STUDY and EVALUATION

of INTERNAL CONTROL

Module 6
Internal Control

Internal control is a process, effected by an

entity’s board of directors, management
and other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
 Effectiveness and efficiency of operations,
 reliability of financial reporting, and
 compliance with applicable laws and
regulations.
Internal Control Over Financial
Reporting

 PREVENTIVE CONTROLS
aim to decrease the chance of errors and
fraud before they occur, and often revolve around the
concept of separation of duties
Examples:
 Segregation of duties
 Pre-approval of actions and transactions
 Access controls (such as passwords)
 Physical control over assets (i.e. locks on doors or a safe for
cash/checks)
 Employee screening and training
Internal Control Over Financial
Reporting

 DETECTIVE CONTROLS
designed to find errors or problems after the
transaction has occurred.

Examples:
 Monthly reconciliations
 Review organizational performance (such as a budget-to-actual
comparison to look for any unexpected differences
 Physical (such as a cash or inventory count)
Internal Control Over Financial
Reporting

 COMPENSATING CONTROL
put in place when it is too difficult to
implement a primary control for a particular
requirement
Responsibilities

 MANAGEMENT
- To design, implement and maintain internal
controls

 AUDITOR
- To obtain an understanding of internal controls
- To test internal control over financial reporting
(optional)
Components of Internal Control
Components of Internal Control
The Control Environment

 The control environment sets the tone of an

organization, influencing the control consciousness of
its people.
 It is the foundation for all other components of
internal control, providing discipline and structure.
 It includes the governance and management
functions and the attitudes, awareness, and actions
of those charged with governance
Elements of the Control Environment

 Commitment to Competence
 Human Resources Policies and Practices
 Assignment of Authority and Responsibility
 Management’s Philosophy and Operating Style
 Participation by Those Charged with Governance
 Organizational Structure
 Communication and enforcement of Integrity
and ethical values
Elements of the Control Environment

Competence
 Competence should reflect the knowledge and
skills needed to accomplish tasks that define the
individual’s job.
 How well these tasks need to be accomplished
generally is a management decision which
should be made considering the entity’s
objectives and management’s strategies and
plans for achievement of the objectives.
Elements of the Control Environment

HR Policies And Practices

 Method by which personnel are hired, evaluated,
trained, promoted, compensated and given
remedial actions
 Sends message to employees regarding expected
levels of integrity, ethical behavior and
competence
Elements of the Control Environment

Authority and Responsibility

 How authority and responsibility for operating activities
are assigned
 How reporting relationships and authorization
hierarchies are established
 Establishes structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of
objectives. It is critical that management appropriately
delegate authority and define responsibilities at the
various levels of the organization
Elements of the Control Environment

Management Philosophy and Operating

Style
 Management’s approach in taking and managing
business risk and attitude towards financial
reporting, information processing and acconting
function
Elements of the Control Environment

Participation by Those Charged with

Governance
 BOARD OF DIRECTORS
– oversee the design and implementation of internal controls
- independent of management

 AUDIT COMMITTEE
- consists of independent directors who are not officers or
employee of the organization
- oversees internal controls and financial reporting policies
- responsible for appointment, compensation and oversight of
the work of auditors
Elements of the Control Environment

Organizational Structure
 Provides the framework for planning, executing,
controlling and monitoring the entity’s operation
Elements of the Control Environment

Integrity and Ethical Values

 Commitment to integrity is communicated
through entity’s standard of conduct and
emphasized through directives, actions and
behavior

 Includes management actions to remove or

reduce incentives and temptations that might
prompt personnel to engage in dishonest, illegal
or unethical acts
Components of Internal Control
The Entity’s Risk Assessment Process

 The identification and analysis of relevant risks to

achievement of the company’s objectives, forming a basis for
determining how the risks should be managed.

 ENTITY LEVEL RISK. Changes in economic, industry, regulatory

and operating conditions should be identified and the risks
associated with changes should be assessed.

