Internal controls

Controls have impact on F.S

Auditor performs TOC
Internal controls system designed and operate by the company management

Internal Controls ISA – 315 deals with the whole area of controls.
As an auditor, in order to perform TOC, we need to understand the control system of
client…
…In this section we are discussing the controls system and then how the auditor should
deal with controls…
Internal control is system/process designed, implemented by the management or those
charged with governance or anyone who are representing the organisation and
achievement of its objectives.
Internal control has five components:
1) The control environment
2) The entity's risk assessment process
Of client entity
3) The information system relevant to financial reporting
4) Control activities
5) Monitoring of controls

Internal Controls 1 By:- Haris Hanif

(1) Control Environment:-
It includes the overall attitude, awareness, dedication, seriousness, commitment of those
charged with governance concerning the internal controls and its importance in the entity.
It sets the tone of the organisation and affects all other elements of the controls.
Control environment has many elements, like:-
• Organisational structure.
• Attitude of management towards risk.
• Management operating style.
• Human Resource policies.
• Enforcement of ethical values.
• Assignment of authority and reporting structures.
(2) Entity Risk Assessment Process :-
It involves how the management of client had identified the risk relevant to financial
reporting, estimating the significance of risk, assessing the likelihood of the occurrence of
those risk and what actions were decided by the management to address those risks.

(3) Information system relevant to Financial Reporting :-

It involves the system (either MANUAL or IT BASED) by which the entity initiate, record,
process and report the transactions or any events and to maintain the accountability for the
related assets, liabilities and equity.
NOTE:-
Auditor needs to understand all the information system of client, like TPS,MIS,EIS,ES,ERPS

Internal Controls 2 By:- Haris Hanif

(4) Control Activities:-
These are the policies and procedures that help to ensure that management directives are
carried out. These activities are designed to prevent, detect and correct errors/frauds. The
activities of controls either MANUAL or IT based are applied at various levels of the
organisation’s functions.
Examples may include
• Segregation of duties.
• Authorisation and approval by seniors.
• CCTV facility.
• Performance review and performance evaluation.
• Restricting access to certain information or assets.
• Internal audit review.
etc..

(5) Monitoring:-
It is process of assess or evaluate the effectiveness of internal control performance over a
period of time. The purpose is to assess the design and operation of controls and in case of
any problem, taking reasonable remedial actions to make the control system improvised.
The monitoring can be done through on-going activities or separate evaluation or both.
Management is ultimately responsible to undertake the monitoring of controls and in this
aspect, internal auditors play the key role.

INTERNAL CONTROLS

COMMON CONTROLS SPECIFIC CONTROLS

Specific to the department

Controls apply on the overall company

CRQ from these areas

Cash and bank system
Inventory system
Purchase system
NCA system
Sales system
Payroll system
Internal Controls 3 By:- Haris Hanif
COMMON CONTROLS
WHAT are controls?
WHY are controls?

COMMON CONTROLS WHAT are controls?

These are the control ACTIVITIES.
SPAMSOAP
S – Segregation of duties.
It involves dividing the duties between two or more than two people, like one person should
receive the cash and second one is to record it.
P – Physical controls.
It involves the controls on the custody of assets and monitoring who is accessing the assets
or placing the restriction over assets, like Camera, locks, Passwords, authorised access.
A – Authorisation & Approval.
All the transactions, discounts, credit time and period should need authorization or approval
by the appropriate authorised personnel, like HOD.
M – Management Control.
This is the control by the management in all the departments, via analysis and review,
example like budgets, variances, internal audit services.
S – Supervision.
It involves ensuring the staff to know that their work will be checked, like supervising day-
to-day transactions.
O – Organisation chart/Organogram.
This means identifying the reporting line, levels of authority and responsibility so that no
one can cross their boundaries. Procedures manual may be helpful.
A – Arithmetic control.
The controls to ensure the mathematical accuracy of the transactions, examples include,
control-accounts, trial balance, reconciliations.
P – Personnel control.
Controls applied on the human resource, like providing training, performance appraisal,
disciplinary actions, proper investigation before hiring.

Internal Controls 4 By:- Haris Hanif

Other Common controls
• Proper backups.
• Disaster recovery plan (IT BASED).
• Proper dates and official logo on official papers.
• Sequentially pre-numbered official documents.
• Signature, initials, official stamp.
• Using words along with figures so that chances of transposition error may be
reduced.
• Multiple signatories, like on cheques of large amount.
• Pre-review and post-review of work.

COMMON CONTROLS WHY are controls?

Objectives/Reasons of controls (common):-

- To reduce the chances of fraud and error.
- To ensure the safeguard of the assets and prevent its misuse.
- To minimise the chances of material misstatements in the financial statements.
- To achieve the corporate objectives on timely basis.
- To ensure the receiving of relevant, timely and accurate information for appropriate
decision making.

Knowledge base 4-5 marks

Limitations of Controls
- Controls may not prevent the fraud if all of the staff together committing the fraud,
that is, collusion with the staff.
- There is a possibility of management override of the controls and if so, then staff
down the line may not follow the controls.
- Even if controls are effective, still there are chances of human error, since many of
the controls are operated by humans.
- Controls may be sometimes expensive and may not justify the benefits.
- Controls may be designed for the routine activities, not well designed/operated for
the non-routine tasks, that is, limited use for the routine activities.
- Controls, if not updated on timely basis, then those controls are not adequate.

Internal Controls 5 By:- Haris Hanif