
Auditing I Ch.4

This document discusses internal control, which consists of policies and procedures put in place by a company's management to protect resources, ensure accurate financial reporting, secure compliance with policies, and evaluate performance. It defines key internal control concepts, types of controls, and the five major components of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring. The five components work together to provide reasonable assurance that a company can achieve its objectives.

Uploaded by

Abrha636

CHAPTER FOUR

4. INTERNAL CONTROL

Chapter Outline
• Key Internal Control Concepts
• Meaning and Types of Internal Control
• Internal Control and Internal Audit
• Components of Internal Control
• Procedures to Obtain an Understanding of Internal Control
• The Auditor’s Consideration of Internal Control
• Internal Control Questionnaire
• Limitations of Internal Control

Introduction

Internal Controls are to be an integral part of any organization's financial and business
policies and procedures. Internal controls consist of all the measures taken by the
organization for the purpose of: (1) protecting its resources against waste, fraud, and
inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3)
securing compliance with the policies of the organization; and (4) evaluating the level of
performance in all organizational units of the organization. An understanding of internal
control, especially those controls related to the reliability of financial reporting, is important
to the auditor’s purposes.

4.1 Key concepts


Three key concepts underlie the study of internal control and the assessment of control risk:

Management’s Responsibility - Management, not the auditor, must establish and maintain
the entity’s controls. In contrast, the auditor’s responsibilities include understanding and
testing internal control over financial reporting. This concept is consistent with the
requirement that management, not the auditor, is responsible for preparation of financial
statements in accordance with GAAP.

Reasonable Assurance – A company should develop internal controls that provide
reasonable, but not absolute, assurance that the financial statements are fairly stated. Internal
controls are developed by management after considering both the costs and benefits of the
controls.

Inherent Limitations - Internal controls can never be completely effective, regardless of the
care followed in their design and implementation. Even if management can design an ideal
system, its effectiveness depends on the competency and dependability of the people using it.

For example, assume that a procedure for counting inventory is carefully developed and
requires two employees to count independently. If neither of the employees understands the
instructions or if both are careless in doing the counts, the inventory count is likely to be
wrong. Even if the count is right, management might override the procedure and instruct an
employee to increase the count of quantities to improve reported earnings. Similarly, the
employees might decide to overstate the counts intentionally to cover up a theft of inventory
by one or both of them. An act of two or more employees to steal assets or misstate records is
called collusion.

4.2 Meaning and Types of Internal Control

Internal control is the process, established by an entity's management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:

i. Reliability of financial reporting

Management is responsible for preparing financial statements for investors, creditors, and
other users. Management has both a legal and professional responsibility to be sure that the
information is fairly prepared in accordance with reporting requirements such as GAAP.

ii. Effectiveness and efficiency of operations

Controls within an organization are meant to encourage efficient and effective use of its
resources, including personnel, to optimize the company’s goals. Another important part of
effectiveness and efficiency is safeguarding assets and records. The physical assets of a
company can be stolen, misused, or accidentally destroyed unless they are protected by
adequate controls. Safeguarding of accounting records also affects the reliability of financial
reporting.

iii. Compliance with applicable laws and regulations.

Organizations are required to follow many laws and regulations. Some are only indirectly
related to accounting. Examples include environmental protection and civil rights laws.
Others are closely related to accounting, such as income tax regulations and fraud.

Internal Controls can be (1) detective, that is, designed to detect errors or irregularities that
may have occurred; (2) corrective, that is, designed to correct errors or irregularities that
have been detected; or (3) preventive, that is, designed to keep errors or irregularities from
occurring in the first place.

4.3 Internal Control and Internal Audit

Internal control is not organized as a distinct department within the entity; it is present in
the structure of each management function and is the responsibility of each employee.
Internal auditing, unlike internal control, is organized as a distinct structure
answerable to the general company management.

The Institute of Internal Auditors defines internal auditing as an independent, objective
assurance and consulting activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.

Between the concepts of internal control and internal auditing there are similarities and
differences.

◦ Both are components of the control forms established at company level.
◦ Both represent managerial control types.
◦ Both aim at all components (financial, accounting, production, human
resources, administration, information technology, etc).

On the other hand, internal auditing, also referred to as “control of controls”, involves
analysis, diagnosis and evaluation of internal activities. Internal Audit is a function while
Internal Control is a system. An internal audit function aids management by improving the
quality of the control environment. The internal audit activity evaluates the adequacy and
effectiveness of controls encompassing the organization's governance, operations, and
information systems.