 TRANSACTION LEVEL RISK. Risks within divisions, operating

units or functions of the organization
Conditions That May Increase Risk

 Changed Operating Environment

 New Personnel
 New or Revamped Information Systems
 Rapid Growth of Business
 Significant Decline in Economic Condition
 New Technology
 New product lines and activities
 Corporate restructuring
Components of Internal Control
Components of Information and
Communication Control

Information System
 Pertains to the initiation, recording, processing
and reporting of the entity’s transaction

 Consists of:
 People

 Input data

 Infrastructure (physical and hardware components)

 Software (processes or procedures)

 Output or meaningful information

Components of Information and
Communication Control

Accounting Information System

 Identify and record all valid transactions (Occurrence and
Completeness)
 Proper classification of transactions (Classification)
 Proper measurement of the value of transactions
(Accuracy)
 Permits recording of transactions in the proper
accounting period (Cut-off)
 Present properly the transactions and related disclosures
(Posting and summarization)
Components of Information and
Communication Control

Communication
 How the entity communicates roles and responsibilities
of each employee

 Normally in the form of: manuals, memorandums,

bulletin board notices.
Components of Internal Control
Control Activities

 Policies and procedures that management has

established to mitigate the risk that the entity’s
objectives are not met

 Performance Review
 Authorization
 Physical Controls
 Segregation of Duties
 Information Processing
Control Activities

Performance Review
 Includes review of actual performance as compared to
budgets, forecasts and prior period performance

 Provides management with an overall indication of

whether personnel at various levels are effectively
pursuing the objectives of the organization

 By investigating reasons for unexpected performance,

management may make timely changes in strategies and
plans
Control Activities

Authorization
 The giving of approval before an action

 GENERAL AUTHORIZATION
- established policies for routine transactions

 SPECIFIC AUTHORIZATION
- when transactions are authorized on an individual
basis
Control Activities

Physical Controls
 Physical security over both assets and documents
 If assets are left unprotected, they can be stolen
 If documents are not adequately protected, they can be
stolen, altered, damaged or lost
Control Activities

Segregation of Duties
 No one person or department should handle all aspects of a
transaction from beginning to end

 CUSTODY from accounting

- a person who has custody of an asset should not
account for that asset
 AUTHORIZATION from custody of relate asset
- to prevent persons who authorize transactions from
having control over related asset
 RECORDING
- record keeping should be the responsibility of a separate
department or person
Control Activities

Information Processing
 To check the accuracy, completeness and authorization of
transactions

 GENERAL IT CONTROLS
- policies and procedures that relate to multiple types
of transactions
- include software controls, physical hardware
controls, computer operations controls, data
security controls, controls over the systems
implementation process, and administrative
controls.
Control Activities

 GENERAL IT CONTROLS
Control Activities

Information Processing
 APPLICATION CONTROLS
- relates to a specific transaction
- include both automated and manual procedures that
ensure that only authorized data are completely and
accurately processed by that application.
- can be classified as input controls, processing
controls, and output controls
Control Activities

 APPLICATION CONTROLS
Components of Internal Control
Control Activities

Monitoring
Control Activities

Monitoring
 Assessment of the quality or performance of internal controls
over time

 Ongoing and/or separate evaluations enable management to

determine whether the other components of internal control
continue to function over time, and

 Internal control deficiencies are identified and communicated

in a timely manner to those parties responsible for taking
corrective action and to management and the board as
appropriate.
Control Activities

Monitoring
 ONGOING
- routine monitoring activities which are built into
the operations of the organization

 SEPARATE
- performed on a nonroutine basis such as
periodic audits by internal auditors
- occur with varying frequencies depending on
management’s judgment of risks involved and
importance of the processes to the organization
Examples of Monitoring Controls

 Periodic review of expenses against budget

 Analysis of trends

 Review of performance indicators

 Internal and external audits

 Operations audit
POLICIES as means of control

 Policies should be clearly stated in writing,

systematically organized into handbooks, manuals,
or other publications, and properly approved.

 Policies should be systematically communicated to all

officials and appropriate employees of the
organization.

