Auditing Principle 1_ch4

Internal control systems are defined as processes established by an organization's board and management to ensure the reliability of financial reporting, operational efficiency, and compliance with laws. The objectives of these systems include safeguarding assets, adhering to policies, and preventing fraud, with both management and external auditors relying on effective internal controls for their respective functions. Key components of internal control include the control environment, control activities, risk assessments, information and communication, and monitoring, which vary based on the organization's size and nature.

Uploaded by

Tesfisha Altaseb

UNIT FOUR

INTERNAL CONTROL SYSTEMS


4.1 Meaning of Internal Control

Differences of opinion have long existed about the meaning and objectives of internal control. Many people
interpreted the term internal control as the steps taken by a business to prevent fraud, both
misappropriation of assets and fraudulent financial reporting. Others, while acknowledging the importance
of internal control for fraud prevention, believed that internal control has an equal role in assuring control
over manufacturing and other processes. In the broadest sense, an enterprise’s internal control structure
consists of the policies and procedures established to provide reasonable assurance that the organization’s
objectives will be achieved.
After the establishment of the Committee of Sponsoring Organizations [COSO] by major professional
organizations, the committee commissioned a study to establish a common definition of internal control.
The study, titled Internal Control-Integrated Framework, defines internal control as:
A process, effected by the entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
• Reliability of financial reporting.
• Effectiveness and efficiency of operations.
• Compliance with applicable laws and regulations.

The above three categories in the definition can be explained as follows:

• Reliability of financial reporting - Management has both a legal and a professional responsibility to
be sure that the information presented in the financial statements for investors, creditors, and other
users is fairly prepared in accordance with the reporting requirements (Generally Accepted
Accounting Principles).
• Enhancing efficiency and effectiveness of operations - An adequate control system should be
established by organizations to encourage efficient and effective utilization of resources (financial,
human and material) to optimize the company's goals and objectives. On top of this, internal
control systems should safeguard the assets and records of the organization from theft, misuse,
embezzlement, misappropriation and accidental damage.
• Compliance with applicable laws and regulations - There are many laws, regulations and
procedures that organizations are required to follow, some of which are only indirectly related to
accounting (environmental protection and civil rights laws). Others, such as income tax regulations
and fraud, are closely related to accounting.

COSO’s definition of internal control emphasizes that internal control is a process, or a means to an
end, and not an end in itself. The process is effected by individuals, not merely policy manuals,
documents, and forms. By including the concept of reasonable assurance, the definition recognizes that
internal control cannot realistically provide absolute assurance that an organization’s objectives will be
achieved. Reasonable assurance recognizes that the cost of an organization’s internal control system should
not exceed the benefit expected to be obtained.

The American Institute of Certified Public Accountants [AICPA] defined internal control as follows:

Internal control comprises the plan of an organization and all of the coordinated methods and
measures adopted within a business to safeguard its assets, check the accuracy and reliability of its
accounting data, promote operational efficiency and encourage adherence to prescribed managerial
policies.

4.2 Objectives of Internal Control System


Among internal control system objectives, the following are the common ones:
1) To adhere to policies and procedures laid down by management.
2) To safeguard assets.
3) To ensure that the enterprise is conducted in an orderly and efficient manner.
4) To prevent and detect fraud and error.

To accomplish these objectives, management needs an adequate and reliable system of internal control, for
which management bears the primary and sole responsibility.
To the external auditors, internal control is of equal importance. The quality of the internal controls
in force, more than any other factor, determines the pattern of their examination. Thus, both auditors and
management need a system of internal control to perform their respective functions. However, the auditors’
objective for internal control is not the same as management’s. The external auditors’ objective in their
study and evaluation of the system of internal control is to determine the nature, extent and timing of the
audit work necessary to express an opinion as to the fairness of the financial statements.