Internal control, as a system, is meant to ensure that there are clear policies and procedures
that guide operations and activities. An essential part of internal control is the internal audit.
Internal audit, when conducting an audit engagement, looks at the existence, adequacy, and
application of internal controls by an entity. The internal control is not a function but a
system that can be characterized through its five components: control environment, risk
assessment, control activities, information and communication and monitoring.

4.4 Components of Internal Control


Internal control includes five categories of controls that management designs and
implements to provide reasonable assurance that management’s control objectives will be
met. These are control environment, risk assessment, control activities, information and
communication and monitoring as represented in the figure below.

Figure 4-1 Internal control components

4.4.1 CONTROL ENVIRONMENT

The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about internal control
and its importance to the entity. To understand and assess the control environment, auditors
should consider the most important control subcomponents. The seven factors are:

A) Integrity and Ethical Values: Integrity and ethical values are the product of the entity’s
ethical and behavioral standards and how they are communicated and reinforced in
practice. They include management’s actions to remove or reduce incentives and
temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts.
They also include the communication of entity values and behavioral standards to
personnel through policy statements and codes of conduct and by example. If
management is committed to reducing such wrongful activities, its internal control will be
strong.

B) Commitment to Competence: Competence is the knowledge and skills necessary to
accomplish tasks that define the individual’s job. Commitment to competence includes
management’s consideration of the competence levels for specific jobs and how those
levels translate into requisite skills and knowledge. If employees are lacking in skill or
knowledge, they may be ineffective in performing their duties.

C) Board of Directors or Audit Committee Participation: An effective board of directors
is independent of management, and its members are involved in and scrutinize
management’s activities. An active and objective board can often effectively reduce the
likelihood that management overrides existing controls. To assist the board in its
oversight, the board often creates an audit committee that is charged with oversight
responsibility for the financial reporting process. The audit committee is also responsible
for maintaining ongoing communication with both external and internal auditors. If the
board of directors and audit committee are effective and strong enough to challenge
management, the internal control system will be effective and the financial statements will be
fairly stated.

D) Management’s Philosophy and Operating Style: Management, through its activities,
provides clear signals to employees about the importance of internal control. For
example, does management take significant risks, or are they risk averse? Are profit plans
and budget data set as “best possible” plans or “most likely” targets? Can management be
described as “fat and bureaucratic,” “lean and mean,” dominated by one or a few
individuals, or is it “just right”? Understanding these and similar aspects of
management’s philosophy and operating style gives the auditor a sense of management’s
attitude about internal control.

E) Organizational Structure: The entity’s organizational structure defines the existing lines
of responsibility and authority. By understanding the client’s organizational structure, the
auditor can learn the management and functional elements of the business and perceive
how controls are implemented.

F) Assignment of Authority and Responsibility: A well-designed organizational structure
provides a basis for planning, directing and controlling operations. It divides authorities,
responsibilities and duties among members of an organization. This supports the existence of
strong internal control.

G) Human Resource Policies and Practices: The most important aspect of internal control
is personnel. If employees are competent and trustworthy, other controls can be absent
and reliable financial statements will still result. Honest, efficient people are able to
perform at a high level even when there are few other controls to support them. Even if
there are numerous other controls, incompetent or dishonest people can reduce the system
to a shambles. Even though personnel may be competent and trustworthy, people have
certain innate shortcomings. For example, they can become bored or dissatisfied,
personal problems can disrupt their performance, or their goals may change. Thus,
management's policies and practices for hiring, orientation, training, evaluating,
counseling, promoting, and compensating employees have a significant effect on
effectiveness of the control environment.

4.4.2 RISK ASSESSMENT


Risk assessment for financial reporting is management’s identification, analysis and
management of risks relevant to the preparation of financial statements in conformity with
appropriate accounting standards.

An entity's risk assessment process considers external and internal events and
circumstances that may adversely affect its ability to record, process, summarize, and
report financial data consistent with management's assertions in the financial statements.
Examples of such risks include:

• Failure to meet prior objectives,
• Quality of personnel,
• Geographic dispersion of company operations,
• Complexity of core business processes,
• Introduction of new information technologies,
• Changes in the operating environment (e.g. increased competition),
• Changing customer needs or expectations,
• Rapid growth,
• New lines, products, or activities,
• New personnel,
• Economic downturns,
• Entrance of new competitors,
• Foreign operations,
• Accounting pronouncements, etc.

Once management identifies a risk, it estimates the significance of that risk, assesses
the likelihood of the risk occurring, and develops specific actions that need to be taken
to reduce the risk to an acceptable level.

Management’s risk assessment differs from but is closely related to the auditor’s risk
assessment. While management assesses risks as a part of designing and operating
internal controls to minimize errors and fraud, auditors assess risks to decide the
evidence needed in the audit. If management effectively assesses and responds to
risks, the auditor will typically accumulate less evidence than when management fails
to identify or respond to significant risks.

