Management, through its activities, provides
clear signals to employees about the
importance of internal control.
• Organizational Structure፡

• The entity’ organizational structure defines the

existing lines of responsibility and authority.
• Human Resource Policies and Practices፡
• The most important aspect of internal control
is personnel.
 ii. Risk assessment
• Risk Assessment is an element of internal
control within the risk management process that
allows management to identify and assess key
risks to achieving its objectives; this assessment
forms the basis upon which control activities are
determined.
• It is management’s identification and analysis of
risks relevant to the preparation of financial
statements in conformity with appropriate
accounting standards.
 …Risk assessment.
• Similarly, failure to meet prior objectives,
quality of personnel, geographic
dispersion of company operations,
significance and complexity of core
business processes, introduction of new
information technologies, economic
downturns, and entrance of new
competitors are examples of factors that
may lead to increased risk.
 …Risk assessment.
• Auditors obtain knowledge about
management’s risk assessment process
using questionnaires and discussions with
management to determine how
management identifies risks relevant to
financial reporting, evaluates the
significance and likelihood of the risks
occurring, and decides the actions needed
to address the risks.
 …Risk assessment.
• Risk assessment is critical especially when
agencies are facing constrained resources
because it allows for targeted and strategic use of
available resources.

• Risk Assessment Categories to help identify

and assess risks:

1)Strategic Risk—political risk, talent and

succession planning risk, risk from
dependence on other organizations;
 …Risk assessment

1)Financial Risk—risk of audit findings and other

things that would undermine reporting integrity;

2)Compliance Risk—fraud, theft, embezzlement

and/or noncompliance with regulations and
requirements and

3)Operational Risk—risk that Programs may fail

to meet their objectives, mishandle federal grant
funds, natural disasters, lack of accessible
technology, etc.
 Risk Assessment
• Strategies
 iii. Control Activities
• Control activities are the policies and
procedures, in addition to those included in the
other four control components, that help ensure
that necessary actions are taken to address risks
to the achievement of the entity’s objectives.
• There are potentially many such control
activities in any entity, including both manual
and automated controls.
• The control activities generally fall into the
following five types, which are discussed next:
 …Control Activities
1.Adequate separation of duties

2.Proper authorization of transactions and

activities

3.Adequate documents and records

4.Physical control over assets and records

5.Independent checks on performance

 1. Adequate separation of duties
• Four general guidelines for adequate separation
of duties to prevent both fraud and errors are
especially significant for auditors.
i. Separation of the Custody of Assets from
Accounting

• To protect a company from embezzlement, a

person who has temporary or permanent custody
of an asset should not account for that asset.
• Allowing one person to perform both functions
increases the risk of that person disposing of the asset
for personal gain and adjusting the records to cover up
the theft.
 …Adequate separation of duties
ii. Separation of the Authorization of
Transactions from the Custody of Related

Assets: It is desirable to prevent persons

who authorize transactions from having

control over the related asset, to reduce the
likelihood of embezzlement.
• For example, the same person should not
authorize the payment of a vendor’s invoice
and also approve the disbursement of funds
to pay the bill.
 …Adequate separation of duties
iii. Separation of Operational Responsibility from

Record-Keeping Responsibility: To ensure

unbiased information, record keeping is
typically the responsibility of a separate
department reporting to the controller.
• For example, if a department or division
oversees the creation of its own records
and reports, it might change the results to
improve its reported performance.
 …Adequate separation of duties
iv. Separation of IT Duties from User Departments: As

the level of complexity of IT systems increases,

the separation of authorization, record keeping,
and custody often becomes blurred.
• For example, sales agents may enter customer
orders online.
• The computer authorizes those sales based on
its comparison of customer credit limits to the
master file and posts all approved sales in the sales
cycle journals.
2. Proper Authorization of Transactions and
Activities
• Every transaction must be properly authorized if
controls are to be satisfactory.
• If any person in an organization could acquire or
expend assets at will, complete chaos would result.
• Authorization can be either general or specific.