An auditor obtains information about internal control and uses that information as a basis for audit
planning. The auditor considers internal control by first obtaining an understanding of internal control,
which is then used to initially assess control risk. When the auditor’s control risk assessment is below
maximum, the auditor considers how those results affect planned detection risk and substantive testing.
The following are reasons for studying internal control:
• To be satisfied that sufficient, competent evidence is available to support the audit of the financial
statements
• To identify potential material misstatements
• To assess control risk for each objective, which affects planned detection risk and planned audit
procedures
• To allow the auditor to design effective tests of financial statement balances and analytical procedures

4.3 Scopes and Types of Internal Controls
The system of internal control involves the plan of organization and various other methods and procedures.
The plan of organization refers to the organizational structure and the method of assigning authorities and
responsibilities. An appropriate plan of organization is significant for effective operation of the entire internal
control system. Similarly, proper authorities and responsibilities can be allocated in such a manner that no
single person has control over all the phases of any significant transaction. This minimizes the
possibility of errors and fraud.
The plan of organization refers to the study of authority, responsibilities and duties among members of an
organization. A well-designed organization plan is a first step to assure that transactions are executed in
conformity with company policies, to enhance the efficiency of operations, to safeguard assets, and to
promote the reliability and timely preparation of accounting data. These objectives may be achieved in
large part through adequate separation of responsibility for initiation or approval of transactions, custody of
assets and record keeping. When accounting and custodial departments are relatively independent, the
work of each department serves to verify the accuracy of the work of the other.
An internal control system has a wide coverage that extends beyond those matters that relate directly to
the functions of the accounting system. From this angle, internal control can be divided into two broad
categories, accounting and administrative controls.

Auditors are primarily interested in internal control of an accounting nature, those controls bearing
directly upon the dependability of accounting records and the financial statements. For example,
preparation of monthly bank reconciliation by an employee not authorized to issue checks or handle cash is
an internal accounting control that increases the probability that cash transactions are presented fairly in the
accounting records and financial statements. Some internal controls have no bearing on the financial
statements and consequently are not of direct interest to the independent public accountant. Controls of this
nature are often referred to as administrative controls. Management is interested in maintaining strong
internal control over factory operations and sales activities as well as over accounting and financial
functions. Accordingly, management will establish administrative controls, to provide operational
efficiency and adherence to prescribed policies in all departments of the enterprise.

Statement of Auditing Standards states that administrative control includes, but is not limited to, the plan of
organization and the procedures and records that are concerned with the decision processes leading to
management’s authorization of transactions. Such authorization is a management function directly
associated with the responsibility for achieving the objectives of the organization and is the starting point
for establishing accounting control of transactions.
Accounting control comprises the plan of organization and procedures and records that are concerned with
the safeguarding of assets and the reliability of financial records and consequently are designed to provide
reasonable assurance that:
• Transactions are executed in accordance with management’s general or specific authorization.
• Transactions are recorded as necessary to permit preparation of financial statements in conformity
with generally accepted accounting principles or any other criteria applicable to such statements and
to maintain accountability for assets.
• Access to assets is permitted only in accordance with management’s authorization.
• The recorded accountability for assets is compared with the existing assets at reasonable intervals
and appropriate action is taken with respect to any differences.
Both accounting and administrative controls are derived from the organization’s policies established by
management; they are the means by which company policies are satisfactorily accomplished. Therefore,
auditors should be aware of these policies and review them in terms of their impact on internal control.
The accounting system must be able to measure the performance and efficiency of the individual
organizational units. An accounting system with this capability should include:
1. Adequate documentation
2. Chart of accounts
3. Manual of accounting policies and procedures
4. Financial forecasts
In general, accounting controls related to the accounting system are:
a) Execution of transactions in accordance with management’s authorization
b) Prompt recording of transactions in the proper manner
c) Maintaining accountability to safeguard assets
Accounting controls should further include:
• Proper segregation of duties relating to the accounting function
• Rotation of duties
• Periodic reconciliation
• Checking the arithmetical accuracy of the records
• Maintenance of control accounts and preparation of periodic trial balances
• Approval and control of documents
• Comparison with external sources of information
• Comparison of actual figures with budgets
4.4 Components of Internal Control
Internal control varies significantly from one organization to another, depending on such factors as
their size, nature of operations, and objectives. Internal controls of large-scale organizations,
however, have certain common characteristics termed components of internal control. The five
components of internal control are:

1. The control environment

2. Control activities

3. Risk assessment

4. Information (accounting) and communication

5. Monitoring

We will discuss each of them as follows:

1. The Control Environment - The control environment consists of actions, policies and procedures
that reflect the overall attitudes of top management, directors, and owners of the entity about control
and its importance to the entity. The auditors need to consider the following to assess and
understand the control environment.

