
3. Internal control can be expected to provide reasonable assurance of achieving the entity's objectives

- There is no such thing as a perfect control system.
- Internal control is not a failsafe mechanism.
- Effective internal control helps an organization achieve its objectives; it does not ensure success.
- Internal control systems can and often do fail, with potential material consequences, especially when such failures are related to instances of fraud, corruption and business failure.
- Any system of internal control is constantly exposed because of certain inherent factors, i.e. factors inherent within the concept of internal control as generally defined and applied. This applies to all systems of internal control, irrespective of design, size and environment.
- The degree to which these inherent limitations are present or are under control can, however, differ, because individual internal control systems are implemented, operated and managed differently, including the influence of subjective characteristics such as attitudes, integrity, ethical values, etcetera.
- The threat posed by inherent internal control limitations can never be eliminated, but it can be minimized; it can be kept in check.

Example: The controls over fixed assets include: maintaining an assets register, verifying the existence and
condition of assets periodically, and developing policies for authorization of asset disposal.
It is because of inherent limitations (listed below) that may affect the internal control's effectiveness:

a. Management's usual requirement that the cost of an internal control should not exceed the expected benefits to be derived.

- Internal control is subject to cost-benefit considerations. Internal control could be made perfect, or nearly so, but at great expense.
- Reducing or confining the cost of internal control systems will restrict the effectiveness of internal control systems to a certain degree, such as in reducing the control risk of not detecting errors and fraud.

Example: Television monitors could be put in place or armed guards could be hired to safeguard inventory. At some point, the cost of protecting inventory from theft exceeds the benefit of the internal control activity.

b. Most internal controls tend to be directed at routine transactions rather than non-routine transactions.

- The ability to predict the likelihood of non-routine transactions arising means that it is less likely that systems will be designed to cope with such transactions.
- Most internal controls tend to focus primarily on routine activities, leaving abnormal, extraordinary or ad-hoc activities/operations largely unattended.

Example: The purchase of a very expensive non-current asset with an unusual and complex specification.

c. The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions.

- The effectiveness of the internal control system depends on the competence, reliability and due care of the people responsible for its operation. Mistakes or errors, faulty decision-making and misunderstanding of instructions threaten the effectiveness of any internal control system.

d. The possibility of circumvention of internal controls through collusion among employees.

- Lack of integrity and dishonesty of employees and officials can lead to collusion amongst two or more people to circumvent the internal control system. They can alter financial data or other management information in a manner that cannot be identified by control systems.

Example: Collusion between a factory employee, factory manager and a wages data processing clerk to claim, authorize and process a fraudulent payment for overtime wages.

e. The possibility of management overriding the internal control.

- High-level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
- Management may purposefully override existing controls, thus rendering the laid-down system controls ineffective.

Example: A sales director may choose to extend credit to a long-standing customer in order to create customer goodwill, in contravention of laid-down credit control procedures.

f. The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate.

- Conditions within organizations are not static; e.g. internal control systems that don't change in reaction to new control techniques, or to changes in the organizational environment, are left exposed.

B. Components of Internal Control

1. Control Environment

- It is the foundation for effective internal control.
- In a pyramid structure, the control environment is located at the base, where it serves as a foundation for all other components of internal control.
- The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities.
- The control environment sets the tone of the organization. It provides discipline and structure to all participants and stakeholders.
- It is an intangible factor that is essential to effective internal control.
- It is determined by the attitudes of the persons in charge of the internal control system.
- It is the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance in the entity.
- The control environment includes the code of conduct, organizational structure and so on.
- An effective control environment is an environment where competent people understand their responsibilities and the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards.

Factors reflected in the control environment (Components of Control Environment):

1. Integrity and ethical values (Communication and enforcement of Integrity and Ethical Values)

- Many companies have high values and seek to promote honesty and integrity among their employees on a day-to-day basis. Clearly, if it is evident those values do exist and are communicated effectively to employees and enforced, this will have the effect of increasing confidence in the design, administration and monitoring of controls, leading to a reduced risk of material misstatement in a company's financial statements.

Example: Management actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal or unethical acts. Restrict use of agency credit cards and verify all charges made to credit cards or accounts to ensure they were business-related.

2. Active participation of those charged with governance

- Those charged with governance (TCWG) - describes the role of persons entrusted with the supervision, control and direction of an entity. Examples are various committees of the board of directors, such as the audit committee, shareholders' committee, etc.
- Management - means the person(s) responsible for achieving the objectives of the entity and who have the authority to establish policies and make decisions by which those objectives are to be pursued.
- TCWG is also known as the policy implementing body. Management is also known as the policy making body. TCWG is lower than management. Management is a higher body.
- Given the influence that the actions of directors have on a company's internal control, the extent of their day-to-day active involvement in the company's operations has a pervasive effect on the internal control of the company.