• Under general authorization, management

establishes policies and subordinates are
instructed to implement these general
authorizations by approving all transactions within
the limits set by the policy.
…Proper Authorization of Transactions and
Activities
• General authorization decisions include the
issuance of fixed price lists for the sale of
products, credit limits for customers, and fixed
reorder points for making acquisitions.
• Specific authorization applies to individual
transactions.
• For certain transactions, management prefers to
authorize each transaction.
• An example is the authorization of a sales
transaction by the sales manager for a used-car
company.
…Proper Authorization of Transactions and
Activities

• The distinction between authorization and

approval is also important.
• Authorization is a policy decision for
either a general class of transactions or
specific transactions.
• Approval is the implementation of
management’s general authorization
decisions.
 3. Adequate Documents and Records
• Documents and records are the records upon
which transactions are entered and summarized.
• They include such diverse items as sales
invoices, purchase orders, subsidiary records,
sales journals, and employee time cards.
• Many of these documents and records are
maintained in electronic rather than paper
formats.
• Adequate documents are essential for correct
recording of transactions and control of assets.
 …Adequate Documents and Records

• For example, if the receiving department

completes an electronic receiving report
when material is received, the accounts
payable computer application can verify
the quantity and description on the
vendor’s invoice by comparing it with the
information on the receiving report, with
exceptions resolved by the accounts
payable department.
 …Adequate Documents and Records
• Documents and records should be:

• Prenumbered consecutively to facilitate control over

missing documents and records and as an aid in
locating them when they are needed at a later date.
• Prenumbered documents and records are important
for the completeness transaction-related audit
objective.
• Prepared at the time a transaction takes place, or as
soon as possible thereafter, to minimize timing
errors.
 …Adequate Documents and Records

• Designed for multiple use, when possible, to

minimize the number of different forms.
• For example, a properly designed electronic
shipping record can be the basis for
releasing goods from storage to the shipping
department, informing billing of the quantity
of goods to bill to the customer and the
appropriate billing date, and updating the
perpetual inventory records.
4. Physical Control Over Assets and Records
• To maintain adequate internal control, assets and
records must be protected.
• If assets are left unprotected, they can be stolen.

• If records are not adequately protected, they can

be stolen, damaged, altered, or lost, which can
seriously disrupt the accounting process and
business operations.
• When a company is highly computerized, its
computer equipment, programs, and data files
must be protected.
…Physical Control Over Assets and Records

• The data files are the records of the

company and, if damaged, could be costly
or even impossible to reconstruct.
• The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.
5. Independent Checks on Performance
• The last category of control activities is the careful
and continuous review of the other four, often
called independent checks or internal
verification.
• The need for independent checks arises because
internal controls tend to change over time, unless
there is frequent review.
• Personnel are likely to forget or intentionally fail to
follow procedures, or they may become careless
unless someone observes and evaluates their
performance.
…Independent Checks on Performance

• Regardless of the quality of the controls,

personnel can make errors or commit fraud.
• Personnel responsible for performing internal
verification procedures must be independent of
those originally responsible for preparing the
data.
• The least expensive means of internal
verification is the separation of duties in the
manner previously discussed.
…Independent Checks on Performance

• For example, when the bank reconciliation is

done by a person independent of the
accounting records and handling of cash, there
is an opportunity for verification without
incurring significant additional costs.
• Computerized accounting systems can be
designed so that many internal verification
procedures can be automated as part of the
system.
 iv. Information and Communication

• Information and communication system is to

initiate, record, process, and report the
entity’s transactions and to maintain
accountability for the related assets.
• An accounting information and
communication system has several
subcomponents, typically made up of classes
of transactions such as sales, sales returns,
cash receipts, acquisitions, and so on.
 …Information and Communication
• For example, the sales accounting system
should be designed to ensure that all
shipments of goods are correctly recorded as
sales (completeness and accuracy objectives)
and are reflected in the financial statements in
the proper period (timing objective).
• The system must also avoid duplicate recording
of sales and recording a sale if a shipment did
not occur (occurrence objective).
• To understand the design of the accounting
information system, the auditor determines
 …Information and Communication
1)the major classes of transactions of the entity;

2)how those transactions are initiated and recorded;

3)what accounting records exist and their nature;

4)how the system captures other events that are

significant to the financial statements, such as
declines in asset values; and

5)the nature and details of the financial reporting

process followed, including procedures to enter
transactions and adjustments in the general
ledger.
 v. Monitoring
• Monitoring: activities deal with ongoing
or periodic assessment of the quality of
internal control by management to
determine that controls are operating as
intended and that they are modified as
appropriate for changes in conditions.
 …Monitoring

