
Chapter - one

Internal control system

By Anteneh D.
Definition of internal control
Internal control—a process designed to provide reasonable assurance regarding the achievement of company objectives in the:
• Reliability of financial reporting,
• Effectiveness and efficiency of operations, and
• Compliance with applicable laws and regulations
A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals. These policies and procedures are often called controls, and collectively, they make up the entity’s internal control.
Objectives of internal control
• Management typically has three broad objectives in designing an effective internal control system:
• Reliability of financial reporting. As we have discussed previously, management is responsible for preparing statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements of accounting frameworks such as GAAP and IFRS. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.
• Efficiency and effectiveness of operations. Controls within a company encourage efficient and effective use of its resources (both human and non-human resources) to optimize the company’s goals.
• Compliance with laws and regulations. Management of all public companies is legally required to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations.
• Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and anti-fraud legal provisions.
• Management designs systems of internal control to accomplish all three objectives. The auditor’s focus in both the audit of financial statements and the audit of internal controls is on controls over the reliability of financial reporting plus those controls over operations and compliance with laws and regulations that could materially affect financial reporting.
Components of internal control (The COSO framework)
• COSO’s Internal Control—Integrated Framework, the most widely accepted internal control framework in the United States, describes five components of internal control that management designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.
• The COSO internal control components include the following:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
• The control environment serves as the umbrella for the other four components. Without an effective control environment, the other four are unlikely to result in effective internal control, regardless of their quality.
• The essence of an effectively controlled organization lies in the attitude of its management. If top management believes that control is important, others in the organization will sense this commitment and respond by conscientiously observing the controls established.
• If members of the organization believe that control is not an important concern to top management, it is almost certain that management’s control objectives will not be effectively achieved.
The control environment
• The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity. To understand and assess the control environment, auditors should consider the most important control subcomponents.
• Integrity and Ethical Values: Integrity and ethical values are the product of the entity’s ethical and behavioral standards, as well as how they are communicated and reinforced in practice. They include management’s actions to remove or reduce incentives and offers that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements, codes of conduct, and by example.
• Commitment to Competence is the knowledge and skills necessary to accomplish tasks that define an individual’s job. Commitment to competence includes management’s consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge.
• Board of Directors or Audit Committee Participation: The board of directors is essential for effective corporate governance because it has ultimate responsibility to make sure management implements proper internal control and financial reporting processes. An effective board of directors is independent of management, and its members stay involved in and examine management’s activities.
• To assist the board in its oversight, the board creates an audit committee that is charged with oversight responsibility for financial reporting. The audit committee is also responsible for maintaining ongoing communication with both external and internal auditors, including the approval of audit and non-audit services done by auditors for public companies.
• The audit committee’s independence from management and knowledge of financial reporting issues are important determinants of its ability to effectively evaluate internal controls and financial statements prepared by management.
• Management’s Philosophy and Operating Style: Management, through its activities, provides clear signals to employees about the importance of internal control. For example, does management take significant risks, or is it risk averse? Are sales and earnings targets unrealistic, and are employees encouraged to take aggressive actions to meet those targets? Understanding these and similar aspects of management’s philosophy and operating style gives the auditor a sense of management’s attitude about internal control.
• Organizational Structure: The entity’s organizational structure defines the existing lines of responsibility and authority. By understanding the client’s organizational structure, the auditor can learn the management and functional elements of the business and perceive how controls are implemented.
• Human Resource Policies and Practices: The most important aspect of internal control is personnel. If employees are competent and trustworthy, other controls can be absent, and reliable financial statements will still result. Incompetent or dishonest people can reduce the system to a shambles—even if there are numerous controls in place.
• Honest, efficient people are able to perform at a high level even when there are few other controls to support them. However, even competent and trustworthy people can have shortcomings. For example, they can become bored or dissatisfied, personal problems can disrupt their performance, or their goals may change.
• Because of the importance of competent, trustworthy personnel in providing effective control, the methods by which persons are hired, evaluated, trained, promoted, and compensated are an important part of internal control.
• After obtaining information about each of the subcomponents of the control environment, the auditor uses this understanding as a basis for assessing management’s and directors’ attitudes and awareness about the importance of control. For example, the auditor might determine the nature of a client’s budgeting system as a part of understanding the design of the control environment. The operation of the budgeting system might then be evaluated in part by inquiry of budgeting personnel to determine budgeting procedures and follow-up of differences between budget and actual
Risk assessment
• Risk assessment for financial reporting is management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with appropriate accounting standards. For example, if a company frequently sells products at a price below inventory cost because of rapid technology changes, it is essential for the company to incorporate adequate controls to address the risk of overstating inventory.
• Similarly, failure to meet prior objectives, quality of personnel, geographic dispersion of company operations, significance and complexity of core business processes, introduction of new information technologies, economic downturns, and entrance of new competitors are examples of factors that may lead to increased risk. Once management identifies a risk, it estimates the significance of that risk, assesses the likelihood of the risk occurring, and develops specific actions that need to be taken to reduce the risk to an acceptable level.
• Management’s risk assessment differs from but is closely related to the auditor’s risk assessment. While management assesses risks as a part of designing and operating internal controls to minimize errors and fraud, auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks.
• Auditors obtain knowledge about management’s risk assessment process using questionnaires and discussions with management to determine how management identifies risks relevant to financial reporting, evaluates the significance and likelihood of the risks occurring, and decides the actions needed to address the risks.