4.4.3 CONTROL ACTIVITIES

Control activities are the policies and procedures that help ensure that necessary actions are
taken to address risks affecting achievement of entity’s objectives. There are potentially
many such control activities in any entity, including both manual and automated controls.
The control activities generally fall into the following five types:

A) Adequate separation/segregation of duties - Helps to prevent both fraud and errors.
The objective is to ensure that duties are assigned to individuals in a manner that ensures
that no one individual can control both the recording function and the procedures relative to
processing the transaction.

The guidelines to this control activity are:
◦ Separation of the custody of assets from accounting
◦ Separation of the authorization of transactions from the custody of related assets
◦ Separation of operational responsibility from record-keeping responsibility

B) Proper Authorization of Transactions and Activities - Every transaction must be
properly authorized. The objective is to ensure that all transactions are approved by
responsible personnel in accordance with specific or general authority before the transaction
is recorded.

What is the difference between authorization and approval?

• Authorization is a policy decision for either a general class of transactions or specific
transactions.
• Approval is the implementation of management’s general authorization decisions.

C) Adequate Documents and Records - These are essential for correct recording of transactions
and control of assets. The objective is to ensure that all valid transactions are accurate
and consistent with the originating transaction data, and that information is recorded in a
timely manner.

D) Physical Control Over Assets and Records - The objective is to ensure that access to
physical assets and information systems is controlled and properly restricted to authorized
personnel.

E) Independent Checks on Performance – The last category of control activities is the
careful and continuous review of the other four, often called independent checks or internal
verification. The performance of one person must be evaluated and verified by another
independent person.

4.4.4 INFORMATION AND COMMUNICATION

This component encompasses both the information system used to produce financial
information and the communication of that information. The purpose of an entity's
accounting information and communication system is to identify, assemble, classify,
analyze, record, and report the entity's transactions and to maintain accountability for the
related assets and liabilities.

An effective financial reporting function attempts to establish methods and records that will
accomplish the following objectives.

i. Identify and record all valid transactions: This objective is concerned with the
financial statement assertion of existence or occurrence and completeness.

ii. Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting. This objective is concerned with
the financial statement assertion of presentation and disclosure.

iii. Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements. This objective is concerned
with the financial statement assertion of valuation or allocation.

iv. Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period. This objective is concerned with the
financial statement assertion of existence or occurrence and completeness.

v. Present properly the transactions and related disclosures in the financial
statements. This objective is concerned with the financial statement assertions of rights
and obligations and presentation and disclosure.

vi. Communicate responsibilities to employees. Communication involves providing
information generated by the financial reporting information system to the appropriate
parties in the entity on a timely basis.

4.4.5 MONITORING

Monitoring activities deal with ongoing or periodic assessment of the quality of internal
control performance by management to determine that controls are operating as intended
and that they are modified as appropriate for changes in conditions.

Monitoring can be done through ongoing activities or separate evaluation. These may
include:

• Regular management and supervisory activities,
• Reports of internal auditors regarding the functioning of the internal control structure,
• Feedback from operating personnel, and
• Complaints from customers about billing charges.

For many companies an internal audit department is essential for effective monitoring. For
an internal audit function to be effective, it is essential that the internal audit staff be
independent of both the operating and accounting departments and that they report directly to
a high level of authority within the organization, either top management or the audit
committee of the board of directors. In addition to its role in monitoring an entity's internal
control, an adequate internal audit staff can reduce external audit costs by providing direct
assistance to external auditors.

4.5 Procedures to Obtain an Understanding of Internal Control

Now that the various components of internal control have been discussed, we turn our
attention to considering these components when obtaining an understanding of internal
control and assessing control risk. The procedures used to gather evidence about design and
placement in operation during the understanding phase are called procedures to obtain an
understanding.

The following are procedures to determine the design and placement in operation.

i) Update and Evaluate Auditor’s Previous Experience with the Entity: Most audits of a
company are done annually by the same CPA firm. Except for initial engagements, the
auditor begins the audit with a great deal of information developed in prior years about
the client’s internal control. Because systems and controls usually do not change
frequently, this information can be updated and carried forward to the current year’s
audit.

ii) Make Inquiries of Client Personnel: A logical starting place for updating information
carried forward from the previous audit, or for obtaining information initially, is with
appropriate client personnel. Inquiries of client personnel at the management, supervisory,
and staff level will usually be conducted as part of obtaining an understanding of internal
control.

