CHAPTER SIX

INTERNAL CONTROL

6.1 Meaning and Objectives of internal controls

Introduction
Internal control is not only essential to maintaining the accounting and financial records of an
organization, it is essential to managing the entity. For that reason everyone, from the external
auditors to management to the board of directors to the stockholders of large public companies to
government, is interested in internal controls. Recently corporate governance discussion has
centered on effective internal controls and professional institutes are in the process of updating
their standards on internal control to bring them more into l9ine with recent developments. This
chapter will concentrate on the meaning and objective of internal control, type of internal
control, element of internal control and auditor’s consideration of internal control.

6.1.1. Meaning of Internal Control

Internal control is a process, used by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
 Effectiveness and efficiency of operations,
 Reliability of financial reporting,
 Compliance with applicable laws and regulations, and
 Safeguarding of assets against unauthorized acquisition, use or disposition.

The above meaning reflects certain fundamental concepts:

Internal control is a process: Internal control is not one event or circumstance, but a series of
actions that permeate an entity’s activities. These actions are persuasive and are inherent in the
way management runs the business.

Internal control is effected by people: Internal control is effected by a board of directors,

management and other personnel in the entity. It is accomplished by the people of an
organization, by what they do and say. People establish the entity’s objectives and put control
mechanisms in place.

1
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to
an entity’s management and board that the company’s objectives are achieved.

Internal control is geared to the achievement of objectives in one or more separate overlapping
categories.

On the other hand, internal control system means all the policies and procedures adopted by the
directors and management of an entity to assist in achieving their objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including:
- adherence of internal policies,
- the safeguarding of assets,
- the prevention and detection of fraud and error,
- the accuracy and completeness of the accounting records, and
- the timely preparation of reliable financial information.

6.1.2 Objectives of Internal Control

Some studies suggest that management typically has the following objectives in setting up a
good system of internal control.

a) Orderly and efficient conduct of its business

An organization which is efficient and conducts its affairs in an orderly manner is much more
likely to be able to supply the auditors with sufficient appropriate audit evidence on which to
base their audit opinion. More importantly, the level of inherent and control risk will be lower,
giving extra assurance that the financial statements do not contain material errors.

b) Adherence to Internal Policies

Management is responsible for setting up an effective system of internal control and
management policy provides the broad framework within which internal controls have to
operate. Unless management does have a pre-determined set of policies, then it is very difficult
to imagine how the company could be expected to operate efficiently. Management policy will
cover all aspects of the company's activities and will range from broad corporate objectives to
specific areas such as determining selling prices and wage rates.

2
Given that the auditors must have a sound understanding of the company's affairs generally, and
of specific areas of control in particular, then the fact that management policies are followed will
make the task of the auditors easier in that they will be able to rely more readily on the
information produced by the systems established by the management.

c) Safeguarding of Assets
This objective may relate to the physical protection of assets (for example by locking monies in a
safe at night) or to less direct safeguarding (for example ensuring that there is adequate
insurance, cover for all assets). It can also be seen as relating to the maintenance of proper
records in respect of all assets.

The auditors will be concerned to ensure that the company has properly safeguarded its assets so
that they can form an opinion on existence of specific assets and, more generally, on whether the
company's records can be taken as a reliable basis for the preparation of financial statements.
Reliance on the underlying records will be particularly significant where the figure in the
financial statements is derived from such records rather than as the result of physical inspection.

d) Prevention and Detection of Fraud and Error

The directors are responsible for taking reasonable steps to prevent and detect fraud. They are
also responsible for preparing financial statements, which give a true and fair view of the entity's
affairs. However, the auditors must plan and perform their audit procedures and evaluate and
report the results thereof, recognizing that fraud or error may materially affect the financial
statements. A strong system of internal control will give the auditors some assurance that frauds
and errors are not occurring, unless management are colluding to overcome that system.

e) Accuracy and completeness of the accounting records

This objective is most clearly related to statutory requirements relating to both management and
auditors. The auditors must form an opinion on whether the company has fulfilling this
obligation and also conclude whether the financial statements are in agreement with underlying
records.

3
f) Timely preparation of reliable financial information

Types of Internal Control

Internal control may be characterized as two types: administrative controls and accounting
controls.

1. Administrative controls
Administrative controls are primarily concerned with the promotion of operational efficiency and
the adherence to prescribed managerial policies. Administrative controls are related to
operational audits and compliance audits.

2. Accounting controls
Accounting controls are principally concerned with safeguarding assets and providing assurance
that the financial statements and the underlying accounting records are reliable. Internal
accounting controls relate to external and internal financial audits. The independent auditor is
primarily concerned with the accounting controls, which generally bear directly and importantly
on the reliability of financial records.

