INTERNAL CONTROL

A) What is IC?
A set of policies & procedures designed by management and aimed at aiding a company in achieving its
objectives & goals being: Management has typically three broad objectives in design an effective internal
control system:
1. Reliability of financial reporting: meaning that manag is respon to prepare financial statements for
investors, creditors and other users. Thus, manag has the legal and professional responsibility to be sure that
the information is fairly represented in accordance with GAAP.

2. Efficiency & effectiveness of operations: meaning that are done some controls in the organization to
encourage efficient and effective use of its operations to achieve company’s goals. Objective of these
controls could be accurate financial and non-financial information about the business operations for decision
making.

3. Compliance with laws & regulations (state, industry, corporate): the law requires public, non public and
non profitable organization to follow laws and regulations. Some are related to accounting some to
environmental issues some to civil law rights

B) Management Responsibility:
• To develop an IC system that provides reasonable assurance but not absolute assurance, that FS will be
fairly stated. Reasonable assurance is stated to show that there is a small chance of material
misstatements will no be prevented or detected by the i.c system.

• Inherent limitations in IC (human error or collusion):a system can not be completely effective even if is
design and implement carefully. Even if the personnel can design an ideal system, its effectiveness will
depend on the competency and dependability of the employees using it. For example, if a company is
about to count inventories and has two employees to this job independently. However, if one of
employees understand instructions or are careless during this procedure the inventory account would be
wrong. Moreover employees could steal some stock and decide to overstate the account in order to cover
up losses or manag ask to overstate them in order to show improve earnings. This is called collusion.

• Most developed countries require that management of public companies include in their AFS a report on
IC that:
- States that they are responsible for designing, implementing, maintaining & monitoring an
adequate IC structure & procedures for reliable financial reporting
- Assesses the IC structure & procedures for financial reporting for the year under question as
to: i) evaluating the adequacy of the designed controls in preventing/detecting mat miss.
ii) Additionally prepare some tests to see the effectiveness of the designed controls.

C) Auditors Responsibility:
Def(GAAS): Sufficient understanding of IC so that an auditor may plan the audit and determine nature,
time and extent of tests to be performed. Achieved by:
• Auditors are concerned about controls related to the i) reliability of financial reporting meaning that
because this are reflects the F.S may directly effect the auditors ability to say if F.S are fairly
represented.
• And ii) classes of transactions (see E below): meaning that the accounts balances depend heavily in the
transactions. For example if products sold or product selling price is wrong both sales and accounts
receivable will be misstated.
• Testing IC controls (see E below): Meaning that the auditor in order to express an opinion should have a
significant understanding of I.c and perform test of controls to all account balances classes of
transactions or disclosures in the F.S.
• Reporting on whether managements assessment of design & operating effectiveness of IC over financial
reporting is fairly stated in all material aspects; this involves both auditor’s evaluation on manag
assessment and auditor’s independence.
D) Components of IC (Mngmnt responsibility):
Control Environment
1. Integrity & ethical values
If manag is ethical and
integrated all organization
will b like that.
2. Commitment to
competence
Requires knowledge and
skills to accomplish the task
3.Board of Dir/AC
participation
Independent of management,
participate and control manag
activities of D can create an
audit committee which is resp
for financial repors,both
discuss matters related to
integrity and manag actions
4.Mng philosophy & style
Through its actions give clear
signals to employees.Mang
can be risky or risk averse
5. Organisational structure
Respo and authority good
understanding of these
6. assignment of auth & resp
Formal methods of commun
about resp and auth very
important
7. HR policies & practices
Most important aspect of I.C
is personnel
Competent and trustworthy
employees can give reliable
F.S even other controls can
be absent
Risk Control Activities Information Monitoring
Assessment &
Communicati
on
Management: 1.Adequate separation Transactions By internal
1. Identify risks of duties: are auditors or
2.Estimate i) separ of custody of assets from initiated appropriate
signif accounting:meaning to a person who recorded person
3.Assess has permanent custody of an asset processed
probab should not account for that asset.e.g,,a reported
of occurring cashier when receives money can &
4.Develop pocket that money and entry data accountabilit
actions faulsy data in cash receips y
decr risks to ii) separ of transaction of auth of for related
acceptable cutody of related assets. assets are
level Prevent persons who authorize maintained
5. Mng risk transactions from having control over
related to the assets because this raises the in a way that
auditors risk probability of misstatements.e.g, the mngmnt/audi
same person should not authorize the t
payment of a vendor’s and also sign objectives for
the check in payment of the bill particular
iii)sep operational resp from transaction
Record keeping respo.to ensure are
unbiased info, record keeping is met.
typically included in a separate
depar.e.g, a depart preparing its own
reports may bias the info to show
higher performance.
iv)Sep IT duties from users Depart.
The higher the level complexity of i.t
the authorization, record keeping
,custody becomes difficult
tasks.E.g,sales agent entering
customer orders online.the computer
see the customers credit file and
authorize the transc.however the
customer credit file should be out of
i.t depart because personnel there may
manipulate the data.
2. Proper authorisation of trnscn &
activitiesTwo types of autho;general
and specific.General is when manag
set policies and are subordinated by
implementing and approving tranc in
the limits set by policies.e.g fixed
price for products,customer credit
limit e.c.t.whweas is specific as the
word says auth is done on a case by
case basis.e.g author of sale tranc of
sales manager for a car used company
4. Adequate docs & records
Are physical objects upon which
transc are entered.e.g,sales,purchases
invoices,employee time cards.
5. Physical cntrl over ass & records
Protect asset from stealing damaging
or losses.E.g a competent employee
safe guarding inventories
6. Indep checks on performance.
highly related with human
error.Banks reconciliation be done by
a guy who has not accounting records
or cash receips.
E) Auditing IC:
1) Obtain & document understanding of IC by way of:
• Narrative written should have four characteristics:
• 1. Origin of every document & record in system: meaning that should state when customer’s orders
come from and how sales invoices are generated.
2. Describe the processing of the above: meaning that if sales amounts are determined by a computer
program that multiplies quantities shipped by stand prices kept in price files, that process should be
described
3. Disposition of every document filing/sending/destruction: meaning that the filling of the documents,
sending them to the customers or destroying them should be shown.
4. Tabulation of designed controls: meaning typically separation of duties authorization and approvals
and internal verification