• Integrity and ethical values - These are the product of the entity's ethical (code of conduct) and
behavioral values and how they are communicated and reinforced in practice. The effectiveness
of internal control depends directly on the integrity and ethical values of the personnel who
are responsible for creating, administering and monitoring controls. It includes management
action to remove or reduce incentives and temptations that might prompt personnel to engage
in dishonest, illegal or unethical acts.

• Commitment to competence - Competence is the knowledge and skill necessary to accomplish
tasks that define the individual's job. Employees should possess the skill and knowledge
essential to perform their jobs, because they may be ineffective if they lack the necessary skill
and knowledge. Thus, management should be committed to hiring employees with an appropriate
level of education and experience, and providing them with adequate supervision and
training.

• Board of directors or audit committee participation - The control environment of an organization
is significantly influenced by the effectiveness of its board of directors or the audit committee.
Factors that bear on the effectiveness of the board or the audit committee consist of the
degree of its independence from management, the experience and the stature of its
members, the extent to which it raises difficult questions with management and its
interaction with external and internal auditors.

• Management philosophy and operating style - Managements differ in both their philosophy
towards financial reporting and their attitudes towards taking business risks. Some
managements aggressively emphasize meeting or exceeding earnings projections in their
financial reporting and are willing to undertake high-risk activities in pursuit of high
returns. Others are extremely conservative and risk averse. Management's philosophy and
operating style is also reflected in the way the organization is managed, that is, whether
control is informal (face-to-face contact between employees and management) or
formal (the organization establishes written policies, performance reports, and exception
reports to control its various activities).

• Organization structure - The entity's organizational structure defines the lines of
responsibility and authority that exist. By understanding the client's organizational structure,
the auditor can learn the management and functional elements of the business and perceive
how controls are carried out.

• Assignment of authority and responsibility - Personnel in an organization need to have a clear
understanding of their responsibilities and the underlying rules and regulations that govern
their actions. Therefore, management should develop employee job descriptions and clearly
define authority and responsibility within the organization so that the control environment can
be enhanced.

• Human resource policies and practices - The most important aspect of internal control is
personnel. If employees are competent and trustworthy, other controls can be absent and
reliable financial reports will still result from the system, as honest and efficient people are
able to perform at a high level even when there are few other controls to support them.
Because of the importance of competent and trustworthy personnel in providing effective
control, the policies and practices by which persons are hired, trained, oriented, and evaluated
play a significant role.

2. Control Activities - These are the policies and procedures, in addition to those included in the other four
components, that help ensure that the necessary actions are considered to address risks in the
achievement of the entity's objectives. Although there are several such control activities in an entity,
they fall into the following five categories:

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent check on performance

Adequate separation of duties - The following four general guidelines for separation of duties to
prevent both fraud and errors are of significant importance to auditors:

• Separation of the custody of assets from accounting - The reason for not permitting the person
who has temporary or permanent custody of an asset to account for that asset is to protect the
firm against defalcation. When one person performs both functions, there is an excessive risk
of that person's disposing of that asset for personal gain and adjusting the records to relieve
himself or herself of the responsibility.

• Separation of authorization of transactions from the custody of related assets - It is desirable
to prevent persons who authorize transactions from having control over the related assets. For
instance, the same person should not authorize the payment of a vendor's invoice and sign
checks in payment of the bill, as this situation increases the possibility of defalcations in the
organization.