 Policies must conform with applicable laws and

regulations
THOUGHT ON POLICIES and
PROCEDURES

”Policies are excellent, but if

they are not effectively
communicated to the staff
they are a waste of time.”
Limitations of Internal Control

 Cost benefit consideration

 Controls are directed at anticipated/routine
transactions and not on unusual transactions
 Possibility of collusion among employees
 Possibility of management override
 Possibility of inadequacy of controls due to changes
PLACEMENT OF CONTROLS

Controls should be positioned where they are most effective.

They should be installed:

1. Before an expensive part of the project.

2. Before points of no (or difficult) return
3. Where one phase of an operation ends and another starts
4. Where corrective action is easier to take
5. Where accountability for resources change
Steps in the Study and Evaluation
of Internal Controls

1. Obtain and Document your Understanding of the

Control Structure

2. Asses the Level of Control Risk

3. Perform Test of Control

4. Determine the Nature, Timing and Extent of

Substantive Test
Steps in the Study and Evaluation
of Internal Controls
Obtain and Document Understanding of the Control
Structure
The auditor should obtain an understanding of the client’s internal
control system, including the related business processes,
relevant to financial reporting, in order to:

 Identify types of potential misstatements in the financial

statements.
 Identify factors that affect the risk of material misstatements in
the financial statements.
 Design the nature, extent and timing of further audit
procedures.
Steps in the Study and Evaluation
of Internal Controls

Obtain Understanding of the Control Structure

 Gather evidence about the design of internal controls and

whether they have been implemented

 Procedures:
 RE-PERFORMANCE of client procedures
 INQUIRY of client personnel
 INSPECTION of documents
 OBSERVATION of control applications
Steps in the Study and Evaluation
of Internal Controls

Obtain Understanding of the Control Structure

 Identify TRANSACTION CYCLES – policies and

sequence of procedures for processing a particular
transaction:
 Revenue Cycle
 Acquisition Cycle
 Payroll Cycle
Steps in the Study and Evaluation
of Internal Controls

Obtain Understanding of the Control Structure

 Revenue Cycle
receive order  approval of credit sales  shipment of goods
 billing customers  collection

 Acquisition Cycle
processing purchase order  receipt of goods  recognize
liability  payment

 Payroll Cycle
hiring of employee  preparation of time record  salary
computation  payment
Steps in the Study and Evaluation
of Internal Controls

Document Understanding of the Control Structure

 NARRATIVE
- describe the follow of transaction cycles, identify
employees performing tasks, documents prepared, records
maintained and the division of duties.

- Describes:
1. Origin of every document
2. All processing that takes place
3. Disposition of every document and record in the system
4. Indication of related controls
Steps in the Study and Evaluation
of Internal Controls

 NARRATIVE
Steps in the Study and Evaluation
of Internal Controls

Document Understanding of the Control Structure

 INTERNAL CONTROL QUESTIONNAIRE

- asks a series of questions about the controls in each audit
area to identify internal control deficiencies

- “Yes” or “No”
Steps in the Study and Evaluation
of Internal Controls

 INTERNAL CONTROL QUESTIONNAIRE

Steps in the Study and Evaluation
of Internal Controls

Document Understanding of the Control Structure

 FLOW CHART
- a diagram that represents the system or series of
procedures with each procedure shown in sequence

- conveys a clear image of the system, showing the nature

and sequence of procedures, division of responsibilities,
sources and distribution of documents, and types of
accounting records and files.
Steps in the Study and Evaluation
of Internal Controls

 FLOW CHART
Steps in the Study and Evaluation
of Internal Controls

Document Understanding of the Control Structure

 WALKTHROUGH
- tracing a process from initiation through the entire
accounting system process until the end.

- at each phase of the process, the auditor makes inquiries

with client personnel, observes activities and inspects
completed documents and records

- OBJECTIVE: to see if controls are appropriately designed

and implemented
Steps in the Study and Evaluation
of Internal Controls

Asses The Level Of Control Risk

- measurement of auditor’s expectation that internal
controls will prevent material misstatements from
occurring or detect and correct them if it does occur

- assess risk for both Financial Statement Level and

Assertion Level

i.e. an ineffective BOD or

i.e. Sales and Collection Cycle management’s failure to
- Sales have any process to identify,
- Sales return & allowances assess or manage risk, has
- Provision for bad debts a potential to undermine
- Cash receipt controls
Steps in the Study and Evaluation
of Internal Controls