• The information being assessed comes from

a variety of sources, including studies of
existing internal controls, internal auditor
reports, exception reporting on control
activities, reports by regulators such as
bank regulatory agencies, feedback from
operating personnel, and complaints from
customers about billing charges.
• For many companies, especially larger ones, an
internal audit department is essential for
effective monitoring of the operating
performance of internal controls.
• To be effective, the internal audit function must
be performed by staff independent of both the
opera ting and accounting departments and
report directly to a high level of authority within
the organization, either top management or the
audit committee of the board of directors.
 IV. Recording Internal Control System

• Internal controls or an internal control

system are the integration of the
activities, plans, attitudes, policies and
efforts of the people of an organization
which, working together, provide a
reasonable assurance that the
organization will achieve its mission.
 Internal Control System

• Preventive controls, the first line of

defense, are designed to keep errors and
irregularities from occurring in the first
place - stops something from happening.
• Detective controls are designed to detect
errors or irregularities that may have
occurred finds out what happened, alerts
you as it happens or shortly after.
 …Internal Control System
• Corrective controls are designed to correct
errors or irregularities that have been detected
follow detective controls, recovery from
consequences of an error or unexpected event.
• Directive controls are those designed to
establish the desired outcomes tells you what
should happen.
• Compensating controls are those used to
compensate for controls that are otherwise
lacking.
• Generally, close supervision is used to compensate for
lack of separation of duties.
 Internal Control System

Definition
Purpose 1 Internal controls or an internal
To promote orderly, economical, control system are the integration Purpose 3
efficient, and effective operations of the activities, plans, attitudes, To ensure adherence to laws,
and to produce quality products and regulations, contracts and
services consistent with the
policies and efforts of the people
of an organization which, working management directives.
organization’s mission.
together, provide a reasonable
assurance that the organization Purpose 4
Purpose 2 To develop and maintain
will achieve its mission.
To safeguard resources against loss reliable financial and
due to waste, abuse, management data and to
mismanagement, errors, and fraud. accurately present that data
in timely reports.

Purpose 5
Accomplishment of the campus’ mission,
pulling together all the goals and
objectives throughout the campus.
 V. Internal Control and External Auditor
• Internal controls are the mechanisms, rules, and
procedures implemented by a company to
ensure the integrity of financial and accounting
information, promote accountability, and
prevent fraud.
• Internal controls minimize risks and protect
assets, ensure accuracy of records, promote
operational efficiency, and encourage adherence
to policies, rules, regulations, and laws.
 ….internal control and auditor continued.

• Independent (external auditors): - these are

the auditors ‘of private audit firm.
• The audit firm will sign audit contract in
order to examine evidence and provide
audit report to the concerned party.
• Thus, the independent auditors received a
fee from the audited organization and they
are primarily responsible to third parties
(shareholders).
 VI. Internal Control and Internal Auditor

• Internal controls are the integration of the

activities, plans, attitudes, policies and efforts
of the people of an organization working
together to provide reasonable assurance that
the organization will achieve its mission.
• Internal control is a process integrated with all
other processes within an agency.
• Internal control is established, maintained, and
monitored by people at all levels within an
agency.
 …internal control and auditor continued.

• Internal control increases the possibility of an

agency achieving its strategic goals and objectives.
• Internal auditors are employees of the company
who evaluate on a continuous basis the
effectiveness of the company’s system of internal
control.
• Internal auditors periodically review the activities
of departments and individuals to determine
whether prescribed internal controls are being
followed.
 VII. Limitations of an entity’s internal
control
• There is no such thing as a perfect internal control
system.
• Internal controls no matter how well designed,
implemented and operated, can provide only
reasonable assurance, not absolute assurance
regarding the achievement of the entity’s financial
reporting objective due to inherent limitations.
• Limitations which may hinder the effectiveness of
an otherwise adequate system if internal controls
include:
 …limitations continued.

i. Collusion

• Controls can be circumvented by collusion of

two or more people; ie collusion. An act of
two or more employees who conspire to
steal assets, commit fraud or misstate
records is called collusion.

ii. Resource constraints

• Staff size limitations may obstruct efforts
to properly segregate duties.
 …limitations continued.
iii. Management override
• Even more important to recognize,
management has the ability to override
(overrule/make ineffective) the internal control
system. Because of the authority of officials
high up in the organization structure, the risk
pervade that they can easily override the
internal control system.
iv.Undetected or unintentional errors
• The element of human error, fatigue , stress
and misunderstandings may hinder internal
controls.
 …limitations continued

v. Complexity

An increasingly complex internal control

system can lead to operational
inefficiencies, because employees are
unable to cope with the system.
• Internal Control System Like This
 Thank You for Your Attention

Any Questions?