Control activities
• Control activities are the policies and procedures, in addition to those included in the other four control components, that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. There are potentially many such control activities in any entity, including both manual and automated controls.
The control activities generally fall into the following five types, which are discussed next:
• Adequate separation of duties
• Proper authorization of transactions and activities
• Adequate documents and records
• Physical control over assets and records
• Independent checks on performance
• Adequate Separation of Duties: Four general guidelines for adequate separation of duties to prevent both fraud and errors are especially significant for auditors.
• A. Separation of the Custody of Assets from Accounting: To protect a company from embezzlement, a person who has temporary or permanent custody of an asset should not account for that asset. Allowing one person to perform both functions increases the risk of that person disposing of the asset for personal gain and adjusting the records to cover up the theft.
• If the cashier, for example, receives cash and is responsible for data entry for cash receipts and sales, that person could pocket the cash received and adjust the customer’s account by failing to record a sale or by recording a fictitious credit to the account.
• B. Separation of the Authorization of Transactions from the Custody of Related Assets: It is desirable to prevent persons who authorize transactions from having control over the related asset, to reduce the likelihood of embezzlement. For example, the same person should not authorize the payment of a vendor’s invoice and also approve the disbursement of funds to pay the bill.
• C. Separation of Operational Responsibility from Record-Keeping Responsibility: To ensure unbiased information, record keeping is typically the responsibility of a separate department reporting to the controller. For example, if a department or division oversees the creation of its own records and reports, it might change the results to improve its reported performance.
• D. Separation of IT Duties from User Departments: As the level of complexity of IT systems increases, the separation of authorization, record keeping, and custody often becomes blurred. For example, sales agents may enter customer orders online. The computer authorizes those sales based on its comparison of customer credit limits to the master file and posts all approved sales in the sales cycle journals.
• Therefore, the computer plays a significant role in the authorization and record keeping of sales transactions. To compensate for these potential overlaps of duties, it is important for companies to separate major IT-related functions from key user department functions.
• In this example, responsibility for designing and controlling accounting software programs that contain the sales authorization and posting controls should be under the authority of IT, whereas the ability to update information in the master file of customer credit limits should reside in the company’s credit department outside the IT function.
• Proper Authorization of Transactions and Activities: Every transaction must be properly authorized if controls are to be satisfactory. If any person in an organization could acquire or expend assets at will, complete chaos would result.
• Authorization can be either general or specific. Under general authorization, management establishes policies and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions.
• Specific authorization applies to individual transactions. For certain transactions, management prefers to authorize each transaction. An example is the authorization of a sales transaction by the sales manager for a used car.
• Adequate Documents and Records are the records upon which transactions are entered and summarized. They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards. Many of these documents and records are maintained in electronic rather than paper formats.
• They are essential for correct recording of transactions and control of assets.
• Physical Control over Assets and Records: To maintain adequate internal control, assets and records must be protected. If assets are left unprotected, they can be stolen. If records are not adequately protected, they can be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations.
• When a company is highly computerized, its computer equipment, programs, and data files must be protected. The data files are the records of the company and, if damaged, could be costly or even impossible to reconstruct.
• The most important type of protective measure for safeguarding assets and records is the use of physical precautions. An example is the use of storerooms for inventory to guard against theft.
• Independent Checks on Performance: The last category of control activities is the careful and continuous review of the other four, often called independent checks or internal verification. The need for independent checks arises because internal controls tend to change over time, unless there is frequent review. Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance.
Information and Communication
• The purpose of an entity’s accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets. An accounting information and communication system has several subcomponents, typically made up of classes of transactions such as sales, sales returns, cash receipts, acquisitions, and so on.
• For example, the sales accounting system should be designed to ensure that all shipments of goods are correctly recorded as sales (completeness and accuracy objectives) and are reflected in the financial statements in the proper period (timing objective). The system must also avoid duplicate recording of sales and recording a sale if a shipment did not occur (occurrence objective).
Monitoring
• Monitoring activities deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions.
• The information being assessed comes from a variety of sources, including studies of existing internal controls, internal auditor reports, exception reporting on control activities, reports by regulators such as bank regulatory agencies, feedback from operating personnel, and complaints from customers about billing charges.
• For many companies, especially larger ones, an internal audit department is essential for effective monitoring of the operating performance of internal controls. To be effective, the internal audit function must be performed by staff independent of both the operating and accounting departments and report directly to a high level of authority within the organization, either top management or the audit committee of the board of directors.
• In addition to its role in monitoring an entity’s internal control, an adequate internal audit staff can reduce external audit costs by providing direct assistance to the external auditor.
Tests of controls – Evaluating internal control system
• The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls. Now we’ll address how auditors test those controls that are used to support a control risk assessment.
• For example, each key control that the auditor intends to rely on to support a control risk of medium or low must be supported by sufficient tests of controls.
Purpose of Tests of Controls
• Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they are likely to be effective in meeting related audit objectives.
• During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding.
• If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered.
• For example, the tests may indicate that the application of a control was curtailed midway through the year or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk.
Procedures for Tests of Controls
• The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Management’s testing of internal control will likely include the same types of procedures. The four types of procedures are as follows:
1. Make inquiries of appropriate client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security password assignments.
2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. Then the customer order is attached to the sales order as authorization for further processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present.
3. Observe control-related activities. Some controls do not leave an evidence trail, which means that it is not possible at a later date to examine evidence that the control was executed. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes them being applied at various points.
4. Reperform client procedures. There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditor’s purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices.
• In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can reperform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure is operating as intended.