• Separation of operational responsibility from record keeping responsibility - If each
department or division in an organization were responsible for preparing its own reported
performance, the information could be biased. In order to ensure unbiased information, record keeping is typically included in
a separate department under the controller.

• Segregation of duties within electronic data processing - It is desirable to separate the major
functions within the electronic data processing to the extent possible. The duties of system
analysts, programmers, computer operations and data librarians should be separated.

Proper authorization of transactions and activities - Every transaction should be appropriately
authorized if controls are to be satisfactory. If any person in an organization could acquire and expend
assets at will, complete chaos would result. Authorization can be either general or specific and is
different from approval. Authorization is a policy decision for either a general class of transactions or
specific transactions. Approval is the implementation of management's general authorization
decisions. For instance, assume that management sets a policy authorizing the ordering of raw materials
when there is less than one month's supply on hand (i.e. general authorization). When the responsible
department orders raw materials, the clerk responsible for maintaining the perpetual record approves
the order to indicate that the authorization policy has been met.

Adequate documents and records - Documents and records are the physical objects upon which
transactions are entered and summarized. Documents perform the function of transmitting
information throughout the client's organization and between different organizations. The documents
must be adequate to provide reasonable assurance that all assets are properly controlled and all transactions
correctly recorded.

Physical control over assets and records - are those controls that provide physical security over both
records and other assets. Activities that safeguard assets include maintaining control at all times over
unissued pre-numbered documents, as well as other journals and ledgers, and restricting access to
computer programs and data files. Only authorized persons should have access to the company's
valuable assets. Direct physical access to assets may be controlled through the use of safes, locks,
fences, and guards. Improper indirect access to assets, generally accomplished by falsifying financial
records, must also be prevented. Periodic comparisons should be made between accounting records
and the physical assets on hand to detect the waste, loss or theft of the related assets.

Independent check on performance - It is continuous and careful review of the other four control
activities (i.e. an internal verification). The need for independent checks arises because personnel are
likely to forget or intentionally fail to follow procedures, or become careless unless someone
observes and evaluates their performance. An essential characteristic of the persons performing
internal verification procedure is independence from the individuals originally responsible for
preparing the data.

3. Risk assessment - Management should carefully identify and analyze the factors that affect the
risk that the organization's objectives will not be attained, and then attempt to manage those risks.
The scope of management's risk assessment is comprehensive in that it involves consideration of
all the factors that affect the organization's objectives. Auditors are concerned only with those risks
associated with the objective of reliable financial reporting, that is, threats to preparing financial statements in
accordance with generally accepted accounting principles. The following factors might be indicative
of increased financial reporting risk for an organization:

• Changes in the organization's regulatory or operating environment and personnel

• Implementation of new or modified information systems and corporate restructurings

• Changes in technology affecting production processes and information systems

• Introduction of new lines of business, products or processes

• Rapid growth of the organization and expansion or acquisition of foreign operations

• Adoption of new accounting principles or changes in accounting principles

4. Information and communication - The purpose of an entity's accounting information and
communication system is to identify, assemble, classify, analyze, record and report the entity's
transactions and to maintain accountability for the related assets.

5. Monitoring - Monitoring activities deal with ongoing or periodic assessment of the quality of
internal control performance by management to determine that controls are operating as intended
and whether any modifications are necessary.