Asses The Level Of Control Risk

 MAXIMUM CONTROL RISK

When:
- controls do not pertain to an assertion
- controls that pertain are unlikely to be effective
- evaluating the effectiveness of relevant controls would be
inefficient

Response:
- no need to perform test of controls
- more substantive test procedures
Steps in the Study and Evaluation
of Internal Controls

Asses The Level Of Control Risk

 LESS THAN MAXIMUM CONTROL RISK

When:
- relevant controls are likely to prevent or detect and
correct material misstatements

Response:
- perform test of controls that the auditor intends to rely
upon to evaluate the effectiveness of such control
- less substantive test procedures
In considering the nature of the risks, the auditor considers a
number of matters, including:

 Whether the risk is a risk of fraud

 Whether the risk is related to recent significant economic,
accounting or other developments and, therefore, requires
specific attention
 The complexity of transactions
 Whether the risk involves significant transactions with related
parties
 Whether the risk involves significant transactions that appear to
be unusual
Overall Responses to Address Risks

 Emphasize to the audit team the need to maintain professional

skepticism in gathering and evaluating audit evidence

 Assign more experienced staff or those with special skills or

using experts

 Provide more supervision

 Incorporate additional elements of unpredictability in the

selection of further audit procedures to be performed
Steps in the Study and Evaluation
of Internal Controls

Perform Test of Controls

When the auditor’s assessment of risks of material

misstatement at the assertion level includes an
expectation that controls are operating effectively
(i.e., less than high), the auditor should perform tests
of controls to obtain sufficient appropriate audit evidence
that the controls were operating effectively at relevant
times during the period under audit.
Steps in the Study and Evaluation
of Internal Controls
Nature of Test of Controls
procedures used to test operating effectiveness include:

 RE-PERFORMANCE of client procedures

Example: recalculating the sales commissions paid on a sample of sales
transactions.

 INQUIRY of client personnel

 INSPECTION of documents
Example: HR manager signs the payroll as evidence of her/his review
before the payroll is finalized and the checks are issued.

 OBSERVATION of control applications

Example: auditor observes the cashier perform sales transactions and
notes that the cash register will not open unless a sale has occurred.
Steps in the Study and Evaluation
of Internal Controls

Extent of Test of Controls

- Depends on the preliminary assessment of control risk.
- Depends on whether the control is applied manually or
automated

- Assessed control risk inversely related to extent of TOC

- Reliance on controls directly related to extent of TOC
Steps in the Study and Evaluation
of Internal Controls

Timing of Test of Controls

- Test controls for the particular time, or throughout the
period, for which the auditor intends to rely on those
controls
- Depends on the nature of controls and when the company
uses them

 INTERIM
 check any significant changes to that control from
interim to year end
 if with significant changes, obtain effectiveness of that
control
Steps in the Study and Evaluation
of Internal Controls

Timing of Test of Controls

 USING AUDIT EVIDENCE OBTAINED IN PREVIOUS
AUDITS
- obtain audit evidence about whether changes in those
controls have occurred subsequent to the
previous audit
 If there have been changes, the auditor shall test
the operating effectiveness of the controls in the
current audit.
 If there have not been changes, the auditor shall
test the operating effectiveness of the controls at least
once in every third audit
Examples of Test of Control

 Checking purchase requisitions for approval

 Examining receiving reports for the initials of quality
control inspector
 Examining approved sales orders for approval
 Examining initials for proper approval of overtime slip
 Examining canceled checks for authorized signatures
Steps in the Study and Evaluation
of Internal Controls

Substantive Test Procedure

 Irrespective of the assessed risk of material
misstatement, the auditor should design and perform
substantive procedures for each material class of
transactions, account balances, and disclosures

 Effectiveness of Internal Control inversely related

with substantive procedures
 Assessment of control risk directly related with
substantive procedures
Communication of Weaknesses

 The auditor should make management aware, as

soon as practicable and at an appropriate level of
responsibility, of material weaknesses in the design or
operation of the internal control system, which have
come to the auditor’s attention.

 Such communication should be done in written form

through a Management Letter.