6.2. Basic Elements of Internal Control

Internal control consists of five interrelated components. These are derived from the way
management runs a business, and are integrated with the management process. The components
are given as follows:
 Control environment
 Risk assessment
 Information and communication
 Control activities/procedures
 Monitoring
1. Control Environment
The control environment means the overall attitude, awareness, and actions of directors and
management regarding the internal control system and its importance in the entity. It is the
foundation for all other components of internal control, providing discipline and structure. The
attitude of an organization’s management, its management style, corporate culture and values are
the essence of an efficient control. If management beliefs control is important, others in the

4
company will observe the control policies and procedures. If employees in the organization feel
control is not important to top management, it will not be important to them. The control
environment has a pervasive influence on the way business activities are structured, the way
objectives are established, and the way risks are assessed. The control environment is influenced
by the entity’s history and culture.

The auditor should obtain an understanding of the control environment sufficient to assess the
directors and management’s attitudes, awareness and actions regarding internal controls and their
importance in the entity.

Elements Contributing to a Successful Control Environment

There are a number of specific elements that usually contribute to a successful control
environment and which may be used as indicators of the quality of the control environment of a
particular organization. These elements are:

a) Integrity and Ethical values

The effectiveness and efficiency of the internal control structure depends directly upon the
integrity and ethical values of the personnel who are responsible for creating, administrating, and
monitoring that structure. Management should establish behavioral and ethical standards that
discourage employees from engaging in activities that would be considered dishonest, unethical
or illegal. The standards must be communicated by appropriate means and also remove and
reduce the temptations and incentives to engage in such behavior.

b) Commitment to Competence
The employees employed must be competent enough to perform the assigned tasks. They must
possess the skills and knowledge essential for the performing the jobs and also in applying the
internal control policies and procedures. The employees appointed should have adequate
education and experience and also should provide adequate training and supervision.

c) Board of Directors or Audit Committee

The effectiveness of the Board of Directors or Audit Committee will significantly influence the
control environment. The extent of its independence from the management, the experience and
stature of its members, the extent to which it raises and pursue the difficult questions with the
management and its interaction with the internal and external auditors will improve the
5
effectiveness of the internal control system. The independence of the Board of Directors or the
Audit Committee enables it to be effective at overseeing the quality of the organization’s
financial reports, and act as a deterrent to management override of internal controls and to
management fraud.

d) Management’s Philosophy
Management philosophies will differ towards financial reporting and towards taking business
risks. Some may be very aggressive in financial reporting and may be willing to take great risks,
while others may be conservative and risk adverse. The differing attitudes and styles may have
an impact on the overall reliability of the financial statements. The internal control in an informal
organization will be implemented by face to face contact with employees and in formal
organization, it will establish written policies, performance reports, and exception reports to
control its various activities.

e) Organizational Structure
Another factor affecting the control environment is the organizational structure. A well-designed
organizational structure provides a basis for planning, directing, and controlling operations. It
divides authority, responsibilities and duties among members of the organization by dealing with
such issues as centralized versus decentralized decision-making and appropriate segregation of
duties among the various departments. When the management decision-making is centralized
and dominated by one individual, that the individual’s moral character is extremely important to
the auditors. When decentralized style is used, procedures to monitor the decision making of the
many managers involved become equally important.

f) Human resource Policies and Procedures

The effectiveness of the internal control is affected by the nature and characteristics of the people
working in the organization. The management’s policies and practice of hiring, training,
evaluating, promoting and compensating employees have a significant effect on the effectiveness
of the control environment. Effective human resource policies often can reduce or sometimes
remove other weaknesses in the control environment.

g) Assignment of Authority and Responsibility

6
The employees in the organization should have a clear understanding of their responsibilities and
rules and regulations that govern their actions. To enhance the control environment, the
management should develop employee job descriptions and should define clearly the authority
and responsibility within the organization. Policies should be established describing appropriate
business practices, knowledge and experience of the key personnel and the use of resources.

2. Risk assessment
When the auditor has obtained an understanding of the entity, (s)he shall assess the risks of
material misstatement in the financial statements, also identifying significant risks.
Identifying and assessing the risks of material misstatement: GAAS says that the auditor
shall identify and assess the risks of material misstatement at the financial statement level and at
the assertion level for classes of transactions, account balances and disclosures. It requires the
auditor to take the following steps:
• Identify risks throughout the process of obtaining an understanding of the entity and its
environment
• Assess the identified risks and evaluate whether they relate more widely to the financial
statements as a whole
• Relate the risks to what can go wrong at the assertion level
• Consider the prospect of the risks causing a material misstatement

Significant risks: Significant risks are complex or unusual transactions that may indicate fraud,
or other special risks.