4.5 Documentation of the Understanding


Three commonly used methods of documenting the understanding of internal control are narratives,
flowcharts, and internal control questionnaires.
1. Narrative: a narrative is a written description of the client’s internal control system. A proper narrative of an accounting
system and related controls includes four characteristics:
• The description should state where customer orders come from and how sales invoices are generated
• All processes that take place
• The disposition of every document and record in the system
• An indication relevant to the assessment of control risk
2. Flowchart: an internal control flowchart is a symbolic, diagrammatic representation of the client’s
documents and their sequential flow in the organization. An adequate flowchart includes the four
characteristics identified for narratives. A flowchart is advantageous primarily because it provides a concise
overview of the client’s system, which is useful to the auditor as an analytical tool in evaluation. A well-prepared
flowchart aids in identifying inadequacies by facilitating a clear understanding of how the system
operates. For most uses, it is superior to narratives as a method of communicating the characteristics of a
system, especially to show adequate separation of duties.
3. Internal Control Questionnaire: an internal control questionnaire asks a series of questions about the
controls in each audit area as a means of indicating to the auditor aspects of internal control that may be
inadequate. In most cases, it is designed to require a yes or no response, with a "no" response indicating potential
internal control deficiencies. The primary advantage of using a questionnaire is the ability to thoroughly
cover each audit area reasonably quickly at the beginning of the audit. The primary disadvantage is that
individual parts of the client’s system are examined without providing an overall view.
4.6 Internal Control and Auditors

Internal audit is a management control mechanism established internally, arising out of the need
for verification, evaluation and compliance of internal operations. It is designed for management's internal
purposes. As such, internal audit is part of the internal control system in the organization, while at the
same time internal audit (or the internal auditor) is responsible for the surveillance of the effectiveness of the internal
control system, including its weaknesses and strengths. As mentioned earlier, the external auditor’s interest
in internal control is to help him determine the extent of reliability of the organization’s results and
the effectiveness of control of its operations. To this end, he reviews the internal control (a) to understand the
existing control systems and procedures, and (b) to evaluate their adequacy in fulfilling internal control
objectives, by identifying strengths and weaknesses. It is worth noting here that the study and review of
internal control is part of the independent auditor’s standard of fieldwork. He accomplishes this objective
through:
(a) Internal control questionnaire
(b) Interview
(c) Testing (compliance test)
(d) Study of organization charts, manuals and procedures.
Through compliance testing, he tries to identify weaknesses. If the compliance test shows the controls to be reliable, it
decreases the need for substantive tests, and vice versa. The compliance test determines whether internal control
systems and procedures are actually present and effective, and thus establishes the congruence in the
procedures of the system. A distinction must be made between the preliminary review and the extensive review,
the latter being carried out during the examination process.
4.7 Internal Auditing
Internal auditing is a service function established within an organization to examine and evaluate its
activities. Internal audits may focus on financial reporting (financial audits); compliance with policies,
procedures, laws, or regulations (compliance audits); fraud detection (fraud audits); or operational
efficiency and effectiveness (operational audits).
Responsibility and Authority

Internal auditing is a staff function; therefore, the auditor ideally does not hold a line function. His
position and place in the organization are determined by the scope of the function he performs and the extent of
responsibility entrusted to him by management. It is desirable that he be placed as high as possible
in the organization structure if he is truly to be of “service to management” without intimidation, and be in a
position of surveillance over all the organization’s activities.

Internal Audit Report

The end product of any audit work culminates in the writing of an audit report, but unlike the external auditor's report,
the internal audit report is not a standardized short-form report in its contents; consequently, the audit report of the
internal auditor requires a lot of imagination and creativity, with communicative ability, in its writing. The
audit report should basically contain the following:
• Details of the purpose and scope of the audit
• Description of the tools and procedures of the audit
• Findings, suggestions and opinions
• Recommendations
It is important that verbosity and negative criticism be avoided, while cooperation and constructive
suggestions should be emphasized.

Internal Auditing and External Auditing

There are similarities as well as differences between internal auditing and external auditing. The
similarities could be in terms of scope, and functions, tools and procedures. The differences lie
mainly in selection and employment, remuneration, qualification and independence.
Some question why, if there is external auditing, there is a need for internal
auditing, or vice versa. However, an in-depth understanding of the objectives and purposes of internal and
external auditing can show that they should be complementary rather than competitive. If the internal
auditing function is strong and wide, and performed by qualified persons, then the results of the operation of
the organization can be reliable, which in turn assists in decreasing the scope of audit work by the external
auditor, and thus reduces the cost of the external audit fee. But the purposes of audit of the external and internal
auditor are quite distinct, and neither can be a substitute for the other’s responsibility.