3. Commitment to competence

- Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. It is self-evident that if individual employees are tasked with carrying out duties that are beyond their competence levels, then desired objectives are unlikely to be met.
- Commitment to competence means that management considers the competence levels for particular jobs in determining the skills and knowledge required for each employee and that it hires employees competent to perform tasks.

Example: There is an increased probability that the objective of avoiding material misstatement in a set of complex financial statements will not be met if prepared by an inexperienced company accountant.

4. Personnel policies and procedures

- As explained in ISA 315, human resource policies and practices demonstrate important matters in relation to the control consciousness of an entity. This implies that if human resources policies and practices are considered to be sound both in design and in implementation over a range of matters, then the risk of material misstatement will be reduced.

Examples of these matters include:

- Recruitment policies and procedures. These should ensure that only competent individuals with integrity are employed by the company. Interview procedures should ensure that only candidates meeting the company's criteria for recruitment are engaged.
- There should be adequate induction procedures for new employees, such that they can carry out their assigned responsibilities effectively and efficiently soon after being engaged by the company.
- Employees should be provided with ongoing training, support and mentoring as appropriate, such that they can continue to carry out their assigned responsibilities effectively and efficiently.
- Employment termination procedures should incorporate provision for an exit interview so that the reason for the termination can be confirmed or clarified, all emoluments due to the employee can be settled and arrangements can be made for the return of all company assets prior to the termination date.

5. Assignment of responsibility and authority/Organizational Structure

- Normally, the larger a company's scale of operations, the larger the size of the workforce and, inevitably, the larger the amount of assignment of authority and responsibility that is required.
- Consequently, companies need to deal not only with ensuring that appropriate levels of authority and responsibility are assigned to appropriately qualified and experienced individuals. They also need to ensure that adequate reporting relationships and authorization hierarchies are in place.
- Additionally, individuals need to be properly resourced and made fully aware of their responsibilities and of how their actions interrelate with the actions of others and contribute to the objectives of the company.
- If a company is not successful in meeting each of these needs, then there is an increased probability of ineffective decisions, errors and oversights by employees, leading to an increased risk of material misstatement in its financial statements.
- Management may develop job descriptions and computer system documentation.
- Responsibilities and authorities of the various personnel within the organization should be established in such manner as to (a) assist the entity in meeting its goals and objectives.

2. Risk Assessment

The entity's business objectives cannot be achieved without some risks. For an audit client, the "iceberg" they're facing is called business risk: factors, events, and conditions that can prevent the organization from achieving its business objectives, including effective financial reporting.

I. Determine Goals and Objectives
The central theme of internal control is (1) to identify risks to the achievement of an organization's objectives and (2)
to do what is necessary to manage those risks.

Thus, management must first clearly articulate its goals and objectives.

Goals and objectives are classified in the following categories:

1. Operations objectives. These objectives pertain to the achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss.
2. Financial reporting objectives. These objectives pertain to the preparation of reliable financial reports, including the prevention of fraudulent public financial reporting.
3. Compliance objectives. These objectives pertain to adherence to applicable laws and regulations.

II. Identify Risks after Determining Goals

Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives.

For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that are presented fairly, in all material respects, in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them.

Risk assessment is one of management's responsibilities and enables management to act proactively in
reducing unwanted surprises. Failure to consciously manage these risks can result in a lack of confidence
that operation, financial and compliance goals will be achieved.

III. Risk Analysis


After risks have been identified, a risk analysis should be performed to prioritize those risks:
a. Assess the likelihood (or frequency) of the risk occurring.
b. Estimate the potential impact if the risk were to occur.
c. Determine how the risk should be managed.
Example: Schedule Related Risks (Late delivery of materials & Lost/misdirected shipments of your product)

3. Information & Communication System

To be effective, an internal control system must provide relevant and timely information and communication. The system should identify the information requirements and create an information system that provides the needed data and reports.

The essential elements of a sound information system:

1. Identification of Information. Proper identification of all economic transactions and events.
2. Capture of Information. Once identified, accounting data must be accessed and captured by whatever device is used to store and assemble it while awaiting the classification and recording by the storage device. The capture device may be a computer terminal, a document or a set of manual accounting records.
3. Processing of Information. Accounting information is processed by the recording of transactions in journals and their posting to ledger accounts.
4. Reporting of Information. The external auditor is concerned that the internal control system accurately converts accounting data from ledger format to financial statements prepared in accordance with GAAP, including necessary year-end adjustments and adequate footnote disclosures.

Communication - Financial reporting controls require that specific duties be communicated clearly to employees responsible for implementing the control procedures. It takes forms such as policy manuals, accounting and financial reporting manuals and memoranda.