As part of the risk assessment described above, the auditor shall determine whether any of the
risks are significant risks. The following factors indicate that a risk might be significant.

• Risk of fraud
• Its relationship with recent economic, accounting or other developments
• The degree of subjectivity in the financial information
• It is an unusual transaction
• It is a significant transaction with a related party
• The complexity of the transaction

7
Routine, non-complex transactions are less likely to give rise to significant risk than unusual
transactions or matters of management judgment. This is because unusual transactions are likely
to have more:

• Management intervention
• Complex accounting principles or calculations
• Manual intervention
• Opportunity for control procedures not to be followed

When the auditor identifies a significant risk, if they have not done so already, they shall obtain
an understanding of the entity's controls relevant to that risk.

3. Accounting Information and Communication System

Accounting information and communication systems capture, process, and report information to
be used by parties both within and outside the organization. An organization’s accounting
information system consists of the methods and records established to identify, assemble,
analyze, classify, record, and report an entity’s transactions and to maintain accountability for the
related assets. Accordingly, an accounting information system should:
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
5. Present properly the transactions and related disclosures in the financial statements.

In addition to the typical system of journals, ledger, and other recordkeeping devices, an
accounting information system should include a chart of accounts and a manual of accounting
policies and procedures as aids for communication of policies. Chart of accounts is a classified
listing of all accounts in use, accompanied by a detailed description of the purposes and content
of each. A manual of accounting policies and procedures states clearly in writing the methods of
treating transactions. In combination, the chart of accounts and manuals of accounting policies

8
and procedures should provide clear guidance that will allow proper and uniform handling of
transactions.

Open communication channels are essential to proper functioning of an information system.

Personnel that process information should understand how their activities relate to the work of
others, and the importance of reporting exceptions and other unusual items to an appropriate
level of management.

4. Control Activities
The policies and procedures that help the management to carry out the directives are known as
the control activities. These policies and procedures will help the management to ensure that the
actions are taken to address the risks that affect the organization. The following are the control
activities that are relevant to an audit of the organizations financial statements:
 Performance reviews
 Information processing
 Physical controls
 Segregation of duties

Performance review: these controls include reviews of actual performance as compared to

budgets, forecasts, and prior period performance: relating different sets of data to one another;
and performing overall review of performance. Performance review provides management with
an overall indication whether personnel at various levels are effectively pursuing the objectives
of the organization. By investigating the reasons for unexpected performance, management may
make timely changes in strategies and plans, or take other appropriate corrective actions.

Information processing: the control activities are performed to check the accuracy,
completeness, and authorization of transactions and information processing control is one of
them.

Physical controls: These control activities include the physical security over both records and
other assets. Safeguarding of records may include maintaining control at all times over an issued
renumbered documents, as well as other journals and ledgers, and restricting access to computer
programs and data files. Only individuals who are authorized should be allowed access to the
company’s assets. Direct physical access to assets may be controlled through the use of safes,
9
locks, fences, and guards. Improper indirect access to assets, generally accomplished by
falsifying financial records, must also be prevented. This may be accompanied by safeguarding
the financial records, as described above.

Periodic comparisons should be made between accounting records and the physical assets on
hand. Investigation as to the cause of any discrepancies will uncover weakness either in
procedures for safeguarding assets or in maintaining the related accounting and records. Without
these comparisons waste, loss, or theft of the related assets may go undetected.

Segregation of duties: a fundamental concept of internal control is that no one department or

person should handle all aspects of a transaction from beginning to end. In similar manner, no
one individual should perform more than one of the functions of authorizing transactions,
recording transactions, and maintaining custody over assets. Also, to the extent possible,
individuals executing the specific transaction should be segregated from these functions. The
goal is to reduce the opportunities for any one person to be in a position to both perpetrate and
conceal errors or irregularities in the normal course to his or her duties.

A credit sale transaction may be used to illustrate appropriate authorization and segregation
procedures. Top management may have generally authorized the sale of merchandise at specified
credit terms to customers who meet certain requirements. The credit department may approve the
sales transactions by ascertaining that the extension of credit and terms of sale are in compliance
with company policies. Once the sale is approved, the shipping department executes the
transaction by obtaining custody of the merchandise from the inventory stores department and
shipping it to the customer. The accounting department uses copies of the documentation created
by the sales, credit, and shipping departments as a basis for recording the transaction and billing
the customer. With this segregation of duties, no one department or individual can initiate and
execute an unauthorized transaction.

