AC5003 - Chapter 9


Chapter 9
Internal control

• Internal control systems
• The use of internal control systems by auditors
• The evaluation of internal control components
• Internal controls in a computerised environment

BPP LEARNING MEDIA
Syllabus learning outcomes 1

• Explain why an auditor needs to obtain an understanding of internal
control activities relevant to the audit.
• Describe and explain the five components of an internal control
system: the control environment, the entity's risk assessment process,
the information system, including related business processes relevant
to financial reporting and communication, control activities relevant to
the audit, and monitoring of controls.

Syllabus learning outcomes 2

• Explain how auditors record internal control systems including the use
of narrative notes, flowcharts, internal control questionnaires and
internal control evaluation questionnaires.
• Evaluate internal control components, including deficiencies and
significant deficiencies in internal control.
• Discuss the limitations of internal control components.
• Discuss computer system controls, including general IT controls and
application controls.

Syllabus learning outcomes 3

• Discuss the requirements and methods of how reporting significant
deficiencies in internal control are provided to management and those
charged with governance.
• Explain, in a format suitable for inclusion in a report to management,
significant deficiencies within an internal control system and provide
recommendations for overcoming these deficiencies to management.
• Describe why smaller entities may have different control environments
and describe the type of evidence likely to be available in smaller
entities.
• Discuss the difference between tests of controls and substantive
procedures.

Overview

Overview (cont'd)

Chronology of an audit

Internal control 1

Internal control is the process designed and effected by those charged
with governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity's objectives
with regard to reliability of financial reporting, effectiveness and efficiency
of operations and compliance with applicable laws and regulations.

Question: Internal controls

You are the audit senior responsible for the audit of Supreme Food
Limited, a company which runs a chain of fast food stores.
The major risk in this industry is always related to food quality which
might result in damage claims by customers.
What controls should the company have in place to reduce the risk
associated with purchases of food and its preparation in the kitchen?

Internal control 2

Why do auditors need to understand internal control?


Because it helps them to:
• Identify types of potential misstatements and factors affecting the risks
of material misstatements
• Design the nature, timing and extent of their audit procedures

ISA 315 (Revised) Identifying and assessing the risks of material
misstatement through understanding the entity and its environment

Internal control 3

If internal controls are strong, the auditor can rely on them and base
their audit work on tests of controls, and therefore reduce the amount
of substantive procedures required.

If internal controls are weak, the auditor cannot rely on them and will
have to carry out a fully substantive audit.

Internal control 4

There are five components of internal control:

• CONTROL ENVIRONMENT
• ENTITY'S RISK ASSESSMENT PROCESS
• INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING
• CONTROL ACTIVITIES
• MONITORING OF CONTROLS

Internal control 5

CONTROL ENVIRONMENT
• The framework within which controls operate
• Includes the governance and management functions and the
attitudes, awareness and actions of those charged with governance
and management concerning the entity's internal control and the
importance of internal controls in the entity
• Auditors must understand the control environment because the
control environment can affect the risk of material misstatement in the
entity's financial statements
• Have a look at this article in Student Accountant from March 2013:
http://www.accaglobal.com/content/dam/acca/global/PDF-students/2012s/sa_mar13_fauf8p7_controlenv.pdf

Internal control 6
CONTROL ENVIRONMENT

Communication and enforcement of integrity and ethical values:
Essential elements which influence the effectiveness of the design,
administration and monitoring of controls

Commitment to competence:
Management's consideration of the competence levels for particular jobs
and how those levels translate into requisite skills and knowledge

Participation by those charged with governance:
• Independence from management
• Experience and stature
• Extent of involvement and scrutiny of activities
• Appropriateness of actions and interaction with internal and external
auditors

Management's philosophy and operating style:
• Approach to taking and managing business risks
• Attitudes and actions towards financial reporting
• Attitudes towards information processing and accounting functions and
personnel

Organisational structure:
The framework within which an entity's activities for achieving its objectives
are planned, executed, controlled and reviewed

Assignment of authority and responsibility:
How authority and responsibility for operating activities are assigned and
how reporting relationships and authorisation hierarchies are established

Human resource policies and practices:
Recruitment, orientation, training, evaluating, counselling, promoting,
compensation and remedial actions

Internal control 7

ENTITY'S RISK ASSESSMENT PROCESS


The auditor needs to obtain an understanding of whether processes are
in place for the following:
• Identifying business risks relevant to financial reporting objectives
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Deciding upon actions to address those risks

Internal control 8

INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING


A component of internal control that includes the financial reporting
system, and consists of the procedures and records established to
initiate, record, process and report entity transactions (as well as events
and conditions) and to maintain accountability for the related assets,
liabilities and equity.

Internal control 9

INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING


The auditor must understand the system, including the following:
• The classes of transactions in the entity's operations that are
significant to the financial statements
• The procedures, within both IT and manual systems, by which those
transactions are initiated, recorded, processed, corrected, transferred
to the general ledger and reported in the financial statements
• The related accounting records, supporting information, and specific
accounts in the financial statements, in respect of initiating, recording,
processing and reporting transactions

Internal control 10

INFORMATION SYSTEM RELEVANT TO FINANCIAL REPORTING


The auditor must understand the system, including the following:
• How the information system captures events and conditions, other
than transactions, that are significant to the financial statements
• The financial reporting process used to prepare the entity's financial
statements, including significant accounting estimates and disclosures
• Controls surrounding journal entries, including non-standard journal
entries used to record non-recurring, unusual transactions or
adjustments
• As well as understanding how information is obtained from within the
general and subsidiary ledgers, auditors must gain an understanding
of the system relating to information obtained outside of the
ledgers (ie contracts and agreements, risk management system files,
reports from management’s experts)

Internal control 11

CONTROL ACTIVITIES
Those policies and procedures that help ensure that management
directives are carried out.
Control activities include those activities designed to prevent, or detect
and correct, errors.

Examples
• Authorisation controls
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties

Tackling the exam

• You will appreciate from the previous question that control
activities vary greatly depending on the nature and size of the
entity. A national supermarket chain is likely to have far more
sophisticated controls in place than a small bakery store. A small
entity employing few people has less scope to use segregation of
duties because of its very nature.
• You must take into account the type of entity you are auditing
when it comes to the exam. Internal control is a key syllabus area
and you are highly likely to get a question based on a scenario
that tests it.
• You might be asked for internal controls so it is important that you
appreciate the type of business you are auditing. Irrelevant
controls will not gain many marks.

Internal control 12

MONITORING OF CONTROLS
A process to assess the effectiveness of internal control performance
over time.
It includes assessment of the design and operation of controls on a
timely basis and taking necessary corrective actions modified for
changes in condition.
Who could monitor the controls within an entity?
INTERNAL AUDITORS (…provided the entity has an internal audit
function)

Question:

ISA 315 Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment sets out the
five components of internal control.
Which of the following is NOT set out as a component of internal
control within ISA 315?
A Control environment
B The information system relevant to financial reporting
C Human resource policies and practices

Internal control 13

The limitations of accounting and control systems


Internal control systems can only provide reasonable assurance that
their objectives are reached, because of inherent limitations:
• Costs of control not outweighing the benefits
• Potential for human error
• Collusion between employees
• Possibility of controls being overridden or by-passed by management
• Non-routine transactions being difficult for the system to cope with

This is why auditors cannot rely on internal controls alone – they
always have to carry out some substantive procedures as well.

The use of internal control systems by auditors 1

• Auditors are only interested in the control activities which are relevant
to the financial statements.
• Auditors must do the following:
— Assess the adequacy of the accounting system as a basis for
preparing the accounts
— Identify the types of potential misstatements that could occur
in the accounts
— Consider factors that affect the risk of misstatements
— Design appropriate audit procedures

The use of internal control systems by auditors 2

Auditors will record the accounting and control systems in place.


There are a number of methods for doing this:
• Narrative notes
• Flowcharts
• Questionnaires (Internal Control Questionnaires (ICQs) and Internal
Control Evaluation Questionnaires (ICEQs))
• Checklists

The use of internal control systems by auditors 3

Narrative notes

Advantages
• Relatively simple to record
• Can facilitate understanding by all audit team members
• Flexible
• Can be used for any system
• Editing in future years can be relatively easy if computerised

Disadvantages
• More time consuming than a simple flowchart, particularly where the
system follows a logical flow
• They are awkward to update if written manually
• Can be difficult to identify missing internal controls – may not identify
exceptions clearly

The use of internal control systems by auditors 4

Flowcharts

The use of internal control systems by auditors 5

Flowcharts
Advantages
• Can be prepared quickly
• Standard format so easy to follow and review
• Ensure system is recorded in its entirety
• Eliminate need for extensive narrative

Disadvantages
• Generally only suitable for describing standard systems
• Major changes difficult without redrafting
• Time wasted in charting areas of no audit significance

The use of internal control systems by auditors 6

Questionnaires: Internal Control Questionnaires (ICQs)


• How good is the system of controls?
• List of questions to determine whether desirable controls are present
• One list of questions for each major transaction cycle

Questionnaires: Internal Control Evaluation Questionnaires (ICEQs)


• Focus on whether specific errors/frauds are possible, rather than
establishing whether certain desirable controls are present
• Key questions or control questions for each transaction stream

The use of internal control systems by auditors 7

Questionnaires

Advantages
• If drafted thoroughly, they can ensure all controls are considered
• They are quick to prepare
• They are easy to use and control
• Because they are drafted in terms of objectives rather than specific
controls, ICEQs are easier to apply to a variety of systems than ICQs
• They should enable auditors to identify the key controls which they are
most likely to test during control testing
• ICEQs can highlight deficiencies where extensive substantive testing will
be required

Disadvantages
• If drafted vaguely, may be misunderstood and important controls may be
missed
• May contain irrelevant controls
• They may not include unusual controls, which are nevertheless effective
in particular circumstances
• They can give the false impression that all controls are of equal weight
• The client may be able to overstate controls

The use of internal control systems by auditors 8

Checklists
• Statements are made
• Tick boxes used to indicate where the statement holds true
• Share many advantages and disadvantages with questionnaires

Tackling the exam

• You could be tested on the documentation of internal control
systems, either in Section A or in a knowledge-based question in
Section B.
• The June 2011 paper had a six-mark part on the advantages and
disadvantages of narrative notes and internal control
questionnaires.
• The December 2014 paper had a multiple choice question about
the disadvantages of using internal control questionnaires.

The evaluation of internal control components 1

• Once the auditors have documented the internal control system, they
need to test the controls to see whether they can rely on them for the
audit of the financial statements.
• They will initially do a walk-through test – that is, they will follow a
transaction through the system to see if all the controls they think
should be in existence operated for that transaction.

The evaluation of internal control components 2

Tests of controls (recap)


Tests performed to obtain audit evidence about the effectiveness of the:
• Design of the accounting and internal control systems, ie whether
they are suitably designed to prevent, or detect and correct, material
misstatement at the assertion level
• Operation of the internal controls throughout the period

Remember: Tests of control are not designed to detect material
misstatements in the financial statements. The purpose of substantive
tests is to detect these misstatements.

The evaluation of internal control components 3

What audit procedures can the auditor use to get evidence about
controls?
• INSPECTION OF DOCUMENTS
• INQUIRIES about internal controls
• REPERFORMANCE of control procedures
• OBSERVATION of controls

The evaluation of internal control components 4

Document internal controls → Test the controls

• Reliable → Audit approach: Tests of controls + reduced substantive
procedures
• Not reliable → Audit approach: Fully substantive approach

The evaluation of internal control components 5

• Once auditors have documented and tested the system, they might
find that there are weaknesses in the system.
• These weaknesses are known as deficiencies.
• Auditors have responsibilities regarding deficiencies in internal
control, as set out in ISAs.
• ISA 265 Communicating deficiencies in internal control to those
charged with governance and management
• Auditors must communicate significant deficiencies in internal
control to those charged with governance and management.

The evaluation of internal control components 6

• A deficiency in internal control exists when a control is designed,
implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the financial statements on a
timely basis, or a control necessary to prevent, or detect and correct,
misstatements in the financial statements on a timely basis is missing.
• A significant deficiency in internal control is a deficiency or
combination of deficiencies in internal control that, in the auditor's
professional judgement, is of sufficient importance to merit the
attention of those charged with governance.

The evaluation of internal control components 7

So how does an auditor judge whether a deficiency is significant enough to
warrant it being reported to those charged with governance and management?
Here are some factors the auditor must consider:
• The likelihood of the deficiencies resulting in material misstatements in the
financial statements in the future
• The susceptibility to loss or fraud of the related asset or liability
• The subjectivity and complexity of determining estimated amounts
• The amounts exposed to the deficiencies
• The volume of activity that has occurred or could occur
• The importance of the controls to the financial reporting process
• The cause and frequency of the exceptions identified as a result of the
deficiencies
• The interaction of the deficiency with other deficiencies in internal control

The evaluation of internal control components 8

• Auditors must communicate significant deficiencies in internal control
on a timely basis in writing
• Include a description of the deficiencies and an explanation of their
potential effect
• Include sufficient information to enable those charged with
governance and management to understand the context of the
communication

The evaluation of internal control components 9

• Auditors can include recommendations


• They can state that more deficiencies may have been identified had
the auditor undertaken more extensive procedures on internal control
or that some of the reported deficiencies need not have been reported
• They can include a statement that the written communication is for the
purpose of those charged with governance and may not be suitable
for other purposes

Tackling the exam

• A very common requirement from the F8 examiner is to ask you to
explain the deficiencies and the implications of those deficiencies
of a given system in a scenario question, together with suggested
recommendations.
• This type of requirement is generally worth a lot of marks and has
been tested in all sittings except June 2011.
• We will look at this in more detail in Chapter 10 where we will go
through some such questions.

Internal controls in a computerised environment 1

• IT controls can be general controls or application controls.


• General IT controls are policies and procedures that relate to many
applications and support the effective functioning of application
controls by helping to ensure the continued proper operation of
information systems. They commonly include controls over data
centre and network operations, system software acquisition, change
and maintenance, access security, and application system acquisition,
development and maintenance.
• Application controls are manual or automated procedures that
typically operate at a business process level. They can be
preventative or detective in nature and are designed to ensure the
integrity of the accounting records. Accordingly, they relate to
procedures used to initiate, record, process and report transactions or
other financial data.

Internal controls in a computerised environment 2
General controls

GENERAL CONTROL: Development of computer applications
EXAMPLES:
• Standards over systems design, programming and documentation
• Full testing procedures using test data
• Approval by computer users and management
• Segregation of duties so that those responsible for design are not
responsible for testing
• Installation procedures so that data is not corrupted in transition
• Training of staff in new procedures and availability of adequate
documentation

Internal controls in a computerised environment 2
General controls

GENERAL CONTROL: Prevention or detection of unauthorised changes to programs
EXAMPLES:
• Segregation of duties
• Full records of program changes
• Password protection of programs so that access is limited to computer
operations staff
• Restricted access to central computer by locked doors, keypads
• Maintenance of programme logs
• Virus checks on software: use of anti-virus software and policy
prohibiting use of non-authorised programs or files
• Back-up copies of programs being taken and stored in other locations
• Control copies of programs being preserved and regularly compared with
actual programs
• Stricter controls over certain programs (utility programs) by use of
read-only memory

Internal controls in a computerised environment 3
General controls

GENERAL CONTROL: Testing and documentation of program changes
EXAMPLES:
• Complete testing procedures
• Documentation standards
• Approval of changes by computer users and management
• Training of staff using programs

GENERAL CONTROL: Controls to prevent wrong programs or files being used
EXAMPLES:
• Operation controls over programs
• Libraries of programs
• Proper job scheduling

GENERAL CONTROL: Controls to prevent unauthorised amendments to data files
EXAMPLES:
• Password protection
• Restricted access to authorised users only

GENERAL CONTROL: Controls to ensure continuity of operation
EXAMPLES:
• Storing extra copies of programs and data files off-site
• Protection of equipment against fire and other hazards
• Back-up power sources
• Disaster recovery procedures eg availability of back-up computer
facilities
• Maintenance agreements and insurance

Internal controls in a computerised environment 4

Application controls
Application controls include the following:
• Controls over input
• Controls over processing
• Controls over master files and standing data

Internal controls in a computerised environment 5

Controls over input


Completeness
• Manual or programmed agreement of control totals
• Document counts
• One-for-one checking of processed output to source documents
• Programmed matching of input to an expected input control file
• Procedures over re-submission of rejected controls

Internal controls in a computerised environment 6

Controls over input


Accuracy
• Programmes to check data fields on input transactions for plausibility
• Manual scrutiny of output and reconciliation to source
• Agreement of control totals

Authorisation
• Manual checks to ensure information input was authorised and input
by authorised personnel
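
The input controls listed above (document counts, agreement of control totals, matching to an expected input control file, plausibility checks on data fields and authorisation) can be seen working together in the following added Python example, which is not part of the original slides. The supplier codes, approver names, amount ceiling and invoice data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed standing data: supplier codes, approvers and ceiling are assumptions.
SUPPLIER_MASTER = {"S100", "S200", "S300"}
AUTHORISERS = {"a.chan", "b.lee"}
AMOUNT_LIMIT = Decimal("50000.00")


@dataclass(frozen=True)
class Invoice:
    number: str
    supplier: str
    amount: Decimal
    invoice_date: date
    approved_by: str


@dataclass(frozen=True)
class BatchHeader:
    """Prepared from the source documents before keying."""
    document_count: int
    control_total: Decimal
    expected_numbers: frozenset  # the expected input control file


def field_checks(inv, period_end):
    """Accuracy (plausibility) and authorisation checks on one keyed invoice."""
    reasons = []
    if not Decimal("0") < inv.amount <= AMOUNT_LIMIT:
        reasons.append("amount outside plausible range")
    if inv.invoice_date > period_end:
        reasons.append("invoice dated after period end")
    if inv.supplier not in SUPPLIER_MASTER:
        reasons.append("supplier not on master file")
    if inv.approved_by not in AUTHORISERS:
        reasons.append("not approved by authorised personnel")
    return reasons


def check_batch(header, keyed, period_end):
    """Return (release, batch_exceptions, rejected) for a keyed batch."""
    exceptions = []
    # Completeness: document count and control total must agree to the header.
    if len(keyed) != header.document_count:
        exceptions.append(f"document count {len(keyed)} != {header.document_count}")
    total = sum((i.amount for i in keyed), Decimal("0"))
    if total != header.control_total:
        exceptions.append(f"control total {total} != {header.control_total}")
    # Completeness: match keyed items against the expected input control file.
    counts = Counter(i.number for i in keyed)
    keyed_numbers = set(counts)
    for label, numbers in (
        ("missing from batch", header.expected_numbers - keyed_numbers),
        ("not on control file", keyed_numbers - header.expected_numbers),
        ("keyed more than once", {n for n, c in counts.items() if c > 1}),
    ):
        if numbers:
            exceptions.append(f"{label}: {', '.join(sorted(numbers))}")
    # Rejected items are held for correction and re-submission.
    rejected = {i.number: r for i in keyed if (r := field_checks(i, period_end))}
    return (not exceptions and not rejected), exceptions, rejected


# Constructed sample batch of four purchase invoices.
PERIOD_END = date(2024, 3, 31)
HEADER = BatchHeader(4, Decimal("10150.00"),
                     frozenset({"INV-001", "INV-002", "INV-003", "INV-004"}))
FIRST_KEYING = [
    Invoice("INV-001", "S100", Decimal("1200.00"), date(2024, 3, 5), "a.chan"),
    Invoice("INV-002", "S200", Decimal("850.00"), date(2024, 3, 11), "b.lee"),
    Invoice("INV-003", "S999", Decimal("430.50"), date(2024, 3, 19), "a.chan"),
]  # INV-004 omitted and INV-003 carries an unknown supplier code
RESUBMITTED = FIRST_KEYING[:2] + [
    Invoice("INV-003", "S300", Decimal("430.50"), date(2024, 3, 19), "a.chan"),
    Invoice("INV-004", "S100", Decimal("7669.50"), date(2024, 3, 27), "b.lee"),
]

if __name__ == "__main__":
    for name, batch in (("first keying", FIRST_KEYING), ("resubmitted", RESUBMITTED)):
        print(name, check_batch(HEADER, batch, PERIOD_END))
```

The first keying is held because the batch does not agree to its header and one item fails a field check; the corrected and re-submitted batch agrees on every control and is released.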

Internal controls in a computerised environment 7

Controls over processing


Accuracy
• Batch reconciliations
• Screen warnings (eg to prevent people logging out before processing
is complete)

Internal controls in a computerised environment 8

Controls over master files and standing data


• One-to-one checking
• Cyclical reviews of all master files and standing data
• Record counts and batch totals
• Controls over deletion of accounts with no current balance

Question:
Application controls are manual or automated procedures that
operate over accounting applications to ensure that all transactions
are complete and accurate.
Which TWO of the following are application controls?
1 Password protection of programs
2 Batch controls
3 One for one checking
4 Regular back up of programs

A 1 and 4
B 3 and 4
C 1 and 2
D 2 and 3

Tackling the exam 1

• The vast majority of businesses use computerised systems so it is
essential that you are familiar with IT controls as they may come
up in scenario-based questions in the exam.
• For example, the June 2013 paper contained the following
requirement (Question 1, part c):
'Identify and explain FOUR application controls that should
be adopted by Fox Industries Co to ensure the completeness
and accuracy of the input of purchase invoices.' (4 marks)
• Students notoriously find computer audit difficult but it is an area
that could be tested regularly by the examiner.

Tackling the exam 2

• This article from the January 2011 edition of Student Accountant
may prove useful:
http://www.accaglobal.com/content/dam/acca/global/PDF-students/2012s/sa_jan11_CAATs.pdf
• This article from August 2009 is also worth reading:
http://www.accaglobal.com/content/dam/acca/global/PDF-students/2012s/sa_aug09_byrne.pdf

Tackling the exam 3

• The current F8 examining team have tested internal control in
every sitting so this is a key syllabus area.
• You could be tested on the components of internal control as we
saw earlier.
• You might also be asked to explain one element of internal control
in more detail.
• You could be asked to distinguish between tests of controls and
substantive procedures.

Tackling the exam 4

• Scenario-based internal controls questions have also been asked
in every sitting so far. A common requirement is to ask you to
describe the deficiencies and implications of those from the
scenario and then to make recommendations to overcome those
deficiencies.
• This kind of requirement also features in the 2016 Specimen
Paper, for 18 marks.
• These kinds of questions are best answered in a tabular format,
and we will be looking at them in more detail in Chapter 10.