iii) Read Client’s Policy and Systems Manuals: To design, implement, and maintain
internal controls, an entity must have extensive documentation of its own. This includes
policy manuals and documents (such as a corporate code of conduct) and systems
manuals and documents (such as an accounting manual and an organization chart). This
information is read by the auditor and discussed with company personnel to ensure that it
is properly interpreted and understood.

iv) Examine Documents and Records: The five components of internal control all involve
the creation of many documents and records. By examining completed documents,
records, and computer files, the auditor can bring the contents of the manuals to life and
better understand them. Examination of the documents and records also provides evidence
that the control policies and procedures have been placed in operation.

v) Observe Entity Activities and Operations: In addition to examining completed
documents and records, the auditor can observe client personnel in the process of
preparing them and carrying out their normal accounting and control activities. This
further enhances understanding and knowledge that controls have been placed in
operation.

4.6 The Auditor’s Consideration of Internal Control

In all audits, the auditor should obtain an understanding of each of the five components of
internal control to plan the audit. A sufficient understanding is obtained by performing
procedures to understand the design of controls relevant to an audit of financial statements
and determining whether they have been placed in operation.

In planning the audit, such knowledge should be used to:

• Identify types of potential misstatement.
• Consider factors that affect the risk of material misstatement.
• Design tests of controls, when applicable.
• Design substantive tests.

4.7 Internal Control Questionnaire

An internal control questionnaire asks a series of questions about the controls in each
audit area as a means of indicating to the auditor aspects of internal control that may be
inadequate. In most instances, it is designed to require a “yes” or a “no” response
indicating potential internal control deficiencies.

The primary advantage of using a questionnaire is the ability to thoroughly cover each audit
area reasonably quickly at the beginning of the audit. The primary disadvantage is that
individual parts of the client’s systems are examined without providing an overall view. In
addition, a standard questionnaire is often inapplicable to some audit clients, especially
smaller ones.

The table below illustrates part of an internal control questionnaire for the sales and
collection cycle. The questionnaire is also designed for use with the six transaction-related
audit objectives. Notice that each objective (A through F) is a transaction-related audit
objective as it applies to sales transactions (see shaded portions). The same is true for all
other audit areas.

4.8 Limitations of Internal Controls

Internal control, no matter how well designed, implemented and conducted, can provide
only reasonable assurance to management and the board of directors of the achievement of
an entity’s objectives.

Some limitations are inherent in all internal control systems. These include:

Judgment: The effectiveness of controls will be limited by decisions made with human
judgment under pressures to conduct business based on the information at hand.

Breakdowns: Even well designed internal controls can break down. Employees sometimes
misunderstand instructions or simply make mistakes. Errors may also result from new
technology and the complexity of computerized information systems.

Management Override: High level personnel may be able to override prescribed policies
and procedures for personal gain or advantage. This should not be confused with
management intervention, which represents management actions to depart from prescribed
policies and procedures for legitimate purposes.

Collusion: Control systems can be circumvented by employee collusion. Individuals acting
collectively can alter financial data or other management information in a manner that
cannot be identified by control systems.

Partial Internal Control Questionnaire for Sales

Client ___________________________________ Audit date ___________________
Auditor ________________________________ Date Completed _______________
Reviewed by ___________________________ Date Completed _______________

Columns: Objective (shaded) and question | Answer (Yes / No / N/A) | Remark

A. Recorded sales are for shipments actually made to existing customers.
   1. Is the recording of sales supported by authorized shipping documents and approved customer orders?
   2. Is customers’ credit approved by a responsible official and is access to change credit limit master files restricted?
   3. Is a pre-numbered written shipping order required for merchandise to leave the premises?

B. Existing sales transactions are recorded.
   1. Is a record of shipments maintained?
   2. Is the shipping document controlled from the office in a manner that helps ensure that all shipments are billed?
   3. Are shipping documents pre-numbered and accounted for?
   4. Are sales invoices pre-numbered and accounted for?

C. Recorded sales are for the amount of goods shipped and are correctly billed and recorded.
   1. Is there independent comparison of the quantity on the shipping documents to the sales invoices?
   2. Is an authorized price list used and is access to change the price master file restricted?
   3. Are monthly statements sent to customers?

D. Recorded sales transactions are properly classified.
   1. Is there independent comparison of recorded sales to the chart of accounts?

E. Sales are recorded on the correct dates.
   1. Is there independent comparison of dates on shipping documents to dates recorded?

F. Sales transactions are properly included in the master files and correctly summarized.
   1. Are journals independently footed and traced to the general ledger and printout of master file?
   2. Is there a comparison of customer names on shipping documents to posting in the printout of the master file?

End of chapter four notes!