• Flowcharts are a diagram of the client’s documents and their sequential flow in the organization. Also
include the same four characteristics as in narrative
• Internal Control Questionnaires asks a series of questions about the controls in each audit area as well as
uncovered aspects of I.C. usually the answers are given by ‘yes’ or ‘no’.
• Evaluate if cntls actually put in place complied to by way of:
1. Inquire from client personnel: meaning that in order to determine if the system operates as
design the auditor should ask management, supervisors and staff to tell them duties. A careful
questionnaire will help Auditor to understand if employees are doing what I.C documentation
requires them to do.
2. Examine docs & records: The five components of I.C create a lot of documents. By examine
all these documents records, computer files, the auditor can evaluate whether the information in
flowcharts and narrative has been placed in operations
3. Observe actions: the auditor can observe client personnel carrying out their normal duties and
control activities. This will further help the auditor to understand if controls have been place in
operations
4. Perform walkthrough tests: all above can be combined in a form of transaction
walfthrough.This means that the auditors has to select one or a few documents for opening of a
transaction type and this is traced through the entire accounting process. The auditor id required
by the PCAOB to do so.

NOTE: the above is done for every cycle, transaction class & account

2) Assess control risk per each cycle/transaction/account

• Control risk matrix: 1.Identify transaction related audit objectives

2. Identify existing controls
3. Associate controls with transaction related audit objectives
4 Identify & evaluate control deficiencies, significant deficiencies and material
weaknesses
5. Associate control deficiencies, significant deficiencies and material
weaknesses with transaction related audit objectives
6. Assess control risk for each transaction related audit objective

*control def: design/operation of IC does not permit timely prevention/detection

*significant def: I or more control deff exist & more than remotely likely will result
in a more than inconsequential misstatement

*material weakness: 1 or more significant deff exists and more than remotely likely
that mat miss will not be prevented/detected

3) Testing of controls
(Done later on same selections selected for detailed testing under substantive testing phase)
• Inquire
• Examine doc
• Observe actions
• Re-perform
Note: What happens if found inadequate? Increase control risk which will increase substantive tests

Thereafter auditor decides on PDR and extent of substantive testing and finally opinion in audit report