5. Monitoring
Monitoring is a process that assesses the quality of the internal control structure over time and it
is the last component of internal control. The monitoring of the internal control structure is
important to determine whether it is operating as intended and whether any modifications are
necessary. Monitoring can be achieved by:

10
 a. Ongoing monitoring activities include regularly performed supervisory and management
activities such as continuous monitoring of customer complaints or reviewing the
reasonableness of the management reports.
b. Separate evaluations are monitoring activities that are performed on a non-routing basis,
such as periodic audits by the internal auditors. Internal auditors investigate and appraise
the internal control structure and the efficiency with which the various units of the
organization are performing their assigned functions, and report their findings and
recommendations to the top management.

6.3. Recording Internal Control System

Possible ways of recording internal control systems include:

 Narrative notes (which can prove bulky if systems are large or complex)
 Flowcharts (which can make a complex system easier to follow)
 Organization charts - showing roles, responsibilities, and reporting lines
 Internal Control Questionnaire (ICQ)
 Internal Control Evaluation Questionnaire (ICE).

ISA 315 states that the method adopted is a matter of auditor judgment.

An ICQ is a list of possible controls for each area of the Financial Statements. The client is
asked to review the list and confirm which are applicable to their system.

In contrast to ICQ's an ICE lists control objectives. Clients are then asked to confirm how they
meet that objective.

For example; an ICQ might ask a client: "does a supervisor authorize all weekly timesheets?" An
ICE would ask "how does the company ensure that only hours worked are recorded on
timesheets?"

Testing the internal control system

Having documented the systems the auditor needs to assess whether:

11
  they are actually implemented; and
 They are effective.

In order to assess the operating effectiveness of controls in preventing and detecting material
misstatement the auditor performs tests of controls. These are designed to gather evidence
concerning:
 how controls were applied during the period;
 the consistency of application; and
 Who (or what) they were applied by.
Typical methods of controls testing include:
 observation of control activities, e.g. the inventory count; and
 Computer aided audit techniques (as seen in the audit evidence chapter).

6.4. Auditor’s consideration of internal control

In planning an audit it is essential that the auditors have a sufficient understanding of the client's
internal control structure. This encompasses both an understanding of the design of the policies,
procedures, and records, and knowledge of whether they have been placed in operation by the
client. It is difficult to imagine designing tests of financial statement balances without an
understanding of the internal control structure. For example, auditors who do not understand the
client's policies and procedures for executing and recording credit sales would have a difficult
time substantiating the balances of account receivable and sales.

The auditor's consideration of the internal control structure also provides a basis for their
assessment of control risk – the risk that material misstatements will not be prevented or detected
by the client's internal control structure. If the auditors determine that the client's internal control
is effective, they will assess control risk to be low. They can then accept a higher level of
detection risk, and substantive testing can be decreased. Conversely, if internal controls are
weak, control risk is high and the auditors must increase the scope of their substantive tests to
limit the level of detection risk. Therefore, the auditors' understanding of internal control is a
major factor in determining the nature, timing, and extent of substantive testing necessary to
verify the financial statement assertions.

12
Since an effective internal control structure is a major factor in an audit, the question arises as to
what action the auditors should take when internal control is found to be seriously deficient. Can
the auditors complete a satisfactory audit and properly express an opinion on the fairness of
financial statements of a company in which control risk is considered to be extremely high? The
answer to this question depends on whether the auditors believe that inherent risk is at a
satisfactory level so that substantive tests can be designed that will reduce audit risk to an
acceptable level. For example, the auditors of a small business with a limited segregation of
duties often apply an approach of restricting detection risk through extensive substantive tests of
financial statement assertions, rather than performing tests of internal control.

6.5. Limitation of Internal Control

Management can only obtain a certain level of assurance (reasonable assurance) that internal
control objectives have been achieved because of certain inherent limitations of accounting and
control systems. These limitations include the following.
(i) Control systems still rely on human input and compliance. Therefore there is always a
possibility of human error rendering the control ineffective.
(ii) Employees can collude to bypass controls. For example, one employee may 'sign in'
or 'clock in' another employee to bypass controls designed to monitor hours worked.
(iii) Management can use their authority to override controls.
(iv) Controls are usually designed to cope with routine transactions. When a non-routine
or unusual transaction occurs, the system may not be adequately designed to ensure it
is properly recorded.
(v) The costs of implementing controls should not outweigh the benefits. This means that
controls are not always implemented where management has taken the view they
would rather accept the risk of certain errors occurring than incur the cost of
implementing a preventative control.

13